Block old OS from enrolling

mnickels
New Contributor III

Is there a way to block older operating systems from enrolling? For instance, I'd like to set a policy that devices must be running Mojave or higher in order to be permitted to enroll.

I couldn't find a setting for this, but was wondering if someone had a script that could be run at enrollment to effectively check, un-enroll if necessary, and display a message to the user to upgrade first?

1 ACCEPTED SOLUTION

efil4xiN
Contributor II

Adding this here; maybe it will help someone. Had this same issue. So, similar to what @tomhastings suggested, we ended up using erase-install with an OS version check during DEP/ADE to force an upgrade to the current version of macOS or the most recent version the device will support.


6 REPLIES

alexjdale
Valued Contributor III

You could create a policy that runs after enrollment (scoped to the OS versions you want to deny) that will removeFramework and pop up a message.

You can't block enrollment as far as I know, but you can very quickly react to it.
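A sketch of the post-enrollment check described in the reply above, added here as an example and not code from any poster in this thread. It compares the macOS version field by field (so 10.9 sorts below 10.14) and leaves the device enrolled if the version string cannot be parsed. The `MIN_OS` value, the message text and the `--enforce` switch are assumptions; `removeFramework` and `displayMessage` are verbs of the jamf binary.

```sh
#!/bin/sh
# Added example. MIN_OS, the message text and --enforce are assumptions.
MIN_OS="10.14"   # Mojave, the floor named in the question

# Accept only dotted decimal versions such as 10.13.6 or 11.0.1.
is_version() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    *) return 0 ;;
  esac
}

# version_ge A B: succeeds when A >= B, comparing each field as a number.
version_ge() {
  _a=$1 _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*} _y=${_b%%.*}
    # Drop the field just read; a missing field counts as 0.
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
  done
  return 0
}

# Prints allow, remove or unknown for a given macOS version string.
enrollment_decision() {
  if ! is_version "$1"; then echo unknown
  elif version_ge "$1" "$MIN_OS"; then echo allow
  else echo remove
  fi
}

enforce() {
  os=$(/usr/bin/sw_vers -productVersion)
  case $(enrollment_decision "$os") in
    allow) return 0 ;;
    remove)
      /usr/local/bin/jamf displayMessage -message \
        "macOS $os is below the required $MIN_OS. Upgrade macOS, then enroll again."
      /usr/local/bin/jamf removeFramework ;;
    *) echo "Unparseable macOS version '$os'; leaving device enrolled" >&2
       return 1 ;;
  esac
}

# Only act when run by the policy with --enforce.
if [ "${1:-}" = "--enforce" ]; then enforce; fi
```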

tomhastings
Contributor II

How about forcing an upgrade to Mojave on enrollment?

marklamont
Contributor III

Question is, what would you hope to achieve by blocking enrolment? Surely enrolling to find and remediate, one way or another, would be the better option?

mnickels
New Contributor III

There could be older devices that don't support the newer operating systems.

Blocking vs remediating is ideal in a BYOD scenario where we can only set a policy "you must be this OS or better to enroll". It would be up to the user to determine whether or not they want to meet that policy. Other MDMs have this functionality built-in and we use it extensively for iOS.

Thanks for the suggestion on the script. Do you know of the best way to force that script to run before other policies?

Knighton
New Contributor III

There is a feature request for this here
