- Jamf Nation Community
- Products
- Jamf Pro
- Block old OS from enrolling
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2019 11:04 AM
Is there a way to block older operating systems from enrolling? For instance, I'd like to set a policy that devices must be running Mojave or higher in order to be permitted to enroll.
I couldn't find a setting for this, but was wondering if someone had a script that could be run at enrollment to effectively check, un-enroll if necessary, and display a message to the user to upgrade first?
Solved! Go to Solution.
Labels:
- Labels:
-
Settings and Security Management
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2022 05:45 PM
adding this here maybe it will help someone. Had this same issue. So similar to what @tomhastings sugeested, we ended up using erase-install with a OS version check during DEP/ADE to force an upgrade to the current version of macOS or the most recent version the device will support
Reply
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2019 11:25 AM
You could create a policy that runs after enrollment (scoped to the OS versions you want to deny) that will removeFramework and pop up a message.
You can't block enrollment as far as I know, but you can very quickly react to it.
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2019 01:25 PM
How about forcing an upgrade to Mojave on enrollment?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-21-2019 01:45 PM
question is what would you hope to achieve by blocking enrolment? Surely enrolling to find and remediate, one way or another, would be the better option?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-22-2019 09:04 AM
There could be older devices that don't support the newer operating systems.
Blocking vs remediating is ideal in a BYOD scenario where we can only set a policy "you must be this OS or better to enroll". It would be up to the user to determine whether or not they want to meet that policy. Other MDMs have this functionality built-in and we use it extensively for iOS.
Thanks for the suggestion on the script. Do you know of the best way to force that script to run before other policies?
Reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-26-2021 08:23 AM
There is a feature request for this here
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-12-2022 05:45 PM
adding this here maybe it will help someone. Had this same issue. So similar to what @tomhastings sugeested, we ended up using erase-install with a OS version check during DEP/ADE to force an upgrade to the current version of macOS or the most recent version the device will support
Reply
