macOS 14 Sonoma and iOS 17 have introduced a neat new feature that enables the MDM server to force the device to update itself during the Automated Device Enrollment process, right before the actual MDM enrollment.
Enforcing a minimum version of iOS, iPadOS and macOS
Automated Device Enrolment and MDM page in Apple Platform Deployment guide
MDM solutions can enforce a minimum operating system version on enrolling devices when using Automated Device Enrolment. If the device doesn’t meet the minimum version expected by MDM, the user is guided through a software update or upgrade before they can continue with Setup Assistant. This ensures that devices owned by an organisation are on the necessary version required before being put into production.
Feature demonstration on macOS Sonoma
We start with the usual steps on a new Mac:
- macOS boots and launches Setup Assistant.
- Mac connects to the internet.
- If the Mac exists in ABM/ASM and has an MDM server assigned, a cloud profile containing a link to the enrollment profile and additional ADE configuration is downloaded.
- (Optional) User is asked to authenticate with the MDM server.
- Mac downloads the enrollment profile and starts the enrollment process.
- The device checks in and authenticates with the MDM server.
Note: The enrollment process is covered in Managing MDM Connections Apple Developer article
Here is what’s new:
- During the first check-in, the device sends a
MachineInfo
object to the MDM server. MachineInfo contains the macOS version currently installed on the device. There is a new flag,MDM_CAN_REQUEST_SOFTWARE_UPDATE
(default:false
), which macOS 14+ and iOS 17+ devices going through ADE set totrue
. - MDM server can compare the client OS version with the desired OS version specified by a system administrator. If the device has an older OS version installed, the server responds with HTTP 403 and
ErrorCodeSoftwareUpdateRequired
XML/JSON body specifying the OS version the device should update to.
Implementation
Most MDM vendors have implemented this feature with a dropdown menu where the admin can select the target macOS version. Sometimes this list is manually updated by the vendor. Other vendors might pull version information directly from Apple services. This might be the case with Kandji, but I suspect there is manual approval since there is a significant delay (hours) between macOS update availability and the presence of the new target version in the list.
Unfortunately, both Apple and MDM vendors failed to take a key fact into account. There is a difference between the list of updates managed and unmanaged Macs retrieve from Apple Software Update services. While managed Macs see a list containing multiple minor versions of each major macOS release, unmanaged Macs see only the latest minor version of each major macOS release.
This is because the macs don’t see the “managed” assets (like how MDM can specify individual versions. For example, at the setup assistant, macs only see the PublicAssetSets from gdmf, and not the updates listed under AssetSets.
Posted by chilcote on Mac Admins Slack
The problem
So what happens when a Mac running macOS 14.2 is instructed to update itself to macOS 14.3 while a newer version, 14.4.1, is also available?
- Attempting to complete the enrollment, macOS checks in with the MDM server.
MachineInfo
describes the installed macOS version as 14.2.1. - MDM server responds with HTTP 403 and
ErrorCodeSoftwareUpdateRequired
in the message bodym includingOSVersion
(target macOS version) set to 14.3. - Unmanaged Mac fetches available update via Software Update. Mac only sees 13.6.5 and 14.4.1
- System update could not be installed error message is presented
- When user attempts to proceed the process repeats and the same error appears again
Short term solution
Always set the update target to the latest minor version of a major macOS release. Be prepared when new macOS update is about to drop so you can change the setting quickly.
Ask your MDM vendor to require the latest minor version automatically. Kandji already has this feature for iOS.
Submit feedback with Apple. You can duplicate mine FB13691581.
Long term solution:
It is possible that Apple may be able to make changes in the Software Update Service (server-side) to offer the same list of updates to both unmanaged and managed Macs.
Alternatively, Apple could change the implementation on the client side. Perhaps the client could try to update itself to the closest possible version when the desired version is not visible. However, such a change would help Mac admins 1-2 years when majority of Macs in boxes have the OS version containing this feature installed.
Additional resources
- FileWave Minimum OS version for enrolling Apple devices via ADE article
- Brunder Determining eligible macOS versions via script blog post
- Raw documentation source for
softwareupdate.required
error