0

Enforce minimum OS for Automated Device Enrollment (DEP) for iOS and macOS devices

Posted on by Roderik de Block

Introduction

Many organizations will recognize this common challenge: an iPhone or Mac has been sitting on the shelf for some time, and by the time it reaches the end user, the operating system is outdated. As a result, the device gets enrolled with an OS version that doesn’t meet your compliance policies.

This can pose a security risk. A newly enrolled macOS or iOS device running an older OS version may still contain known vulnerabilities. That’s why security teams often enforce minimum OS version requirements for corporate devices. But this raises an important question for IT administrators: how can you ensure that macOS and iOS devices are fully updated before they’re even enrolled?

Enforce Minimum OS Version

With the recent release of Workspace ONE UEM version 2410, Omnissa introduced a powerful new feature: the ability to enforce a minimum operating system version during Automated Device Enrollment (previously known as the Device Enrollment Program).

IT admins can now configure a minimum OS requirement directly within the Automated Device Enrollment (ADE) profile. This capability applies to devices running iOS 17, macOS 14, or later. If a device doesn’t meet the specified OS version at the time of enrollment, it will be required to update to the defined version before it can complete the enrollment process. This ensures all newly enrolled devices are secure and compliant right from the start.

Configuring the desired Minimum OS Version

To get this in place the ADE Profile has te be configured. First you have to navigate to “Groups & Settings –> All Settings”

Then navigate to “Devices & Users –> Apple –> Automated Device Enrollment”

Create a new or edit your existing Automated Device Enrollment profile

 

Scroll down to the “Minimum OS Version” section and select the version which you would like to get installed on your ADE devices and when all other settings are in place click “Save”.

 

End User Experience

When everything is in place, it is time to test the configuration and show the End User Experience on an iOS device.:

After the update is successfully installed, the end user will have to go through the ADE process again and after that the device will be enrolled in Workspace ONE UEM with the desired OS version.

Additional information:

https://community.omnissa.com/technical-blog/enforcing-minimum-os-version-for-apple-device-enrollment-r16/

https://support.apple.com/en-gb/guide/deployment/depd30715cbb/web

 

Roderik de Block

More Posts

Leave a Reply

Your email address will not be published. Required fields are marked *