February 14, 2025

Enforcing minimum OS version for Apple device enrollment

Apple's new "Enforce Minimum OS Version" feature in Workspace ONE UEM ensures that newly enrolled macOS and iOS devices meet corporate OS standards before enrollment. This proactive approach enhances security, preventing vulnerabilities from risking enterprise data. IT admins can now streamline compliance, safeguarding organizational reputations against potential exploits. Stay updated, stay safe!

Introduction

In November 2024, Apple released critical patches for its various operating systems, providing urgent updates to address two zero-day vulnerabilities that were being actively exploited. These were the third and fourth zero-day vulnerabilities that Apple had to address that year, making it more important than ever for users to keep their devices up-to-date.

Exploited vulnerabilities like these can be tremendously damaging to enterprises, especially if spyware attacks result in the exfiltration of critical corporate data. An organization’s reputation can be irreparably damaged, and the potential financial impact could be high.

Apple has always recommended keeping devices up-to-date with the latest OS version, and IT admins work diligently to ensure that corporate devices under their management are maintained. Those using Workspace ONE UEM already know how easy it is to deploy updates to existing Apple devices using the Device Updates Dashboard. But what about newly enrolled devices?

A macOS or iOS device that is newly enrolled might expose the enterprise to risk if that device is on an OS version that contains a vulnerability. Enterprise security teams often mandate specific OS versions for corporate-owned devices. How can IT admins ensure that new macOS and iOS devices are up-to-date even before they are enrolled?

Enforce Minimum OS Version

Workspace ONE UEM now supports the enforcement of a minimum operating system version for iOS and macOS devices in Automated Device Enrollment profiles. This new option, supported on iOS 17 and higher and macOS 14 and higher, allows IT admins to set the minimum OS version required for Apple device enrollment into Workspace ONE UEM. When this option is configured, Workspace ONE UEM will not allow device enrollment to complete until the device is at the minimum OS version or higher.

Let’s look at an example scenario. In our example, an IT admin configures an enrollment profile requiring iOS 18.0 as the minimum OS version needed for enrollment in Workspace ONE UEM. An employee receives a new device with iOS version 17.1 from IT and begins the Setup Assistant. During the enrollment process, Workspace ONE checks the version of iOS on the device. When it sees that the OS version is below the version required by the enrollment profile, Workspace ONE triggers the Setup Assistant to initiate a device update. All required restarts happen automatically. Once the update is complete, the Setup Assistant continues with the enrollment process.

It is important to note that, if the update fails to complete, the end user will be unable to use the device. The Setup Assistant will not proceed further until the device has been updated.

If you are unfamiliar with Automated Device Enrollment for Apple devices, check out the following resource on Tech Zone.


Configuring Minimum OS Version enforcement

This new option can be configured on new, as well as existing, Automated Device Enrollment profiles. You can add a new profile under Groups & Settings in the Workspace ONE UEM console. Under Automated Device Enrollment (formerly called Device Enrollment Program), click the Add Profile button. By default, the Enforce Minimum OS Version option is disabled. If you enable this option, Workspace ONE provides four settings, which are described below:

  • iOS Minimum Version – This dropdown menu displays all available iOS updates actively signed by Apple. This is required if Enforce Minimum OS Version is enabled.
  • macOS Minimum Version – This dropdown menu displays all available macOS updates actively signed by Apple. This is required if Enforce Minimum OS Version is enabled.
  • Message – The text entered in this field will be displayed to the end user on the device during enrollment. The message will only be displayed if an update is required on the device. This is optional.
  • Description – You can enter text in this field to be used when logging the required update in Workspace ONE UEM. This is written to the troubleshooting log for the device. This is an optional field and is not displayed to the end user.


Additionally, the iOS Minimum Version and macOS Minimum Version dropdowns include the option to select Latest to require the current version of the respective OS in the profile. This means that IT admins never have to modify the policy as new versions of iOS and macOS are released.

Keep in mind that using the Enforce Minimum OS Version option in an enrollment profile requires that devices be configured in Apple Business Manager prior to initial enrollment and setup, and will not work with BYO devices.
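To make the enrollment behaviour described above concrete, here is an added example (not Workspace ONE UEM's own code, and not an API the product exposes) that models the decision an admin can expect for a given enrollment profile and device: enforcement disabled, device not assigned through Apple Business Manager, device below the OS floor on which the feature is supported, device meeting the minimum, or device requiring an update before Setup Assistant can continue. The profile fields mirror the four settings above, including the Latest option. The "currently signed" versions and the feature-support floor (iOS 17.0 and macOS 14.0, from the feature description above) are assumed constants for the example; the device inventory is constructed.

```python
"""Model of the Enforce Minimum OS Version enrollment decision.

This is illustrative code written for this article, not Workspace ONE UEM
product code. It lets an admin audit a constructed device inventory against
an enrollment profile before those devices ever reach Setup Assistant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed for the example: the newest versions Apple is currently signing,
# which is what the "Latest" dropdown choice resolves to. Constructed values.
LATEST_SIGNED: Dict[str, str] = {"iOS": "18.1", "macOS": "15.1"}

# Assumed feature-support floor taken from the feature description above
# (iOS 17 and higher, macOS 14 and higher). Devices below this floor enroll
# without the minimum being enforced.
ENFORCEMENT_SUPPORTED_FROM: Dict[str, str] = {"iOS": "17.0", "macOS": "14.0"}


@dataclass(frozen=True)
class EnrollmentProfile:
    """Mirrors the four settings shown under Enforce Minimum OS Version."""
    enforce_minimum_os: bool = False
    ios_minimum: Optional[str] = None    # version string or "Latest"
    macos_minimum: Optional[str] = None  # version string or "Latest"
    message: str = ""                    # shown on device only when an update is required
    description: str = ""                # troubleshooting-log text, never shown to the user


@dataclass(frozen=True)
class Device:
    platform: str      # "iOS" or "macOS"
    os_version: str    # e.g. "17.1"
    in_abm: bool       # assigned in Apple Business Manager (Automated Device Enrollment)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '18', '18.0' or '18.0.1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def validate_profile(profile: EnrollmentProfile) -> None:
    """Both minimum-version fields are required once enforcement is enabled."""
    if profile.enforce_minimum_os and not (profile.ios_minimum and profile.macos_minimum):
        raise ValueError("iOS Minimum Version and macOS Minimum Version are required "
                         "when Enforce Minimum OS Version is enabled")


def resolve_minimum(profile: EnrollmentProfile, platform: str) -> str:
    """Resolve the configured minimum for a platform, expanding 'Latest'."""
    raw = profile.ios_minimum if platform == "iOS" else profile.macos_minimum
    if raw is None:
        raise ValueError(f"no minimum configured for {platform}")
    return LATEST_SIGNED[platform] if raw == "Latest" else raw


def enrollment_decision(profile: EnrollmentProfile, device: Device) -> str:
    """Return what happens to this device during Setup Assistant.

    'enroll'                  - enrollment proceeds without an update
    'enroll-unenforced-byo'   - not in ABM, so the option does not apply
    'enroll-unenforced-legacy'- OS predates feature support, enrolls un-updated
    'update-required'         - Setup Assistant updates (and restarts) first;
                                if the update fails the device stays unusable
    """
    validate_profile(profile)
    if not profile.enforce_minimum_os:
        return "enroll"
    if not device.in_abm:
        return "enroll-unenforced-byo"
    current = parse_version(device.os_version)
    if current < parse_version(ENFORCEMENT_SUPPORTED_FROM[device.platform]):
        return "enroll-unenforced-legacy"
    if current >= parse_version(resolve_minimum(profile, device.platform)):
        return "enroll"
    return "update-required"


def audit(profile: EnrollmentProfile, devices: List[Device]) -> Dict[str, int]:
    """Count decisions across an inventory so an admin can see the blast radius."""
    counts: Dict[str, int] = {}
    for device in devices:
        decision = enrollment_decision(profile, device)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed example profile and inventory, matching the scenario above.
    profile = EnrollmentProfile(True, "18.0", "15.0", message="Updating to required iOS")
    inventory = [
        Device("iOS", "17.1", True),    # the article's scenario: update first
        Device("iOS", "18.0.1", True),  # already compliant
        Device("iOS", "16.7", True),    # below the support floor: not enforced
        Device("macOS", "14.2", False), # BYO: option does not apply
    ]
    for d in inventory:
        print(d.platform, d.os_version, "->", enrollment_decision(profile, d))
    print(audit(profile, inventory))
```

Running the module prints one decision per device followed by the aggregated counts. The useful part for an admin is `audit`: pointing it at an export of pending devices shows how many will be held in Setup Assistant for an update (and therefore how many may become unusable if the update cannot complete) before the profile is assigned.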

Summary

The new Enforce Minimum OS Version option in Workspace ONE UEM is available with version 2410 or higher. It offers enterprises the ability to ensure that new macOS and iOS devices are running a corporate-mandated OS version prior to successful enrollment in Workspace ONE. This powerful new feature allows IT admins to manage OS version compliance even before the device is enrolled in Workspace ONE UEM.

Keep in mind, this feature only works on devices running iOS 17.0 or higher or macOS 15.0 or higher. Devices with older OS versions will not have the minimum OS enforced, and will enroll into Workspace ONE without an update.

Additional resources

For more information about Apple’s Automated Device Enrollment, check out the Tech Zone resources below:

If you wish to learn more about managing OS updates in iOS and macOS devices, please check out these Tech Zone resources:
