FR - Add minimum macOS Version Check for ADE #27

New Issue

Open

opened 2026-01-19 18:31:16 +00:00 by michael · 2 comments

michael commented 2026-01-19 18:31:16 +00:00

Owner

Copy Link

Originally created by @Uggbert on GitHub.

Problem:

As devices age out we want to prevent users enrolling older or unsupported devices. We currently force devices during ADE to upgrade to latest macOS based on hardware using JAMF. This is fine for supported models, however a user can currently still enrol an ADE device with macOS 11, 12 and now 13 installed as the latest OS - even though they are all end of life.

Currently I have a script that runs during pre-stage (before JSM installs) to check macOS version and (not very gracefully) interrupt the ADE process and reboot the device, rendering it unusable.

Where JSM can help:

During the 'Getting Ready' phase it would be ideal at this point to check the macOS version and if it falls below an admin defined value in the config it simply halts and displays a custom message - usually in our case directing the user to contact our Service Desk

'Sorry, we cannot proceed with setup of your device. Your device (macOS 13) no longer meets the organisations minimum macOS requirements (macOS 14), please contact the Service Desk to arrange for a replacement device'

This keeps the device enrolled (so we have sight of it in JAMF) but does not allow the user to proceed and/or use the device. If they reboot or try to force quit JSM - at the next reboot it will just loop back into JSM due to the completed flag file being missing.

Originally created by @Uggbert on GitHub. Problem: As devices age out we want to prevent users enrolling older or unsupported devices. We currently force devices during ADE to upgrade to latest macOS based on hardware using JAMF. This is fine for supported models, however a user can currently still enrol an ADE device with macOS 11, 12 and now 13 installed as the latest OS - even though they are all end of life. Currently I have a script that runs during pre-stage (before JSM installs) to check macOS version and (not very gracefully) interrupt the ADE process and reboot the device, rendering it unusable. Where JSM can help: During the 'Getting Ready' phase it would be ideal at this point to check the macOS version and if it falls below an admin defined value in the config it simply halts and displays a custom message - usually in our case directing the user to contact our Service Desk 'Sorry, we cannot proceed with setup of your device. Your device (macOS 13) no longer meets the organisations minimum macOS requirements (macOS 14), please contact the Service Desk to arrange for a replacement device' This keeps the device enrolled (so we have sight of it in JAMF) but does not allow the user to proceed and/or use the device. If they reboot or try to force quit JSM - at the next reboot it will just loop back into JSM due to the completed flag file being missing.

michael added the enhancement label 2026-01-19 18:31:16 +00:00

michael commented 2026-01-19 18:31:17 +00:00

Author

Owner

Copy Link

@scriptingosx commented on GitHub:

I am not certain there is anything Setup Manager can do here. Setup Manager does not launch until after a Mac is enrolled, so the best it could do is stall the progress. You can already achieve that with a custom prestage workflow.

This is a feature request for Apple to refuse enrollment below a certain macOS version, but I'd assume they will refer to the softwareupdate option and say “use that”

@scriptingosx commented on GitHub: I am not certain there is anything Setup Manager _can_ do here. Setup Manager does not launch until after a Mac is enrolled, so the best it could do is stall the progress. You can already achieve that with a custom prestage workflow. This is a feature request for Apple to refuse enrollment below a certain macOS version, but I'd assume they will refer to the softwareupdate option and say “use that”

michael commented 2026-01-19 18:31:17 +00:00

Author

Owner

Copy Link

@Uggbert commented on GitHub:

Here is my current workaround for this type of workflow.

This will kill and remove JSM and leave the device enrolled in JAMF but with no usable user account (we skip user account creation during setup assistant) as we use Jamf Connect - as this is not present due to JSM ending right as it starts, the only user that can login is the hidden local Jamf admin account. The scirpt then attempts to download Swift Dialog to present a nicer UI with some more info, if that fails the user will still see the loginwindow custom text.

1. Create a policy with the below script
2. Set script Parm 4 to your minimum required macOS version, in my case macOS 14 as we run N-2

#!/bin/sh

# Runs during ADE enrolment via JSM and kills the onboarding process to prevent users 
# enroling devices running upsupported macOS versions

# Variables
macos_version_major_required=$1
macos_version_major=$(sw_vers -productVersion | cut -d'.' -f1)
script_name="UnsupportedmacOSVersion.sh"
script_path="/Library/Scripts"
launchagent_path="/Library/LaunchAgents"
launchagent_name="dts.UnsupportedmacOSVersion.plist"
appName="Setup Manager"
bundleID="com.jamf.setupmanager"
appPath="/Applications/Utilities/${appName}.app"

if [[ -z "${1}" ]]; then
	echo "Expected version param, using 14 as default."
	macos_version_major_required=14
fi

echo "Major Version Required was set to: ${macos_version_major_required}"
echo "Installed Version of macOS is: "${macos_version_major}

if [[ "${macos_version_major}" -lt ${macos_version_major_required} ]]; then
	defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Sorry, we cannot proceed with the setup of your device. macOS ${macos_version_major} no longer meets the org minimum macOS requirements of macOS ${macos_version_major_required}, please contact Help4U to arrange for disposal of this device in line with our client device policy."
	
	#download and install SwiftDialog for user notification
	dialogURL="https://github.com/swiftDialog/swiftDialog/releases/download/v2.5.6/dialog-2.5.6-4805.pkg"
	expectedDialogTeamID="PWA5E9TQ59"
	preFlight "Installing swiftDialog..."
	workDirectory=$( /usr/bin/basename "$0" )
	tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )
	/usr/bin/curl --location --silent "$dialogURL" -o "$tempDirectory/Dialog.pkg"
	teamID=$(/usr/sbin/spctl -a -vv -t install "$tempDirectory/Dialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
	if [[ "$expectedDialogTeamID" == "$teamID" ]]; then
		/usr/sbin/installer -pkg "$tempDirectory/Dialog.pkg" -target /
		sleep 2
		dialogVersion=$( /usr/local/bin/dialog --version )
		preFlight "swiftDialog version ${dialogVersion} installed; proceeding..."
	fi
	/bin/rm -Rf "$tempDirectory"
		
	# Write out splash screen script
	cat <<-EOF > ${script_path}/${script_name}
	#!/bin/zsh
	#Clean up the original script that wrote out this file as there is no longer a requirement for it.
	if [[ -f /Library/Scripts/macOSADEVersionCheck.sh ]]; then
		rm '/Library/Scripts/macOSADEVersionCheck.sh'
	fi

	#Display Message to user.
	'/Library/Application Support/Dialog/Dialog.app/Contents/MacOS/Dialog' \
	--message "Sorry, we cannot proceed with the setup of this device \n\n 
	macOS ${macos_version_major} is no longer meets the org minimum requirements of macOS ${macos_version_major_required} 
	\n\nPlease contact Help4U to order a new device and arrange for disposal of this device in line with our client device policy." \
	--icon computer \
	--title "Unsupported macOS Version" \
	--button1text none \
	--button1disabled \
	--showonallscreens \
	--loginwindow \
	--infobox "* {computermodel}\n * {serialnumber}\n * macOS {osname}\n * Version {osversion}" \
	--blurscreen \
	--quitkey A
	EOF
	echo "Script Created"
	
	# Set script permissions
	chmod +x ${script_path}/${script_name}
	
	# Write LaunchAgent to load script
	cat <<-EOF > ${launchagent_path}/${launchagent_name}
	<plist version="1.0">
	<dict>
		<key>OnDemand</key>
		<false/>
		<key>LaunchOnlyOnce</key>
		<true/>
		<key>ProgramArguments</key>
		<array>
			<string>${script_path}/${script_name}</string>
		</array>
		<key>LimitLoadToSessionType</key>
		<string>LoginWindow</string>
		<key>Label</key>
		<string>dts.UnsupportedmacOSVersion</string>
		<key>StandardErrorPath</key>
		<string>/var/log/dts.UnsupportedmacOSVersion.log</string>
		<key>StandardOutPath</key>
		<string>/var/log/dts.UnsupportedmacOSVersion.error.log</string>
	</dict>
	</plist>
	EOF
	echo "LaunchAgent Created"
	
	# Set LaunchAgent permissions
	chown root:wheel  ${launchagent_path}/${launchagent_name}
	chmod 644 ${launchagent_path}/${launchagent_name}
	
	#Display run the script now (it will run again via launch agent after reboot)
	${script_path}/${script_name} &
	sleep 120
	# Remove and Kill Jamf Setup Manager (we dont need this anymore)
	if launchctl list | grep -q "$bundleID" ; then
		echo "unloading JSM launch daemon"
		launchctl unload /Library/LaunchDaemons/"$bundleID".plist
	fi
	
	echo "removing JSM files"
	rm -rfv "$appPath"
	rm -v /Library/LaunchDaemons/"$bundleID".plist
	rm -v /Library/LaunchAgents/"$bundleID".loginwindow.plist
	
	echo "forgetting $bundleID pkg receipt"
	pkgutil --forget "$bundleID"
	pkill "Setup Manager"
	sleep 5
	rm -rf "/Applications/Utilities/Setup Manager.app/"
	echo "Removed JSM"
fi

exit 0

3. set custom trigger to 'macOSVersionCheck' or similar
4. add the following as the first action in your JSM config:

<dict>
  <key>label</key>
  <string>macOS Version Check</string>
  <key>icon</key>
  <string>https://path.to/icon.png</string>
  <key>policy</key>
  <string>macOSVersionCheck</string>
</dict>

@Uggbert commented on GitHub: Here is my current workaround for this type of workflow. This will kill and remove JSM and leave the device enrolled in JAMF but with no usable user account (we skip user account creation during setup assistant) as we use Jamf Connect - as this is not present due to JSM ending right as it starts, the only user that can login is the hidden local Jamf admin account. The scirpt then attempts to download Swift Dialog to present a nicer UI with some more info, if that fails the user will still see the loginwindow custom text. 1. Create a policy with the below script 2. Set script Parm 4 to your minimum required macOS version, in my case macOS 14 as we run N-2 ``` #!/bin/sh # Runs during ADE enrolment via JSM and kills the onboarding process to prevent users # enroling devices running upsupported macOS versions # Variables macos_version_major_required=$1 macos_version_major=$(sw_vers -productVersion | cut -d'.' -f1) script_name="UnsupportedmacOSVersion.sh" script_path="/Library/Scripts" launchagent_path="/Library/LaunchAgents" launchagent_name="dts.UnsupportedmacOSVersion.plist" appName="Setup Manager" bundleID="com.jamf.setupmanager" appPath="/Applications/Utilities/${appName}.app" if [[ -z "${1}" ]]; then echo "Expected version param, using 14 as default." macos_version_major_required=14 fi echo "Major Version Required was set to: ${macos_version_major_required}" echo "Installed Version of macOS is: "${macos_version_major} if [[ "${macos_version_major}" -lt ${macos_version_major_required} ]]; then defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Sorry, we cannot proceed with the setup of your device. macOS ${macos_version_major} no longer meets the org minimum macOS requirements of macOS ${macos_version_major_required}, please contact Help4U to arrange for disposal of this device in line with our client device policy." #download and install SwiftDialog for user notification dialogURL="https://github.com/swiftDialog/swiftDialog/releases/download/v2.5.6/dialog-2.5.6-4805.pkg" expectedDialogTeamID="PWA5E9TQ59" preFlight "Installing swiftDialog..." workDirectory=$( /usr/bin/basename "$0" ) tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" ) /usr/bin/curl --location --silent "$dialogURL" -o "$tempDirectory/Dialog.pkg" teamID=$(/usr/sbin/spctl -a -vv -t install "$tempDirectory/Dialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()') if [[ "$expectedDialogTeamID" == "$teamID" ]]; then /usr/sbin/installer -pkg "$tempDirectory/Dialog.pkg" -target / sleep 2 dialogVersion=$( /usr/local/bin/dialog --version ) preFlight "swiftDialog version ${dialogVersion} installed; proceeding..." fi /bin/rm -Rf "$tempDirectory" # Write out splash screen script cat <<-EOF > ${script_path}/${script_name} #!/bin/zsh #Clean up the original script that wrote out this file as there is no longer a requirement for it. if [[ -f /Library/Scripts/macOSADEVersionCheck.sh ]]; then rm '/Library/Scripts/macOSADEVersionCheck.sh' fi #Display Message to user. '/Library/Application Support/Dialog/Dialog.app/Contents/MacOS/Dialog' \ --message "Sorry, we cannot proceed with the setup of this device \n\n macOS ${macos_version_major} is no longer meets the org minimum requirements of macOS ${macos_version_major_required} \n\nPlease contact Help4U to order a new device and arrange for disposal of this device in line with our client device policy." \ --icon computer \ --title "Unsupported macOS Version" \ --button1text none \ --button1disabled \ --showonallscreens \ --loginwindow \ --infobox "* {computermodel}\n * {serialnumber}\n * macOS {osname}\n * Version {osversion}" \ --blurscreen \ --quitkey A EOF echo "Script Created" # Set script permissions chmod +x ${script_path}/${script_name} # Write LaunchAgent to load script cat <<-EOF > ${launchagent_path}/${launchagent_name} <plist version="1.0"> <dict> <key>OnDemand</key> <false/> <key>LaunchOnlyOnce</key> <true/> <key>ProgramArguments</key> <array> <string>${script_path}/${script_name}</string> </array> <key>LimitLoadToSessionType</key> <string>LoginWindow</string> <key>Label</key> <string>dts.UnsupportedmacOSVersion</string> <key>StandardErrorPath</key> <string>/var/log/dts.UnsupportedmacOSVersion.log</string> <key>StandardOutPath</key> <string>/var/log/dts.UnsupportedmacOSVersion.error.log</string> </dict> </plist> EOF echo "LaunchAgent Created" # Set LaunchAgent permissions chown root:wheel ${launchagent_path}/${launchagent_name} chmod 644 ${launchagent_path}/${launchagent_name} #Display run the script now (it will run again via launch agent after reboot) ${script_path}/${script_name} & sleep 120 # Remove and Kill Jamf Setup Manager (we dont need this anymore) if launchctl list | grep -q "$bundleID" ; then echo "unloading JSM launch daemon" launchctl unload /Library/LaunchDaemons/"$bundleID".plist fi echo "removing JSM files" rm -rfv "$appPath" rm -v /Library/LaunchDaemons/"$bundleID".plist rm -v /Library/LaunchAgents/"$bundleID".loginwindow.plist echo "forgetting $bundleID pkg receipt" pkgutil --forget "$bundleID" pkill "Setup Manager" sleep 5 rm -rf "/Applications/Utilities/Setup Manager.app/" echo "Removed JSM" fi exit 0 ``` 3. set custom trigger to 'macOSVersionCheck' or similar 4. add the following as the first action in your JSM config: ``` <dict> <key>label</key> <string>macOS Version Check</string> <key>icon</key> <string>https://path.to/icon.png</string> <key>policy</key> <string>macOSVersionCheck</string> </dict> ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

beta

v1.4.2

v1.4.1

v1.4

v1.4beta2

v1.4beta

v1.3.1

v1.3

v1.3beta

v1.2.2

v1.2.1

v1.2

v1.2beta3

v1.2beta2

v1.2beta

v1.1.1

v1.1

v1.1beta

v1.0

v1.0rc

v0.9.1-306

Labels

Clear labels

bug

documentation

duplicate

enhancement

enhancement

question

Support

wontfix

No Label enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: jamf/Setup-Manager#27