Allow Profile installation dependent on macOS Versions
Allow certain profiles to only be deployed to certain versions of macOS.
I would like to be able to deploy certain profiles ONLY if the current macOS version is 10.16 or above. The MDM spec reports the OS version so using this as criteria for profile deployment would be a big enhancement going forward.
OS version scoping is now available for System Extensions, Kernel Extensions, and Custom Configuration Profiles. Scoping functionality will continue to be added to other profiles in the near future.
-
soberhofer commented
For many use cases it isn't even needed to customize which profiles are available for which macOS Versions.
Mostly I think it's about Profiles that need to be installed after a macOS Upgrade, for Payloads that haven't existed prior, but you can't just deploy it before the upgrade and have the OS enforce it once the payload is available. -
Carl commented
Being able to scope OS versions to custom and first party profiles is important.
Presently my priority is being able to stop KEXT profiles being deployed to Big Sur - especially on M1 hardware. -
miawri commented
Any update on this one?
We have a particular custom configuration profile that we do not want to apply to macOS 11 and above. Being able to scope the profile would be very useful! -
Carl commented
Yes! This would be very welcome!
Being able to specify minimum macOS version for custom configurations as well as the first party configurations in the SimpleMDM web UI would be quite helpful. -
Eric Holtam commented
Not necessarily only Custom configurations. OS specific requirements can be introduced for any type of management profile - custom or 1st party.
As Apple's management methods continue to grow and depend on MDM specific delivery, it's critical that payloads install when the OS understands how to use them. Apple also doesn't respect profiles when upgraded that are installed on OS versions that don't understand the management keys at the time.
One issue with this is that the profile can appear to be installed but the payload is not respected. The presence of the payload doesn't mean the management is there. If the payload can be restricted to not even install until a certain OS is detected, that can help with admins checking to see if the proper management profile is installed before proceeding with a software install, etc.
One example would be for the new System Extension management of Big Sur. The way system extensions are implemented in macOS, once the sysext tries to load, if the payload to allow that sysext to load isn't there the _only_ way to allow the sysext is to manually click buttons with an admin account. Even if the payload is installed after the sysext is in approval mode it won't allow it silently. Admins need to be sure that the payload is installed prior to installing any software that uses a sysext. Again, the presence of the profile in System Preferences doesn't mean that the system is respecting it.
-Eric
-
miawri commented
Primarily, yes but I would also like to be able to deploy other payloads by macOS Version.
-
AdminSimpleMDM (--------, SimpleMDM) commented
Are you interested in this feature primarily for Custom Configuration Profiles?
-
Steve Yuroff commented
YES, please. I'm realizing the adaptations that I'll have to make to change from having munki deploy profiles when necessary to having to move this task to SimpleMDM. Being smart about the OS version and behaving accordingly would be nice.
-
miawri commented
Please implement this function before macOS 11 lands. Profile installation criteria in Big Sur makes it essential that we can specify minimum OS versions.
-
Eric Holtam commented
I second this though I’m out of votes apparently. Some payloads are only applicable to specific OS versions. macOS is dumb and will not reassess a payload if it is delivered prior to it knowing what to do with it. Having payloads only install when the OS supports it would address some timing issues with compatibility.
-
miawri commented
I've just noticed that a Group can have 'OS Rules' for iOS. Can this be modified to allow the same for macOS? This would allow us to target certain profiles at OS versions e.g. >= 10.16