Reject enrollments for unsupported macOS versions when using SAML
I am requesting that SimpleMDM add guards for ADE where a macOS device is under 10.15. Copying directly from the enrollment authentication config:
"OSes prior to macOS 10.15 and iOS 13 using Automated Enrollment and all devices enrolled with Apple Configurator do not support SAML authentication and will not be authenticated. Optionally enroll them in a less secure initial device group."
A helpful setting for sure since it means a device can be dropped into a group with no access to organization profiles, packages, or secrets. However, the device is still allowed to enroll and takes up a license. If that Mac were lost or stolen for example, there's now one less way to stop it from being used.
My suggestion is to implement one of these options...
- Fall back to legacy basic (LDAP) auth for pre-10.15 devices when SAML is configured. In this way the old-style dialog will appear with no way to ever successfully auth. A potential attacker or other security risk now has one less way to enroll or use the device. This is configurable in Jamf Pro.
- Reject the enrollment altogether, denying the opportunity to enroll.
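To make the requested guard concrete, here is an added illustration (my own sketch, not SimpleMDM's code) of the decision logic: it classifies an enrollment by platform, OS version and method against the SAML support floor quoted above, and applies one of three policies (the current "drop into a less secure group" behaviour, the LDAP fallback, or an outright reject). The `EnrollmentRequest` fields, mode names and return values are assumptions for the example; note that versions are compared numerically, since a string compare would wrongly rank "10.9" above "10.15".

```python
from dataclasses import dataclass
from typing import Tuple

# SAML support floor per the quoted SimpleMDM note: macOS 10.15 and iOS 13.
SAML_MIN_VERSION = {"macos": (10, 15), "ios": (13,)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.14.6' into (10, 14, 6) so tuple comparison is numeric.
    A plain string compare gets this wrong: '10.9' > '10.15' lexically."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class EnrollmentRequest:          # assumed shape, constructed for this example
    platform: str                 # "macos" or "ios"
    os_version: str               # e.g. "10.14.6"
    method: str                   # "ade" (Automated Enrollment) or "configurator"


def supports_saml(req: EnrollmentRequest) -> bool:
    """Apple Configurator enrollments never support SAML; ADE enrollments
    do only from the platform's minimum version upward."""
    if req.method == "configurator":
        return False
    return parse_version(req.os_version) >= SAML_MIN_VERSION[req.platform]


def enrollment_decision(req: EnrollmentRequest, saml_enabled: bool,
                        mode: str = "reject") -> str:
    """Return the action the MDM should take for this enrollment.

    'saml'       -> authenticate via SAML as normal
    'quarantine' -> today's behaviour: enroll into a less secure initial group
    'basic'      -> option 1: present legacy basic/LDAP auth instead
    'reject'     -> option 2: refuse the enrollment (no license consumed)
    """
    if not saml_enabled:
        return "basic"              # SAML not configured: legacy flow applies
    if supports_saml(req):
        return "saml"
    if mode == "quarantine":
        return "quarantine"
    if mode == "fallback":
        return "basic"
    return "reject"
```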