ADE Setup Assistant fails to update macOS Sonoma to target version when newer one is available

Originator: michalm.mac
Number: rdar://FB13691581
Date Originated: 2024-03-19
Status: Open
Resolved:
Product: macOS
Product Version: 14.3
Classification: Incorrect/Unexpected Behavior
Reproducible: Always
 
# Description

In Kandji MDM we are trying to use the new Sonoma feature "Require minimum OS version" during Automated Device Enrollment.
Unfortunately, it always fails in the following scenario:
- macOS installed on the device: 14.3 (23D56)
- Target version is set to: 14.3.1 (via "Version must be greater than or equal to" setting in "Automated Device Enrollment Configuration" Kandji Library item)
- Latest macOS version currently available from Apple: 14.4 (23E214)
- Result: Error message "System update could not be installed" (see attached screenshot su_error.jpg)
- Platform: Observed on several Apple Silicon Macs:
  - M1 2020 MacBook Pro (13-inch, M1, 2020)
  - M3 2023 MacBook Pro (14-inch, M3 Pro or M3 Max, Nov 2023)


# Reproducibility

Always. I can reproduce this on my test machine consistently.
I am able to reproduce the issue with different combinations of installed macOS and update target:

- 14.3 installed, 14.3.1 target (su_error.jpg)
- 14.2.1 installed, 14.3.1 target (su_error_14-2-1_to_14-3-1.jpeg)
- 14.2.1 installed, 14.3 target (su_error_14-2-1_to_14-3.jpeg)


# Steps to reproduce

1. In Kandji, add an "Automated Device Enrollment Configuration" library item and assign it to a blueprint
2. Enable the "Require minimum OS version (macOS 14+)" feature and set "Version must be greater than or equal to" to 14.3.1
3. In Apple Business Manager, assign the Mac to the Kandji MDM server so the blueprint and configuration from the previous steps are applied to the device during Automated Device Enrollment
4. Restore Mac to macOS 14.3.1 (23D56) by using IPSW in DFU mode
5. Boot up the Mac and proceed through Setup Assistant.
6. After the Remote Management pane, the Software Update pane appears with the following message: "Your Mac is required to update to "14.3.1". The currently installed version is 14.3 (23D56)" (see attached picture su_pane.jpeg). Click on Continue.


# Expected result

Setup Assistant is able to update the Mac, either to 14.3.1 or to the latest version available, so the user does not get stuck.


# Actual result

The following error message is displayed: "System update could not be installed. The software update required for this Mac by your organization could not be installed. Contact your administrator for assistance. Current Version: 14.3 (23D56) Required Version: 14.3.1"
See attached picture su_error.jpg

When the user clicks on "Continue", the Remote Management pane appears again. The user can click Continue to see the Software Update pane fail again -> the user gets stuck in an infinite loop.


# Workaround

Set "Version must be greater than or equal to" to 14.4 (latest available version!). During the next attempt in Setup Assistant's Software Update pane there is no error and the update can be installed without a problem.


# Logs

I can see the following message from the `mdmclient` process:

```
[0:MDMDaemon:<0xab4b>] Received 403 response: {
    code = "com.apple.softwareupdate.required";
    description = "Description (for logging purposes)";
    details =     {
        OSVersion = "14.3.1";
    };
    message = "Message (for user)";
}
```

Then I see these messages from the Setup Assistant process:

```
[ERROR] [248:CPUI_FW:<0xac23>] Failing enrollment because MDM requires software update: {
    OSVersion = "14.3.1";
}
```

```
Preparing MDM Update with Product Marketing Version: 14.3.1 and Build Version: (null)
```

```
Starting Software Update for Product Marketing Version: 14.3.1
```

And finally:

```
Software Update failed to install: The operation couldn’t be completed. (SUOSUErrorDomain error 300.)
```

# Final thoughts

To me this looks like a problem on the client (macOS). Based on the log output, it appears the client receives a 403 error and the correct payload as specified by https://github.com/apple/device-management/blob/39e2a8223418ec2eeffb084177ea8bd706114eb0/mdm/errors/softwareupdate.required.yaml#L4
Then it proceeds to the actual software update process, which fails.

Speculation: Setup Assistant wants to install 14.3.1 but softwareupdated returns 14.4 instead?

I have reached out to Kandji support. They are aware of the problem and they agree this looks to be an issue in macOS rather than MDM server.
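
For administrators triaging the same failure from a collected log, the following added example (not part of the original report, and not Apple or Kandji code) correlates the `com.apple.softwareupdate.required` 403 payload with the later Software Update failure. The function name `triage`, the verdict strings and the assumption that the log lines keep the layout quoted above are hypothetical.

```python
import re

# Constructed sample: the log excerpts quoted in this report, joined in order.
SAMPLE_LOG = """\
[0:MDMDaemon:<0xab4b>] Received 403 response: {
    code = "com.apple.softwareupdate.required";
    description = "Description (for logging purposes)";
    details =     {
        OSVersion = "14.3.1";
    };
    message = "Message (for user)";
}
[ERROR] [248:CPUI_FW:<0xac23>] Failing enrollment because MDM requires software update: {
    OSVersion = "14.3.1";
}
Preparing MDM Update with Product Marketing Version: 14.3.1 and Build Version: (null)
Starting Software Update for Product Marketing Version: 14.3.1
Software Update failed to install: The operation couldn't be completed. (SUOSUErrorDomain error 300.)
"""

# Assumption: the 403 payload ends at the first "}" in column 0, as in the excerpt.
RE_403 = re.compile(r'Received 403 response: \{(.*?)^\}', re.S | re.M)
RE_CODE = re.compile(r'code = "([^"]+)";')
RE_OSVER = re.compile(r'OSVersion = "([^"]+)";')
RE_START = re.compile(r'Starting Software Update for Product Marketing Version: (\S+)')
RE_FAIL = re.compile(r'Software Update failed to install: .*\((\w+) error (\d+)\.\)')

def triage(log_text):
    """Report what the MDM required, what Software Update attempted, and the outcome."""
    result = {"required": None, "attempted": None, "error": None, "verdict": "no_update_gate"}
    block = RE_403.search(log_text)
    if block:
        code = RE_CODE.search(block.group(1))
        ver = RE_OSVER.search(block.group(1))
        if code and code.group(1) == "com.apple.softwareupdate.required" and ver:
            result["required"] = ver.group(1)
    if result["required"] is None:
        return result  # enrollment was not gated on a minimum OS version
    start = RE_START.search(log_text)
    fail = RE_FAIL.search(log_text)
    result["attempted"] = start.group(1) if start else None
    if fail:
        result["error"] = (fail.group(1), int(fail.group(2)))
        result["verdict"] = "update_failed_enrollment_blocked"
    elif start:
        result["verdict"] = "update_started"
    else:
        result["verdict"] = "update_required_not_started"
    return result
```
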
