Starting in macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges, beyond what is allowed for macOS MDM enrollments which have not been “user approved”. As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a whitelist for third-party kernel extensions. However, I would anticipate that this list will grow over time.
Starting in macOS 10.13.4, you can use the profiles command line tool to determine if a machine is enrolled in an MDM, and if user-approved MDM is enabled. To do this, run the command shown below:
profiles status -type enrollment
Depending on your MDM enrollment status, you may see one of the following:
No MDM enrollment
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
computername:~ username$
MDM enrolled, without user-approved MDM enabled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes
computername:~ username$
MDM enrolled, with user-approved MDM enabled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
computername:~ username$
DEP Enrolled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
computername:~ username$
Note: If your Mac is enrolled in Apple’s Device Enrollment Program (DEP), it automatically gets user-approved MDM.
To help detect if a particular Mac has user-approved MDM enabled, I’ve written a script. For more details, please see below the jump.
The script first checks the OS on a particular Mac and verifies that it is running macOS 10.13.4 or later. If the Mac is running an earlier OS, the script reports the following:
Unable To Detect User-Approved MDM On, followed by the OS version.
If the script verifies that the Mac is running macOS 10.13.4 or later, the script continues on to determine if the Mac has user-approved MDM enabled.
If the Mac has user-approved MDM enabled, the script reports the following:
Yes
If the Mac does not have user-approved MDM enabled, the script reports the following:
No
The script is available below, and at the following address on GitHub:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/detect_user-approved_mdm
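As an added illustration of the logic described above (this is not the author's script from the GitHub link), the following shell functions gate the check on the OS version and parse the profiles output. Both inputs are passed in as strings, so the parsing can be exercised with constructed output on any machine; the commented line at the end shows the live call on a Mac. Beyond the post's Yes/No result, the classifier also distinguishes an enrolled-but-not-approved Mac from one that is not enrolled at all.

```shell
#!/bin/bash
# Added example (not the author's script): decide whether a Mac's MDM
# enrollment is user approved by parsing the output of
# `profiles status -type enrollment`, which exists only on 10.13.4 or later.

# Returns 0 when version "$1" (for example "10.13.4") is 10.13.4 or later.
os_supports_uamdm_check() {
  local old_ifs major minor patch
  old_ifs=$IFS; IFS=.
  set -- $1                     # split "major.minor.patch" into $1 $2 $3
  IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  [ $(( major * 1000000 + minor * 1000 + patch )) -ge 10013004 ]
}

# Classifies the captured profiles output in "$1" and prints one of:
#   Approved     - "MDM enrollment: Yes (User Approved)"
#   NotApproved  - "MDM enrollment: Yes" without the approval marker
#   NotEnrolled  - anything else ("MDM enrollment: No", empty output)
classify_enrollment() {
  case "$1" in
    *"MDM enrollment: Yes (User Approved)"*) echo "Approved" ;;
    *"MDM enrollment: Yes"*)                 echo "NotApproved" ;;
    *)                                       echo "NotEnrolled" ;;
  esac
}

# Reports the same three results the post describes: "Yes", "No", or
# "Unable To Detect User-Approved MDM On <version>". "$1" is the OS
# version, "$2" the profiles output, so the logic runs without a Mac.
detect_uamdm() {
  if ! os_supports_uamdm_check "$1"; then
    echo "Unable To Detect User-Approved MDM On $1"
    return 0
  fi
  if [ "$(classify_enrollment "$2")" = "Approved" ]; then
    echo "Yes"
  else
    echo "No"
  fi
}

# Live use on a Mac (commented out so the example also runs elsewhere):
# detect_uamdm "$(sw_vers -productVersion)" "$(profiles status -type enrollment)"
```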
A complementary Jamf Pro Extension Attribute is available at the following address on GitHub: