Skip to main content

Hello,

We are using Jamf Connect for account creation with Automatic Device Enrollment. Because of this, our user accounts are not managed users, per @rabbitt 's post https://community.jamf.com/t5/tech-thoughts/mdm-capable-mdm-enabled-or-mdm-managed-users-why-to-not-use-user/ba-p/276926 . 

We are trying to deploy user certificates but because they are not managed users, the certs go to the System Keychain. Exporting the cert and importing into Login Keychain is not an option for us. We know that we can re-enroll the devices to obtain MDM Enabled user accounts but it is inelegant. 

Are there other commonly used solutions out there of which we are unaware? How does your organization get around this problem?

 

Thank you,

Rafe Moody

 

There is no way to change your MDM-Enabled User from the local admin account without renrolling the device in to JAMF. Generally speaking its best to target configuration profiles at system instead of user for macOS and use other methods to identify the user's identity like Kerberos tickets. The user level stuff is more of a Windows workflow that Apple wants nothing to do with.

 

MDM-Enabled Local User Accounts - Jamf Pro Administrator's Guide | Jamf

 

There is no way to change your MDM-Enabled User from the local admin account without renrolling the device in to JAMF. Generally speaking its best to target configuration profiles at system instead of user for macOS and use other methods to identify the user's identity like Kerberos tickets. The user level stuff is more of a Windows workflow that Apple wants nothing to do with.

 

MDM-Enabled Local User Accounts - Jamf Pro Administrator's Guide | Jamf


AJPinto,
Thank you for your response. As a rule, we avoid user level configs. Unfortunately, our InfoSec requires Machine Certs and User Certs to access our VPN. I believe they want to confirm both user and device and have ruled out username and password as a stand ins for User Certs. Kerberos is not an option in this case because we would need to connect to VPN to get to our on premise servers for Kerberos tickets. Any other insights would be helpful.

Thank you,

Rafe

Reply


Terms & ConditionsCookie settings