@NightFlight What was the routing issue that you had? We have a pretty complicated network here and are having similar issues with profiles landing. Any direction would be much appreciated.
Unfortunately I'm back here because of the User Approved profile kafuffle. 'jamf mdm' works fine for me now, but endpoints are never user approved in time for the Kernel extensions profile. I have a script to user approve an endpoint remotely.... but here I am working late hours, waiting for all the seats to clear so I can issue user approvals.
Anyone figure out how to lock down a system - i.e. kiosk it down to useless UNTIL they user approve the MDM profile?
@jhle1 - I can't comment due to the super secret nature on some of our lines of business.
@NightFlight I guess you could create a bunch of Software Restriction policies to block all common business apps (Office, Safari, Chrome, etc) and apply them to machines where the MDM profile isn't approved yet, by using a Smart Group, so that once they have approved the MDM profile the SR policies would be removed automatically?
Looks like all our machines that matter are pretty much in DEP. Problem being that DEP enrollment isn't something you can re-run. That and I believe if you remove the framework for general troubleshooting - you lose your DEP enrollment status.
@KSchroeder - I've been re-thinking this and if I were to implement this sort of restriction without the ability to bake in instructions to approve the machine in order to release functionality - I'd have my head handed to me.
True story...I guess you could put the "how to approve MDM" instructions into the message that pops up when you block the app. It wouldn't have pictures or something like that, but might be enough?
I'm just solving problems, not with solutions that everyone will officially like :)
Yep it is scary but this is the route Apple is going. Better to get stuck in and work with the community to make it better. Apple won't listen to us but they will listen to JAMF if they file something.
11 years later and it's JUST as bad, if not worse. LOL