
Per the newly issued Apple doc https://support.apple.com/en-us/HT208019 , any new enrollments I have for clients running macOS 10.13.2 need the MDM profile to be "approved" by a user (any user!) in order to have full functionality.



Is this something that JAMF Pro will be able to work around? (I'm on 9.81 at the moment) Is the only real "solution" to this enrolling in DEP? (the distributed nature of our organization makes DEP annoying at best) This seems like a case of Apple creating a problem that DEP is the solution for.



The profile functionality being disabled is listed in the following screenshots.

@Chuey I think I ended up finding your blog yesterday anyway; it's very annoying that at present we as admins can't get round this.


@emily thanks for that information about 10.3 providing the MDM profile rather than the QuickAdd package for enrolling on High Sierra. Had a few techs reporting the "Approve" requirement (we're currently on 10.2.2 and not using DEP, so everything's still QuickAdd packages), am looking at upgrading to 10.3.1 as soon as possible.


Hey all, I am wondering if anyone else is seeing the issue (feature?) I am seeing in 10.13.3 and 10.13.4. I happen to have an all-DEP workflow at this point in time, but with a couple of different configuration workflows. One is fairly straightforward where the end user creates their own local user account as part of setup, and then that user does not have to approve the MDM profile. No problems here. The other is where no user (aside from a local management account) is created, and additional users are created via Self Service with some cocoa dialog scripting I've done. These additional users also don't seem to have to approve the MDM profile, EXCEPT when I install a user-based Wi-Fi/Active Directory certificate profile for them, and then all of a sudden the MDM profile becomes unapproved (even when I log back in as the local admin). At first I thought this was a bug only with 10.13.3 but then noticed it in 10.13.4 too (but it sounds like UAMDM has been a thing since 10.13.2 anyway). Any insight would be helpful as always, thanks!


You know what, duh... forgot all about this: https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts. This explains my problem I think.


Hello Everyone



I read all the posts and am having similar issues to most folks on this thread. Thanks @timlarsen for the link. It explains my issue, but I'm not sure what my new workflow will be.
VPP was working great until Jamf 10 (I think) and Apple introducing UAMDM. Since then we can no longer push out VPP to lab machines unless logged in as an MDM-capable (AD) account (lab machines are bound to AD at this stage). Super annoying, and it does not look good for Jamf. I read that Profile Manager can install VPP apps with no problems.



P.


This is killing me.


@bdtracey it's awful...


At least as far as kernel extension use goes...



Per Faronics:



To disable User Approved Kernel Extension Loading, boot into macOS Recovery and use the 'spctl kext-consent disable' command to completely disable the feature


Per the related Apple doc:



If you're managing User Approved Kernel Extension Loading using the spctl command and you reset NVRAM, your Mac reverts to its default state with User Approved Kernel Extension Loading enabled. You can set a firmware password on your Mac to prevent unauthorized changes to NVRAM.


https://support.apple.com/en-ca/HT208019



If you check the man page for spctl it looks like it can have some interesting uses. It also looks like it's a bad idea to completely disable spctl itself, so be careful.


Anyone have any idea how long it takes for the Jamf binaries to come over once the CA and MDM profiles have been installed? It's been over an hour and nothing's installed yet.


Hey folks. Quick question regarding our experiences with this:



We're currently using DEP for all our new devices, and we're on Jamf Pro 10.2.2 at the moment. We're still needing to user-approve the MDM profile for every single device however... is this expected with the versions we're on? Would upgrading our Jamf installation remedy it?


So there is still no way to "auto approve" the MDM profile unless you use Device Enrollment method? Irritating..


Hey, so I found this guy's site which has a great idea. It's not full automation of profiles but it DOES allow you to do this remotely!
https://jerbecause.wordpress.com/2018/02/18/remotely-approving-uamdm/



The idea is you can enable Script Editor to have control of the computer using (manual step every time) System Preferences -> Security & Privacy -> Accessibility -> + Script Editor. Once it has been given control, you can simply run the AppleScript below to approve the MDM profile. Great job Apple, you really secured those computers! /s



tell application "System Preferences" to activate

tell application "System Events"
    tell application process "System Preferences"
        set currentWindow to name of window 1
        -- Switch to the Profiles pane, then click through the Approve sheet
        click button "Profiles" of scroll area 1 of window "System Preferences"
        delay 2
        click button "Approve…" of scroll area 1 of window "Profiles"
        click button "Approve" of sheet 1 of window "Profiles"
    end tell
end tell

@tnielsen I'm 99% sure that won't work. The Accessibility settings are also protected.


Apple plugged that hole once word got out.


We have a policy that runs once a day scoped to a smart group "NEEDS MDM user approval" (Advanced criteria "User Approved MDM" is "No" )



It runs the following script:



#!/bin/sh

# Current console user (empty string at the login window)
User=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns"
description="Please approve the profile: MDM Profile"

# Open Profiles in System Preferences
open /System/Library/PreferencePanes/Profiles.prefPane

# Display JamfHelper dialog (as user to avoid errors)
Dialog=$(/bin/launchctl asuser "$(id -u "$User")" sudo -u "$(ls -l /dev/console | awk '{print $3}')" "$jamfHelper" -windowType hud -icon "$icon" \
    -title "IT department" -heading "APPROVE MDM" -description "$description" -button1 "OK" -defaultButton "1" -lockHUD)

sleep 60 # Wait for possible approval

# Do a recon only if user has approved the MDM
profiles status -type enrollment | grep "Approved" >/dev/null 2>&1 && jamf recon

exit 0
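An added example, not from the thread or from Jamf: the script above gates the recon on `grep "Approved"`, which matches anywhere in the output. The block below anchors on the `MDM enrollment:` line of `profiles status -type enrollment` (the output format on 10.13.4 and later, `Enrolled via DEP: ...` followed by `MDM enrollment: Yes (User Approved)`), distinguishes the three states a machine can be in, and polls for approval instead of sleeping a fixed 60 seconds. The sample outputs at the bottom are constructed for demonstration; `uamdm_state` and `wait_for_approval` only do anything useful on a real Mac.

```shell
#!/bin/sh
# Added example (not the thread's own code). Classifies the UAMDM state from
# the text of `profiles status -type enrollment`, read on stdin.
# Prints exactly one of: not-enrolled | enrolled-unapproved | user-approved | unknown
classify_enrollment() {
    awk '
        /^MDM enrollment:/ {
            if ($0 ~ /User Approved/)   state = "user-approved"
            else if ($0 ~ /Yes/)        state = "enrolled-unapproved"
            else                        state = "not-enrolled"
        }
        END { if (state == "") state = "unknown"; print state }
    '
}

# Prints "yes" when the same output reports a DEP (Automated Device Enrollment)
# enrollment, which is the case where no user click is needed; "no" otherwise.
dep_enrolled() {
    awk '
        /^Enrolled via DEP:/ { found = 1; print ($NF == "Yes") ? "yes" : "no" }
        END { if (!found) print "no" }
    '
}

# On a real Mac: current state as a single word (usable as an Extension Attribute).
uamdm_state() {
    /usr/bin/profiles status -type enrollment 2>/dev/null | classify_enrollment
}

# Poll until the profile is user approved or TIMEOUT seconds (default 60) pass.
# Returns 0 on approval, 1 on timeout, so a policy can run `jamf recon` only on success.
wait_for_approval() {
    timeout=${1:-60}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        [ "$(uamdm_state)" = "user-approved" ] && return 0
        sleep 5
        elapsed=$((elapsed + 5))
    done
    return 1
}

# Constructed sample outputs (not captured from a real machine), one per state.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Demonstration when run directly: prints user-approved, enrolled-unapproved, not-enrolled
for s in "$SAMPLE_APPROVED" "$SAMPLE_UNAPPROVED" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | classify_enrollment
done
```

In a policy you would replace the `sleep 60` and `grep` with `wait_for_approval 120 && jamf recon`; an empty or unexpected output (for example on a release older than 10.13.4 where `profiles status` does not exist) yields `unknown` rather than silently counting as approved.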

@AHolmdahl First of all, great post above to assist with users being notified so they can quickly remediate the issue. I have a question based on some weirdness that is happening with most of my devices. When I run this policy, systems are failing with the following error:
LSOpenURLsWithRole() failed with error -10810
when trying to open System Preferences / Profiles. Have you run into this issue? And if so, is there an edited version of this which will just pop up the notification and an OK, possibly removing the approval and the pop-up of System Preferences?


I have a Self Service policy set that will either re-enroll via DEP or prompt the end user to manually approve MDM. At first the profiles -N command appeared to work intermittently, but a ticket with AppleCare showed that the end user needs to be local admin at the time of re-enrollment.



#!/bin/bash
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)
DEPURL="https://mycompanyURL"
DEPAssigned=$(/usr/bin/profiles show -type enrollment | grep ConfigurationURL | cut -d '"' -f2)
# Minor version of the OS (e.g. 13 for 10.13), compared numerically so 10.9 sorts below 10.13
OSMinor=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk -F. '{print $2}')

#Temporarily Grant Admin Rights to Standard User for Enrollment (Apple: re-enrollment must run as a local admin)
grantedAdmin="no"
if [[ "$adminneeded" == *not* ]]; then
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    grantedAdmin="yes"
fi

if [[ "$OSMinor" -lt 13 ]]; then
    # Pre-10.13: no UAMDM, a plain re-enrollment is enough
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
    /usr/local/jamf/bin/jamf mdm -userLevelMdm
    /usr/libexec/mdmclient dep nag
elif [[ "$DEPAssigned" == "$DEPURL" ]]; then
    # Assigned to our DEP server: re-enroll through DEP, which needs no manual approval
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/bin/profiles -N
else
    # Not DEP assigned: re-enroll, then send the user to the Profiles pane to approve the MDM profile
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
    /usr/local/jamf/bin/jamf mdm -userLevelMdm
    /usr/bin/osascript -e 'tell application "Finder"
        activate
        open document file "Profiles.prefPane" of folder "PreferencePanes" of folder "Library" of folder "System" of startup disk
    end tell'
fi

#Leave Admin rights intact if the account was already elevated; revoke only what we granted
if [[ "$grantedAdmin" == "yes" ]]; then
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
fi

@daniel.behan does this work if an enrollment MDM profile Failed after enrollment?



I am having this issue where, if a user does not sign in right away, the main MDM profile will not install on the machine, and it will not let me add the profile without having to re-image the machine, which is a real PITA!



The challenge I am facing is putting in the correct time hooks, as some machines are faster than others.



Thanks


@CorpIT_eB It usually works as long as there are no other MDM issues, or if a tech uses the "Remove MDM Profile" Management command. In some cases, I've had to clear the apsd.keychain from /Library/Keychains


@AHolmdahl I have tried your script in testing; however, upon clicking OK from the nag pop-up, System Prefs never opens. It bounces for a minute or so, then stops bouncing and needs to be force quit.



Any suggestions?



Cheers


@TimT I am running into the same issue. Appears to be that com.apple.preferences.configurationprofiles.remoteservice has to be launched as well for the Profile Pane to successfully open without having to force quit. I am struggling to find the command to open along side the /System/Library/PreferencePanes/Profiles.prefPane



@AHolmdahl Do you happen to have any suggestions or a way to launch that process alongside the Profiles pane to open it up successfully? I recently took over the company's Jamf and half of the machines are still pending approval, making it difficult to push user-approved kernel extensions.



Any suggestions are much appreciated.



Thanks!


@awueschinski The way I was able to do this successfully was by running it as the currently logged in user. I have seen the issue where Profiles just bounces and this is what fixed it for me, here is a simple example.



#!/bin/sh
# Owner of /dev/console is the logged-in GUI user (third column of ls -l; awk is
# immune to the column padding that breaks cut -d " ")
consoleuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
sudo -u "$consoleuser" open /System/Library/PreferencePanes/Profiles.prefPane


Give it a try and let me know if it works !


Hi there - I am trying to use the following script to see if I can get MDM Approval working for end-users (just early testing stages) and I am getting the following error: Expected expression but found unknown token



!/bin/sh



consoleuser=/bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4
sudo -u $consoleuser open /System/Library/PreferencePanes/Profiles.prefPane



Any help would be greatly appreciated :)


@P.Featherstonhaugh, I found a couple of things and fixed them. You need a proper shebang on line 1 that includes the pound symbol (hash). Also, when running commands and assigning their results to a variable, you need to wrap them in $( ).



The following works for me here.



#!/bin/sh
# Owner of /dev/console is the logged-in GUI user
consoleuser=$( /bin/ls -l /dev/console | /usr/bin/awk '{print $3}' )
sudo -u "$consoleuser" open /System/Library/PreferencePanes/Profiles.prefPane
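An added example, not code from any poster in this thread: the two snippets above run `open` as the console user, which is the fix for the bouncing Profiles pane and is commonly what is missing when a root-run policy hits the LSOpenURLsWithRole error quoted earlier, since root has no GUI session to hand the open request to. The block below packages that into reusable functions and handles the case the one-liners ignore: nobody is logged in, or the console is owned by root, loginwindow or _mbsetupuser (Setup Assistant), in which case the caller gets exit status 2 and can skip or retry rather than hang. It uses `launchctl asuser` plus `sudo -u`, as AHolmdahl's jamfHelper call does. The `who` lines at the bottom are constructed for demonstration, not captured from a real machine; `run_as_console_user` itself only does something on a Mac.

```shell
#!/bin/sh
# Added example (not the thread's own code).
# console_user_from_who reads `who` output on stdin and prints the user that owns
# the console session, or nothing when no real user is logged in. Sessions owned
# by root, loginwindow or _mbsetupuser are treated as "no user", because `open`
# and jamfHelper need a real GUI session to attach to.
console_user_from_who() {
    awk '$2 == "console" && $1 != "root" && $1 != "loginwindow" && $1 != "_mbsetupuser" { print $1; exit }'
}

# On a real Mac: the current console user, or empty.
console_user() {
    /usr/bin/who | console_user_from_who
}

# run_as_console_user CMD [ARGS...]
# Runs CMD inside the console user's launchd session so GUI calls (open,
# jamfHelper, osascript) reach their window server. Returns 2 when nobody is
# logged in; otherwise returns CMD's own exit status.
run_as_console_user() {
    user=$(console_user)
    [ -n "$user" ] || return 2
    uid=$(/usr/bin/id -u "$user")
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" "$@"
}

# Constructed sample `who` output (not from a real machine).
WHO_LOGGED_IN='alice    console      Jun 10 09:12
alice    ttys000      Jun 10 09:13'
WHO_SETUP_ASSISTANT='_mbsetupuser console      Jun 10 09:12'
WHO_NO_GUI='bob      ttys000      Jun 10 09:12'

# Demonstration when run directly: prints "alice", then two empty lines.
for w in "$WHO_LOGGED_IN" "$WHO_SETUP_ASSISTANT" "$WHO_NO_GUI"; do
    printf '%s\n' "$w" | console_user_from_who
    echo
done

# On a Mac, the equivalent of the one-liners in this thread (path assumed from the thread):
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--open-profiles" ]; then
    run_as_console_user /usr/bin/open /System/Library/PreferencePanes/Profiles.prefPane \
        || echo "no console user logged in (exit $?)" >&2
fi
```

In a Jamf policy the important part is the return code: a script that calls `run_as_console_user` and sees 2 should exit non-zero so the policy shows as failed and re-runs at the next check-in with a user present, instead of reporting success for a dialog nobody saw.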

Try it like this:



tell application "System Preferences" to quit
tell application "System Preferences" to activate

tell application "System Events"
    tell application process "System Preferences"
        set currentWindow to name of window 1
        -- Navigate to the Profiles pane if it is not already showing
        if currentWindow does not contain "Profiles" then
            click button "Show All" of group 1 of group 2 of toolbar 1 of window 1
            delay 2
            click button "Profiles" of scroll area 1 of window "System Preferences"
            delay 2
        end if

        tell window "Profiles"
            -- Select the row for the MDM Profile in the profile list
            tell scroll area 2
                repeat with aRow in row of table 1
                    if value of static text of UI element 1 of aRow starts with "MDM Profile" then
                        select aRow
                        delay 1
                    end if
                end repeat
            end tell
            click button "Approve…" of scroll area 1
            click button "Approve" of sheet 1
        end tell
    end tell
end tell
tell application "System Preferences" to quit


Save it as an MDMapprove.scpt file.
Run it via Terminal: osascript (file path)



Make sure Terminal and Script Editor are added under Accessibility. Tested manually; not yet via Jamf.



If running via Jamf, you can create a configuration profile via PPPC to allow Terminal and Script Editor under Accessibility.

