Question

macOS 10.13.2 and "User Approved MDM enrollment"

Forum|Forum|8 years ago
December 11, 2017
52 replies
246 views

+4

Winterhalter
Contributor

Per the newly issued Apple Doc https://support.apple.com/en-us/HT208019 , any new enrolls I have for clients running macOS 10.13.2 need the MDM Profile to be "approved" by a user (any user!) in order to have full functionality.

Is this something that JAMF Pro will be able to work around? (I'm on 9.81 at the moment) Is the only real "solution" to this enrolling in DEP? (the distributed nature of our organization makes DEP annoying at best) This seems like a case of Apple creating a problem that DEP is the solution for.

The profile functionality being disabled is listed in the following screenshots.

Show first post

1
2
3

Forum|pagination.label 3 / 3

F

+4

foreverkan
Contributor
Forum|Forum|1 year ago
April 1, 2024

We have a policy that runs once a day scoped to a smart group "NEEDS MDM user approval" (Advanced criteria "User Approved MDM" is "No" )

It runs the following script:

#!/bin/sh

User=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns"
description="Please approve the profile: MDM Profile"

# Open Profiles in System Preferences
open /System/Library/PreferencePanes/Profiles.prefPane

# Display JamfHelper dialog (as user to avoid errors)
Dialog=$(/bin/launchctl asuser $(id -u $User) sudo -u $(ls -l /dev/console | awk '{print $3}') "$jamfHelper" -windowType hud -icon "$icon" 
-title "IT department" -heading "APPROVE MDM" -description "$description" -button1 "OK" -defaultButton "1" -lockHUD )

sleep 60; # Wait for possible approval

# Do a recon only if user has approved the MDM
profiles status -type enrollment | grep "Approved" >/dev/null 2>&1 && jamf recon

exit

How could you create a smart group based on script's answer?