I've been trying to wrap my brain around the User Approved MDM Profile thing. Why would we allow users to NOT approve our company's MDM? Doesn't that give them a way to avoid being managed? We need our MDM to be 100% approved at all times with no way for the user to have a say one way or the other - HIPAA requirements and such. And it has to be approved every time Tomcat on the server is restarted? I'm trying to understand how this is possibly a good thing.

In my experience if you restore a user's data using Migration Assistant and then attempt to install a Device Assigned VPP app, such as Numbers, to a computer, it has to enable the local user account as the MDM enabled user and that causes User Approved MDM enrollment to change to an unapproved state wherein Jamf Pro believes the device is no longer enrolled by DEP. I don't believe there is anything JAMF can do (other than lay heat on Apple).



I don't run into this often because we primarily use directory (mobile) accounts which are all MDM enabled. When working with a department or user that is using one or more local accounts I have experienced this.



If anyone has access to file a radar or enterprise case please do.


I don't know if "Appleseed for IT" is any different than Appleseed, but we have to file bugs there as well.
People often confuse talking in the seed fora vs filing a bug that something will happen. Even with bugs filed, it's questionable what actually gets addressed by Apple as is being discussed at this moment in one forum...


Appleseed for IT is specifically designed for feedback on products from IT organizations that manage Apple tech. Every submission I've sent has gotten helpful feedback and had issues reported up to engineering. It is 💯worth the effort of submitting them.


Oh, it's 100% worth filing them, what's being discussed is Apple not being able to discuss much after that in the forums.
The reasons being many, but the frustration is not hearing back once feedback is submitted (via feedback app or web portal).



We used to get more replies from Apple folks, and now, we only know it's been submitted and rarely get much in return from them.
I think the issue mainly is info being discussed will leak out and then could cause issues for Apple.



For sure everyone - whether part of any seed group or not - should file feedback with Apple.


Is this fixed? It should work without approving on Macs enrolled via PreStage Enrollment, right?


Does anyone have any suggestions for the following issue?






@djrory I was going to simply produce a user doco for approving the MDM Profile, then set up a Jamf policy targeting machines whose MDM Profile is not approved to deliver a Jamf notification message, hopefully with 2 buttons: "More Info" to open the link to that user doco, and "Ok" to open Self Service, which should present the instructions for approving the MDM Profile to the user as well.



Other than that, on 10.14+, you can remote onto the machine, log in and approve the MDM Profile under your/your admin login.



Then bulk delete all the failed/pending commands.
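
Scoping a policy like the one in the post above needs a per-machine approval state. As an added example (not part of the thread and not Jamf's own code), this extension attribute sketch classifies the output of `profiles status -type enrollment`; the function names and sample text are constructed, and it assumes the `Enrolled via DEP:` / `MDM enrollment:` line format that macOS prints for that command.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute sketch (hypothetical helper names).
# Classifies the text printed by `profiles status -type enrollment`.

# Constructed sample of an enrolled Mac whose MDM profile is not user approved.
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'

# Reads status text on stdin; prints the MDM approval state.
classify_enrollment() {
    mdm_line=$(grep -i '^[[:space:]]*MDM enrollment:' | head -n 1)
    case "$mdm_line" in
        *"User Approved"*) echo "User Approved" ;;
        *": Yes"*)         echo "Not User Approved" ;;
        *": No"*)          echo "Not Enrolled" ;;
        *)                 echo "Unknown" ;;   # command failed or format changed
    esac
}

# Reads status text on stdin; prints whether the Mac reports DEP enrollment.
dep_enrolled() {
    dep_line=$(grep -i '^[[:space:]]*Enrolled via DEP:' | head -n 1)
    case "$dep_line" in
        *": Yes"*) echo "Yes" ;;
        *": No"*)  echo "No" ;;
        *)         echo "Unknown" ;;
    esac
}

# Only query the system where the macOS `profiles` tool exists.
if command -v profiles >/dev/null 2>&1; then
    status_text=$(profiles status -type enrollment 2>/dev/null)
    mdm_state=$(printf '%s\n' "$status_text" | classify_enrollment)
    dep_state=$(printf '%s\n' "$status_text" | dep_enrolled)
    # Jamf Pro reads the extension attribute value from <result> tags.
    echo "<result>${mdm_state}; DEP: ${dep_state}</result>"
fi
```

Reporting the DEP line alongside the approval state also surfaces machines that flipped from approved to unapproved after a migration, as described earlier in the thread.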


Nice, I approved and configured one of the machines last month.
But after a month the same machines are again asking to approve the MDM. Is there any issue with the profile?
The user did not try anything with MDM or Jamf.