MDM Capable Users empty with Jamf Connect

glpi-ios
Contributor III

Hello,

Can you please tell me how you manage MDM Capable Users with Jamf Connect?

We use Jamf Connect but on all of our computers the Capable Users MDM is empty.
This is very problematic, because no more VPP applications, no more user level configuration profiles, etc...

Our devices are enrolled via DEP, macOS 11 or more recent.

The un-enroll and re-enroll solution is not acceptable for us; we have hundreds of new computers per month.

I'm amazed that it's so complicated for such basic and important things.

Thank you for your help

9 REPLIES

glpi-ios
Contributor III

Other information: our users are not administrators of their computers.

Thank you

peterlbk
Contributor

If no other MDM profiles are installed, you may want to try resetting the profiles; the user has to accept, though. Just send this command:
/usr/sbin/profiles renew -type enrollment

glpi-ios
Contributor III

Hello @peterlbk 

Thanks for your answer.

So when we prepare DEP computers, they enroll automatically, but you have to renew the enrollment afterwards for each new Connect session, with user validation?

Is there no other way?

Is Apple aware that they complicate the task of administrators 😔?

Thank you

glpi-ios
Contributor III

Sorry, but when I run the command line I get the following error:

/bin/sh: /usr/sbin/profiles: No such file or directory

And when a user tries 'profiles renew -type enrollment', you have to run it with sudo, but our users are not admins.

peterlbk
Contributor

Sorry, that path is /usr/bin/profiles

Anyway, you can put it in a Jamf policy under Files and Processes, pasting it in the Execute Command field.

It will run as root and show up in the user space.

glpi-ios
Contributor III

Thank you for your help.

Another point: we have devices that already have an MDM Capable account, and we cannot log in to these accounts.
How can the MDM Capable User be changed remotely?
Because when we try the command line, we get the following error:

Error: Renewing DEP enrollment failed: Enrollment was initially performed by "<LOGIN>". Log in with this account to update it. (MDMDeviceEnrollment:102)

I'm sorry to be annoying like that, but I really think Apple is exaggerating.

Thank you,

peterlbk
Contributor

That's a tricky one; I refer to https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/MDM-Enabled_Local_User_Accounts.html

You can set them at the user level, but then there is no valid UAMDM.

glpi-ios
Contributor III

And what are the consequences if the users are not MDM Capable?
Because at this point I give up; all these procedures are becoming too penalizing.

Anyway, thank you very much for taking the time to help me.

glpi-ios
Contributor III

Hi,

I can read this in the Jamf Pro documentation:

User accounts on computers can be MDM-enabled (formerly MDM-capable) to allow an MDM solution to manage certain user-specific management settings. You need MDM-enabled users to do the following:

  • Deploy user-level configuration profiles.

  • Receive the EDU profile via the user channel for managed classes.
    For more information, see Classes.

Does this mean that it is no longer necessary to have an MDM Capable user to trigger an installation of a VPP application, as was the case in the past?

Thank you