Big Sur - No management profile to approve?

mikemangino
New Contributor III

Hey all,

Got a machine here to enroll, download the QuickAdd.pkg, everything appears to work as expected. Starting up Self Service the first time gives the popup about approving the MDM profile in System Preferences, but when I click the button to go over into Sys Pref, there's no profile there to approve. Totally blank. Is there an extra step or a different method now?

Thanks!

2 ACCEPTED SOLUTIONS

garybidwell
Contributor III

Big Sur doesn't allow this, as the QuickAdd uses the "profile" command to install the config profile, which has been deprecated by Apple.
Only UIE enrolment or ADE (DEP) enrolment is supported with Big Sur.


mainelysteve
Valued Contributor II

https://docs.jamf.com/10.25.0/jamf-pro/release-notes/What%27s_New.html (4th paragraph/section).

TLDR: QuickAdd isn't recommended for enrollments. Especially Big Sur clients.


22 REPLIES

sirsir
Contributor

Also curious about this.

garybidwell
Contributor III

Big Sur doesn't allow this, as the QuickAdd uses the "profile" command to install the config profile, which has been deprecated by Apple.
Only UIE enrolment or ADE (DEP) enrolment is supported with Big Sur.

mainelysteve
Valued Contributor II

https://docs.jamf.com/10.25.0/jamf-pro/release-notes/What%27s_New.html (4th paragraph/section).

TLDR: QuickAdd isn't recommended for enrollments. Especially Big Sur clients.

mikemangino
New Contributor III

Thanks! We don't use DEP, and I have ONLY ever done QuickAdd.

I assume I start here? https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/User-Initiated_Enrollment_for_Computers.html

Also, I assume the user will have to be an admin on the machine to do this?

mainelysteve
Valued Contributor II

@mikemangino Yes. The last time I did a UIE it prompted for admin creds. I assume you must have a small install base if you were using the QuickAdd to enroll and don't use DEP/ADE?

sdagley
Esteemed Contributor II

@mikemangino Is there a reason you're not using DEP/ADE? It's pretty clear that Apple is moving to a model where managing Macs will necessitate they be in ASM/ABM and enrolled with an MDM.

dmw3
Contributor III

We have a support case in with Jamf for this. Case #: JAMF-2100576

Even enrolling via Jamf Remote we have this issue.

For our computers with Big Sur installed, no Configuration Profiles are installing. All Configuration Profiles are in a Pending state.
From Terminal:
profiles status
There are no configuration profiles installed on this system

Also on opening Self-Service.app there is a request to Approve the MDM Profile, this happens on each launch of the app. If the request box is clicked, opens System Preferences/Profiles which is showing no profiles.
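A check for the state described in the post above, as an added example that is not part of the original thread: it classifies the text printed by `profiles status -type enrollment` (a different invocation from the `profiles status` shown in the post). The sample outputs are constructed and the state keywords are hypothetical names chosen for this sketch.

```shell
#!/bin/sh
# Added example: classify MDM enrollment state from the text printed by
# `profiles status -type enrollment` on macOS.

# Constructed sample outputs for the three states discussed in the thread.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# classify_enrollment TEXT -> prints one state keyword (hypothetical names).
classify_enrollment() {
    mdm_line=$(printf '%s\n' "$1" | grep -i '^MDM enrollment:' | head -n 1)
    case "$mdm_line" in
        *"User Approved"*) printf '%s\n' "enrolled-user-approved" ;;
        *": Yes"*)         printf '%s\n' "enrolled-not-approved" ;;
        *": No"*)          printf '%s\n' "not-enrolled" ;;
        *)                 printf '%s\n' "unknown" ;;  # empty or unexpected output
    esac
}

# enrolled_via_ade TEXT -> exit status 0 if the device reports ADE (DEP) enrollment.
enrolled_via_ade() {
    printf '%s\n' "$1" | grep -qi '^Enrolled via DEP: Yes'
}

# On a Mac, classify the live output; elsewhere, walk the constructed samples.
if command -v profiles >/dev/null 2>&1; then
    classify_enrollment "$(profiles status -type enrollment 2>/dev/null)"
else
    for sample in "$SAMPLE_APPROVED" "$SAMPLE_UNAPPROVED" "$SAMPLE_NONE"; do
        classify_enrollment "$sample"
    done
fi
```

A result of `enrolled-not-approved` corresponds to the situation in this thread where Self Service keeps asking for the MDM profile to be approved.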

garybidwell
Contributor III

Big Sur has completely changed the way profiles can be interacted with.
If you are not using ADE (including Auto Advance and Apple Configurator) then UIE is the only other supported method by Apple for macOS 11 Big Sur currently.
i.e. https://yourjamfserver.com/enrol
Normally all other methods will use a profiles command in the background at some point, which is no longer allowed to run non-interactively or without the direct input from the end user.

This article outlines why Apple has stopped this method
https://www.zdnet.com/article/new-apple-macos-big-sur-feature-to-hamper-adware-operations/

Here is a slide from an Apple Big Sur deep dive presentation - the first point is the killer for older methods of enrolment into MDM for Big Sur


If you still wish to use the old methods then they must be enrolled when still running macOS Catalina (or earlier) and then upgraded to macOS Big Sur post enrolment

I'm sure some clever developer may possibly find a way around this, but also I'm sure Apple will shut that door soon after like they have done with imaging and you will end up swimming against the tide of change.

Saying that, I'm finding the new UIE process is a worse user experience in Big Sur than in Catalina.
Previously once the profile was downloaded it installed and brought up the System Profiles - Profiles presence right up front for the user to approve the MDM profile.
Now in Big Sur it installs it (but doesn't activate) and just shows a small notification banner in the top right corner (which is very easily missed by a user) that they have to open System Profiles - Profiles and manually activate.

Chris_Hafner
Valued Contributor II

@mikemangino Yes. The end-user must be an admin and should be the holder of the secure token. At least for this specific process. It's super easy though and will likely save you the hassle of having to install the quickadd.pkg each time. You just log into the enrollment site and install the profiles. If these are company-owned, check out DEP. It makes this much simpler.

wmehilos
Contributor

@sdagley Plenty of us still have older purchases that weren't put into ASM/ABM. I only ever got on the old Apple Deployment Program in 2018, so with, generally, a 4 year lifecycle on any given machine, only about half my fleet has been "converted" over.

sdagley
Esteemed Contributor II

@wmehilos The potential for it working varies from vendor to vendor, but you should be able to ask that your purchases made prior to joining the DEP program in 2018 be added to your ASM account.

dmw3
Contributor III

@garybidwell We think our main issue is that we do not see the MDM Profile to approve it. Just comes back with a blank Profile Preference dialog box. See screenshot.

JustDeWon
Contributor III

.

mikemangino
New Contributor III

Ugh, UIE can't be used with the local users in Jamf, you HAVE to connect back to LDAP? This is deeply suboptimal.

jocbaz
New Contributor

Big Sur 11.3 | Jamf disabled profiles, as part of sec policies, but the installation failed, and I cannot reinstall Self Service. Is there a way to re-enable Profiles? Currently it is grayed out. Thank you

vmaraschiello
New Contributor

Hello all, has anyone figured out how to use UIE successfully? Please give specific configuration adjustments or pics. Please do not write "it's super easy". We know QuickAdd does not work. Steps please. TY

scottb
Honored Contributor

UIE for Jamf 

 

It's easy 😎

@scottb thanks, but the question for this thread deals with Big Sur specifically. So from what I have been reading and what rings true in my case is that when you do a UIE it downloads the quick package (in "Big Sur OS"); the quick package does not allow the MDM profile to load with "Big Sur". As a matter of fact, the process (quickadd) does not load or install any profiles. In Jamf admin it shows all profiles as pending. So "Not easy". Again, if anyone has figured this out please show the correct configuration or steps to get the profiles installed on a "Big Sur OS". Thank you!

As long as your version of Jamf Pro is recent and the user agent on your browser hasn't been monkeyed with then it should download an MDM profile or trust and MDM profile.

Have you checked that you meet the requirements for this? Are you on-prem or cloud hosted?

@mainelysteve running cloud version 10.34.0-t1636381463 (Pro). What do you mean user agent? Also what requirements? OS 11.6.1

Requirements are basically that your Jamf Pro instance was new enough to properly manage the OS version and you meet that. If you're not aware of user agents then it shouldn't pose an issue in your environment. Essentially it's what your browser(s) reports to web servers as being this OS version and that browser version.  

I'm not sure how you're still being offered a quickadd though. You're going to https://myjamfproinstance.jamfcloud.com/enroll, right?

Perhaps provide some sanitized screenshots of your user initiated enrollment settings.

scottb
Honored Contributor

@vmaraschiello - if you use: https://mycompany.jamfcloud.com/enroll it would/should download a profile...to get QuickAdd now, one has to use a URL like this:

https://mycompany.jamfcloud.com/?type=quickadd

Is that what you're doing?