Deploying users via JumpCloud in order to activate MDM

conor
New Contributor III

Hi,

So with the changes in Sierra meaning that only one local account per machine is MDM-enabled, we have hit a wall.

As we did not have a Directory Service in place beforehand, we are trialling JumpCloud. However, their user provisioning appears to create a local user, so it is still not MDM-enabled.

Does anyone know a way around this or if I am doing something wrong?

Thanks

1 ACCEPTED SOLUTION

conor
New Contributor III

Looks like I may have solved this. Need to remove the MDM profile from the old user with sudo jamf removeMDMProfile on the account that isn't being used, then run sudo jamf mdm -userLevelMdm on login.


9 REPLIES

mpermann
Valued Contributor II

@conor have a look at this; it might provide you with some guidance.

conor
New Contributor III

@mpermann Yeah, I've read over that a couple of times. So we are not using DEP, but for some reason even running the sudo jamf mdm -userLevelMdm line doesn't appear to switch MDM status to the current user.

conor
New Contributor III

Edit: double post.

gregorymkeller
New Contributor II

Conor,

Greg here from JumpCloud. Let us know if we can assist you with some Q & A on the local accounts we deploy/take ownership of on Sierra boxes. Our support team is also pretty fluent with Jamf (we have a ton of shared customers). I'd love to get a bit more color on what you're requiring vis-a-vis these accounts... e.g., why denoting them as MDM users is required for your use cases.

Give us a shout at support@jumpcloud.com

Thanks!
Greg

conor
New Contributor III

@gregorymkeller Hi, so our setup is:

The admin account is deployed onto the system. This is for IT to go in and fix stuff if it goes wrong; as this is the first account, it gets enabled in MDM by default.
Then the standard user is deployed to the machine (this gets deployed via JumpCloud); as it is still classed as a local user, it doesn't get MDM-enabled. However, we need this for App Store app deployment for the user.

Ideally we need either a dynamic way to switch MDM between the users, or for JumpCloud to deploy directory users as mobile accounts, similar to what Active Directory does, I suppose.

gregorymkeller
New Contributor II

@conor - The team took a look at this, this morning and I think that the article referenced above (e.g. https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts) is fairly telling. Meaning, only one local account user can be MDM-enabled on the box at a time. So, if a second local user account becomes MDM enabled on the computer, the first local user account is no longer MDM enabled.

It appears that in the article there may also be a known issue with the command listed not being able to appropriately switch the MDM status between accounts. I'd check in with the Jamf crew on this. If, for some reason, the command is functioning and it is having difficulty switching between two JumpCloud-provisioned local accounts, then that is another use case we can work with Jamf on to test.

Greg

conor
New Contributor III

@gregorymkeller Thanks for that; yeah, that's what I was afraid of :( Will have to find another way around this then, I suppose.

conor
New Contributor III

Looks like I may have solved this. Need to remove the MDM profile from the old user with sudo jamf removeMDMProfile on the account that isn't being used, then run sudo jamf mdm -userLevelMdm on login.
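The two-step workaround in the accepted solution, written up as a script for a login-triggered Jamf policy. This is an added example, not code from the thread, from Jamf, or from JumpCloud. It assumes the jamf binary lives at /usr/local/bin/jamf, that Jamf passes the logging-in username as the third script parameter (its standard policy parameter), and that the IT admin account is named "itadmin" (a placeholder; set ADMIN_ACCOUNT to the real name). The only jamf verbs used are the two from the post; the guard against the admin account exists so the policy never hands MDM back to the account nobody uses. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Jamf's or JumpCloud's own code): switch user-level MDM to
# the account that is logging in, using only the two commands from the thread.
# Assumptions: jamf at /usr/local/bin/jamf; ADMIN_ACCOUNT is a placeholder name.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-itadmin}"   # placeholder for the IT admin account
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands instead of running

# Run a command, or print it verbatim when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if this account should receive user-level MDM, 1 otherwise.
# Empty/loginwindow/root and the admin account are skipped so the policy
# never flips MDM back onto an account that is not in day-to-day use.
should_enable_for() {
    case "$1" in
        ""|root|loginwindow|"$ADMIN_ACCOUNT") return 1 ;;
        *) return 0 ;;
    esac
}

# Username currently at the console (macOS-specific; empty elsewhere).
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# The workaround from the thread: remove the existing MDM profile, then
# re-enable user-level MDM for the user who is logging in.
switch_mdm_to() {
    user="$1"
    if ! should_enable_for "$user"; then
        printf 'skipping user-level MDM for %s\n' "${user:-<none>}" >&2
        return 1
    fi
    run_cmd sudo "$JAMF_BIN" removeMDMProfile || return 1
    run_cmd sudo "$JAMF_BIN" mdm -userLevelMdm
}

# Entry point: Jamf passes mount point, computer name and username as $1-$3;
# when run by hand, fall back to whoever is at the console.
mdm_switch_main() {
    target="${3:-$(console_user)}"
    switch_mdm_to "$target"
}

mdm_switch_main "$@"
```

Attach the script to a policy with a login trigger scoped to the JumpCloud-provisioned Macs; a quick check afterwards is to confirm in the computer record that the standard user, not the admin account, now shows as the MDM-capable user.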

gregorymkeller
New Contributor II

Strong work, @conor! If you have any explicit steps you did (e.g. problem: solution), the JumpCloud team are happy to put those up on our KB as well to help others. Nice work!