Jamf Nation Community

conor · ‎06-15-2017

Hi,

So with the changes in Sierra meaning that only 1 local account per machine is MDM enabled we have hit a wall.

As we did not have a Directory Service in place beforehand we are trialling JumpCloud. However their user provisioning appears to be that it creates a local user, so still not MDM enabled.

Does anyone know a way around this or if I am doing something wrong?

Thanks

conor · ‎06-16-2017

Looks like i may have solved this. need to remove mdm profile from old user with sudo jamf removeMDMProfile on account that isnt being used then running sudo jamf mdm -userLevelMdm on login.

View solution in original post

mpermann · ‎06-15-2017

@conor have a look at this it might provide you with some guidance.

conor · ‎06-15-2017

@mpermann Yeah ive read over that a couple of times. So we are not using DEP. but for some reason even running the sudo jamf mdm -userLevelMdm line doesnt appear to switch mdm status to the current user.

conor · ‎06-15-2017

edit. Double post

gregorymkeller · ‎06-15-2017

Conor,

Greg here from JumpCloud. Let us know if we can assist you with some Q & A on the local accounts we deploy/take ownership of on Sierra boxes. Our support team is also pretty fluent with Jamf (we have a ton of shared customers). I'd love to get a bit more color on what you're requiring vis-a-vis these accounts....e.g., why denoting them as MDM users is required for your use cases.

Give us a shout at support@jumpcloud.com

Thanks!
Greg

conor · ‎06-15-2017

@gregorymkeller Hi, so our set up is;

Admin account is deployed onto the system. this is for IT to go in and fix stuff if it goes wrong, as this is the first account it gets enabled in MDM by default.
Then standard user is deployed to the machine (this gets deployed via JumpCloud) as is it still classed as a local user it doesnt get MDM enabled. However we need this for app store app deployment for the user.

Ideally we need either, a dynamic way to switch MDM between the users or for JumpCloud to deploy directory users as mobile accounts similar to what Active Directory does i suppose.

gregorymkeller · ‎06-15-2017

@conor - The team took a look at this, this morning and I think that the article referenced above (e.g. https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts) is fairly telling. Meaning, only one local account user can be MDM-enabled on the box at a time. So, if a second local user account becomes MDM enabled on the computer, the first local user account is no longer MDM enabled.

It appears that in the article there may also be a known issue with the command listed not being able to appropriately switching the MDM status between accounts. I'd check in with the Jamf crew on this. If, for some reason, the command is functioning and it is having difficulty switching between two JumpCloud provisioned local accounts, then that is another use case we can work with Jamf on to test.

Greg

conor · ‎06-16-2017

@gregorymkeller Thanks for that, yeah thats what i was afraid of :( will have to find another way around this then i suppose

conor · ‎06-16-2017

Looks like i may have solved this. need to remove mdm profile from old user with sudo jamf removeMDMProfile on account that isnt being used then running sudo jamf mdm -userLevelMdm on login.

gregorymkeller · ‎06-16-2017

Strong work, @conor ! If you have any explicit steps you did (e.g. problem:solution), the JumpCloud team are happy to put those up on our KB as well to help others. Nice work!

Jamf Nation Community

Deploying users via JumpCloud in order to activate MDM