High Sierra and Quick-add package. Need physical action?

astiephi
New Contributor III

Hi all,

I just created a QuickAdd package with Recon, signed with my wildcard certificate, deployed to a few machines with ARD.

Pre High-Sierra machines (10.11 and 10.12) are enrolled, the MDM profile is properly signed and available. No problem.

In 10.13 (.2 beta I have to say), it enrolls, the profile is installed, but... this needs to be approved, and this needs to be done PHYSICALLY with a keyboard on the machine, so... you cannot do it via any remote control.

What am I missing? How can we do this?

I guess this would not happen if using DEP?

(at least, the JAMF binary seems fully functional)


40 years of Apple Experience... but not that old ! :)
7 REPLIES

chriscollins
Valued Contributor

Yes. This is an intentional change by Apple coming in 10.13.2. If it is enrolled with DEP it automatically is considered “approved”.

Requiring physical input to approve is also intentional.

astiephi
New Contributor III

OK... I understand the idea, but this will be a headache for headless servers!

Or we have to be sure that proper IP KVMs are in place.


MatG
Contributor III

Not really happy with this. Apple's answer is to use DEP, but for us at this time it's not an option. DEP is not even supported worldwide yet, so I don't really see why Apple are even taking that approach.

astiephi
New Contributor III

Keep in mind, it's in 10.3.2 beta. So still time to raise concerns.


MatG
Contributor III

Yep, concerns raised to Apple on this already.

iJake
Valued Contributor

I encourage everyone that has not already done so to reach out to your Apple team and let them know how poor and shortsighted this change is without proper lead time, feedback, and most importantly DEP not being nearly useless.

dgreening
Valued Contributor II

I raised this with our SE! Everyone please do the same! We can't leverage DEP right now, and can't have users opting out of Config Profiles which control security compliance!