Posted on 11-11-2017 08:22 AM
Hi all,
I just created a QuickAdd package with Recon, signed with my wildcard certificate, deployed to a few machines with ARD.
Pre-High Sierra machines (10.11 and 10.12) are enrolled, the MDM profile is properly signed and available. No problem.
In 10.13 (.2 beta I have to say), it enrolls, the profile is installed, but... this needs to be approved, and this needs to be done PHYSICALLY with a keyboard on the machine, so... you cannot do it via any remote control.
What am I missing? How can we do this?
I guess this would not happen if using DEP?
(at least, the JAMF binary seems fully functional)
Posted on 11-12-2017 06:28 PM
Yes. This is an intentional change by Apple coming in 10.13.2. If it is enrolled with DEP it automatically is considered “approved”.
Requiring physical input to approve is also intentional.
Posted on 11-12-2017 10:25 PM
OK.... I understand the idea, but this will be a headache for headless servers!
Or we have to be sure that proper IP KVMs are in place.
Posted on 11-13-2017 02:42 AM
Not really happy with this. Apple's answer is to use DEP, but for us at this time it's not an option. DEP is not even supported worldwide yet, so I don't really see why Apple are even taking that approach.
Posted on 11-13-2017 03:28 AM
Keep in mind, it's in 10.3.2 beta. So still time to raise concerns.
Posted on 11-13-2017 04:29 AM
Yep, concerns raised to Apple on this already.
Posted on 11-13-2017 12:19 PM
I encourage everyone that has not already done so to reach out to your Apple team and let them know how poor and shortsighted this change is without proper lead time, feedback, and most importantly DEP not being nearly useless.
Posted on 11-13-2017 12:24 PM
I raised this with our SE! Everyone please do the same! We can't leverage DEP right now, and can't have users opting out of Config Profiles which control security compliance!