Jamf mdm -userLevelMdm breaks DEP enrolment on Macs - WARNING

rickgmac
Contributor

So we have just been advised that the KB article regarding user-level MDM, which is needed to deploy VPP apps to lab machines or local users (https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts), will break DEP enrolment on Macs.

As we have found out, now that 10.13.4 has been released we need profiles for KEXT approval.

To be fair to Jamf, they did update the KB article to state the following.
Note: For computers with macOS 10.13.2 and later, this workflow for enabling MDM for local user accounts will reset any previous User Approved MDM Enrollments. If you use this as a part of existing ongoing workflows, you should evaluate the impact of these changes.

However, not having looked at the KB article for some time, I would have loved to see more about this in the release notes.

On the latest 10.3 version of the JSS they added an inventory collection item, Enrolled via DEP:

This is populated by running the command

profiles status -type enrollment

However, if you have at any point run the command jamf mdm -userLevelMdm

this will set your machine back to the equivalent of user-based enrolment.

Which means if you try to deploy a profile that requires user-approved or DEP enrolment, it will fail.

12 REPLIES

rickgmac
Contributor

So, as a concept to get a machine back into DEP enrolment status, I have done some basic testing to get it done as close to zero-touch as possible:

  1. Make sure the Global Settings > Re-enrollment options are all unticked and the drop-down is "Clean Nothing".

  2. Disable your policies which run the -userLevelMdm command.

  3. Create a new PreStage enrollment profile for re-enrollment:
    General > Don't require Auth
    General > Make MDM Profile Mandatory
    General > Skip All Steps on setup window
    Account Settings > Skip Account Creation

  4. Create a policy to remove /var/db/.AppleSetupDone and restart the machine.

  5. Upon restart you will go through the Setup Assistant and have to agree to as few things as possible.

  6. Once you have confirmed and re-enrolled all devices, you will want to change back the settings changed in item 1 and move the devices back to the original PreStage enrollment.
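Putting the two posts above into one script, as an added example that is not from the thread or from Jamf: it parses the output of `profiles status -type enrollment` (the command the first post says populates Enrolled via DEP) into one of a few states, reports whether the Mac is in the "user-based" state the first post warns about, and only when invoked with --apply performs step 4 of the procedure above (removing /var/db/.AppleSetupDone and restarting so the PreStage re-enrolls the machine). The two-line output format in the constructed samples, the state names, and the file name reenroll.sh are assumptions; steps 1 to 3 are still done in the Jamf console beforehand, and the script is meant to be run on the Mac as root.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): parse what
# "profiles status -type enrollment" reports on macOS 10.13.4+, and, only when
# invoked with --apply, perform step 4 of the re-enrollment procedure
# (remove /var/db/.AppleSetupDone, then restart so Setup Assistant runs and
# the PreStage re-enrolls the Mac). Steps 1-3 are done in the Jamf console first.
# Usage on the Mac, as root:  sh reenroll.sh --check   |   sh reenroll.sh --apply
# Assumption: the two-line output format shown in the constructed samples below.

# Constructed sample outputs (not captured from real machines), used for testing.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_RESET='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# field LABEL TEXT: print the value following "LABEL: " in TEXT (empty if absent)
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# enrollment_state TEXT: classify the profiles output as one of
#   dep        - Enrolled via DEP and user approved (what a DEP PreStage gives you)
#   uamdm      - user approved manually, but no longer marked Enrolled via DEP
#   unapproved - MDM enrolled but not user approved (what -userLevelMdm leaves behind)
#   none       - not MDM enrolled at all
enrollment_state() {
    dep=$(field 'Enrolled via DEP' "$1")
    mdm=$(field 'MDM enrollment' "$1")
    case "$mdm" in
        *"User Approved"*) approved=yes ;;
        Yes*)              approved=no ;;
        *)                 printf 'none\n'; return 0 ;;
    esac
    if [ "$dep" = Yes ] && [ "$approved" = yes ]; then
        printf 'dep\n'
    elif [ "$approved" = yes ]; then
        printf 'uamdm\n'
    else
        printf 'unapproved\n'
    fi
}

# needs_reenroll STATE: true (0) when profiles that need UAMDM or DEP would fail
needs_reenroll() {
    case "$1" in
        unapproved|none) return 0 ;;
        *)               return 1 ;;
    esac
}

# trigger_reenroll: step 4 of the procedure. Destructive: the Mac reboots into
# Setup Assistant. Only reached from main when --apply is given.
trigger_reenroll() {
    rm -f /var/db/.AppleSetupDone && shutdown -r now
}

main() {
    status=$(profiles status -type enrollment 2>/dev/null) || {
        echo "profiles status failed; this needs macOS 10.13.4 or later" >&2
        exit 2
    }
    state=$(enrollment_state "$status")
    echo "enrollment state: $state"
    if needs_reenroll "$state"; then
        if [ "$1" = --apply ]; then
            trigger_reenroll
        else
            echo "re-enrollment needed; rerun with --apply to remove .AppleSetupDone and restart"
        fi
    else
        echo "nothing to do"
    fi
}

# Only act when explicitly asked, so sourcing or testing the file is harmless.
case "${1:-}" in
    --check|--apply) main "$1" ;;
esac
```

Run it with --check first across the fleet (for example from a Jamf policy, logging the printed state) to see which Macs actually report the reset state before pushing --apply, since --apply sends the machine straight back through Setup Assistant.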

lashomb
Contributor II

@rickgmac Do you know if there is an open PI on this, or is the "Here be Dragons" disclaimer in the KB all we will see on this?

dgreening
Valued Contributor II

So, this is not DEP specific: running "jamf mdm -userLevelMdm" on a 10.13.x Mac which has UAMDM enabled will RESET the UAMDM status. 'Effing hell, Jamf and Apple! HELL!

fsjjeff
Contributor II

Wow... just wow...

This past year I really feel like Apple has lost the plot on macOS..

UAMDM, kext blocking, deprecation of imaging, deprecation of OS X Server and SUS, firmware updates only installable through the macOS installer, encouragement to abandon AD, Configuration Profiles that trade the subtlety of MCX with its Once, Often, Always for the blunt knife they've become... After spending the past couple of months trying to plan our migration of 3500 Macs to High Sierra over the summer, this will be the first time in over a decade that we will be redeploying the previous year's OS. Even worse, we're starting to think about abandoning the platform altogether as it's getting almost impossible to manage with any kind of predictability.

triding
New Contributor III

What a SHAMBLES!!! Please JAMF, provide an easy fix that we can push out for this..... it's a DEP disaster.

UESCDurandal
Contributor II
So, this is not DEP specific: running "jamf mdm -userLevelMdm" on a 10.13.x Mac which has UAMDM enabled will RESET the UAMDM status. 'Effing hell, Jamf and Apple! HELL!

It also appears to change Enrolled via DEP from Yes to No for our DEP-enrolled Macs when our first local admin user is logged in for the first time and a VPP app is deployed automatically. We've had to turn off automatic VPP app installation altogether until we figure out a workaround.

It seems to me that the issue stems from our first local admin user not getting classified as "MDM Capable" at creation by the pre-stage enrollment.

j_s_
New Contributor II

Has anyone identified an alternative to the jamf mdm -userLevelMdm command to apply user-level config profiles?

analog_kid
Contributor

I've had about half of my 10.13 systems enrolled via DEP lose their "Enrolled via DEP" status in Jamf inventory. I also have a single VPP app automatically deployed to all systems but I honestly don't know what variables are contributing to this problem. End result is this is beyond annoying.

UESCDurandal
Contributor II

My issues were originating from VPP apps set to automatically install while our local admin was logged in. We fixed this by adding our local admin account to the exclusion list for these VPP apps.

Kaltsas
Contributor III

@analog_kid are the clients losing UAMDM status logging in with local users?

analog_kid
Contributor

@Kaltsas I minimized the conditions that cause the issue in the first place since I posted. But even so, I've seen it positively occur since then. Luckily we aren't reliant on local users and use Mobile users mostly.

Sonic84
Contributor III

Any updates? This is a problem now that Supervision is a thing on macOS.