macOS 10.13.2 and "User Approved MDM enrollment"

Winterhalter
New Contributor III

Per the newly issued Apple Doc https://support.apple.com/en-us/HT208019 , any new enrolls I have for clients running macOS 10.13.2 need the MDM Profile to be "approved" by a user (any user!) in order to have full functionality.

Is this something that JAMF Pro will be able to work around? (I'm on 9.81 at the moment) Is the only real "solution" to this enrolling in DEP? (the distributed nature of our organization makes DEP annoying at best) This seems like a case of Apple creating a problem that DEP is the solution for.

The profile functionality being disabled is listed in the following screenshots.


AHolmdahl
New Contributor III

We have a policy that runs once a day scoped to a smart group "NEEDS MDM user approval" (Advanced criteria "User Approved MDM" is "No" )

It runs the following script:

#!/bin/sh

# Name of the user at the console; empty at the login window
User=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Nothing to prompt if nobody is logged in
[ -n "$User" ] || exit 0

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns"
description="Please approve the profile: MDM Profile"

# Open Profiles in System Preferences
open /System/Library/PreferencePanes/Profiles.prefPane

# Display JamfHelper dialog (as user to avoid errors)
Dialog=$(/bin/launchctl asuser "$(id -u "$User")" sudo -u "$(ls -l /dev/console | awk '{print $3}')" "$jamfHelper" -windowType hud -icon "$icon" \
    -title "IT department" -heading "APPROVE MDM" -description "$description" -button1 "OK" -defaultButton "1" -lockHUD)

sleep 60 # Wait for possible approval

# Do a recon only if user has approved the MDM
profiles status -type enrollment | grep "Approved" >/dev/null 2>&1 && jamf recon

exit 0

foreverkan
New Contributor III

How could you create a smart group based on a script's answer?

If the script runs as part of an extension attribute, the output of the script can be saved in the inventory record.
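
Added example (not code from this thread): an extension attribute script of the kind described above, which classifies the output of `profiles status -type enrollment` and wraps the result in the `<result>` tags Jamf reads into the inventory record, so a smart group can be scoped on it. The output format assumed here is the two-line form macOS prints (`Enrolled via DEP:` and `MDM enrollment:`), and the sample texts are constructed, not captured from a real Mac.

```shell
#!/bin/bash
# Added example (not from this thread): a Jamf extension attribute that reports
# the User Approved MDM state so a smart group can be scoped on it.
# Assumed output format of `profiles status -type enrollment` (constructed sample):
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)

# Classify enrollment status text read from stdin. Prints exactly one of:
#   Approved | Enrolled, not approved | Not enrolled
classify_enrollment() {
    local text
    text=$(cat)
    case "$text" in
        *"MDM enrollment: Yes (User Approved)"*) echo "Approved" ;;
        *"MDM enrollment: Yes"*)                 echo "Enrolled, not approved" ;;
        *)                                        echo "Not enrolled" ;;
    esac
}

# Report whether the Mac was enrolled through DEP, from the same text.
dep_enrolled() {
    local text
    text=$(cat)
    case "$text" in
        *"Enrolled via DEP: Yes"*) echo "Yes" ;;
        *)                         echo "No" ;;
    esac
}

# Extension attribute body: Jamf stores whatever sits between the <result> tags.
ea_result() {
    local status=""
    if [ -x /usr/bin/profiles ]; then
        status=$(/usr/bin/profiles status -type enrollment 2>/dev/null)
    fi
    # No profiles binary (not macOS) or no output is reported as not enrolled
    printf '<result>%s</result>\n' "$(printf '%s' "$status" | classify_enrollment)"
}

# Constructed samples used to exercise the classifier offline.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

ea_result
```

Paste the body into a script-type extension attribute with a string result, then build the smart group on that attribute equal to "Enrolled, not approved"; the attribute refreshes on each recon, which is why the prompt script above runs `jamf recon` once approval is detected.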

bjones
New Contributor III

@AHolmdahl First off, great post above to assist with users being able to be notified and quickly remediate the issue. I have a question based on some weirdness that is happening with most of my devices. When I run this policy, systems are failing with the following error:
LSOpenURLsWithRole() failed with error -10810
when trying to open System Preferences > Profiles. Have you run into this issue? And if so, is there an edited version of this which will just pop up the notification and an OK, possibly removing the approval and the pop-up of System Preferences?

daniel_behan
Contributor III

I have a Self Service policy set that will either re-enroll via DEP or prompt the end user to manually approve MDM. At first the profiles -N command appeared to work intermittently, but a ticket with AppleCare showed that the end user needs to be local admin at the time of re-enrollment.

#!/bin/bash
user=$(/usr/bin/who | /usr/bin/awk '/console/{ print $1 }')
adminneeded=$(/usr/bin/dsmemberutil checkmembership -U "$user" -G admin)
DEPURL="https://mycompanyURL"
DEPAssigned=$(/usr/bin/profiles show -type enrollment | grep ConfigurationURL | cut -d '"' -f2)
OS=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,5)}')
grantedAdmin="no"

# Temporarily grant admin rights to a standard user for enrollment;
# leave the rights intact if the account is already elevated
if [[ "$adminneeded" == *not* ]]; then
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    grantedAdmin="yes"
fi

# Lexical compare: fine for telling 10.12 from 10.13
if [[ "$OS" < "10.13" ]]; then
    # Pre-10.13: re-enroll with an invitation and nag for DEP
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
    /usr/local/jamf/bin/jamf mdm -userLevelMdm
    /usr/libexec/mdmclient dep nag
elif [[ "$DEPAssigned" == "$DEPURL" ]]; then
    # Assigned to our DEP server: re-enroll via DEP
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/bin/profiles -N
else
    # Not in DEP: re-enroll with an invitation and open the Profiles pane for manual approval
    /usr/local/jamf/bin/jamf removeMDMProfile
    /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID && /usr/local/jamf/bin/jamf recon -endUsername "$user"
    /usr/local/jamf/bin/jamf mdm -userLevelMdm
    /usr/bin/osascript -e 'tell application "Finder"
        activate
        open document file "Profiles.prefPane" of folder "PreferencePanes" of folder "Library" of folder "System" of startup disk
    end tell'
fi

# Remove the temporary admin rights again
if [[ "$grantedAdmin" == "yes" ]]; then
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
fi
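
Added example (my own code, not daniel_behan's script): two helpers for a re-enrollment policy like the one above. A string comparison such as `[[ "$OS" < "10.13" ]]` compares character by character, so "10.9" sorts after "10.13" and a 10.9 Mac would take the 10.13 branch; `version_cmp` compares the fields numerically instead. `grant_temp_admin` records the elevation and registers an EXIT trap so the user is demoted again even if a later command fails and the script aborts before its own cleanup line. The invitation ID and DEP URL are the placeholders from the post; the macOS commands only run on a Mac.

```shell
#!/bin/bash
# Added example (not from this thread). Helpers for a re-enrollment policy:
# numeric version comparison and a temporary admin grant with guaranteed cleanup.

# Print lt, eq or gt for dotted version strings $1 and $2 (up to four fields;
# missing or empty fields count as 0, so "10.9." and "10.9.0" are equal).
version_cmp() {
    local a="$1." b="$2." i x y
    for i in 1 2 3 4; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
        if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    done
    echo eq
}

TEMP_ADMIN_USER=""

# Demote the temporarily elevated user, if there is one. Safe to call twice.
revoke_temp_admin() {
    [ -n "$TEMP_ADMIN_USER" ] || return 0
    /usr/sbin/dseditgroup -o edit -d "$TEMP_ADMIN_USER" -t user admin
    TEMP_ADMIN_USER=""
}

# Elevate $1 only if it is not already an admin, and make sure the elevation is
# undone when the script exits for any reason (error, kill, early exit).
grant_temp_admin() {
    if /usr/bin/dsmemberutil checkmembership -U "$1" -G admin | grep -q "not a member"; then
        /usr/sbin/dseditgroup -o edit -a "$1" -t user admin || return 1
        TEMP_ADMIN_USER="$1"
        trap revoke_temp_admin EXIT
    fi
    return 0
}

# Pick the branch the post's script chooses, from the OS version and whether the
# DEP ConfigurationURL matches this JSS. Prints pre-10.13, dep or manual.
enrollment_branch() {
    local os="$1" dep_assigned="$2" dep_url="$3"
    if [ "$(version_cmp "$os" 10.13)" = lt ]; then
        echo "pre-10.13"
    elif [ "$dep_assigned" = "$dep_url" ]; then
        echo "dep"
    else
        echo "manual"
    fi
}

# Runs only on a Mac; elsewhere the helpers are just defined for reuse.
if [ -x /usr/sbin/dseditgroup ]; then
    user=$(/usr/bin/stat -f '%Su' /dev/console)
    os=$(/usr/bin/sw_vers -productVersion)
    dep_url="https://mycompanyURL"   # placeholder from the post
    dep_assigned=$(/usr/bin/profiles show -type enrollment | grep ConfigurationURL | cut -d '"' -f2)
    grant_temp_admin "$user" || exit 1
    case "$(enrollment_branch "$os" "$dep_assigned" "$dep_url")" in
        dep) /usr/local/jamf/bin/jamf removeMDMProfile && /usr/bin/profiles -N ;;
        *)   # pre-10.13 and manual branches: the post's invitation enrollment goes here
             /usr/local/jamf/bin/jamf removeMDMProfile && \
             /usr/local/jamf/bin/jamf enroll -invitation myJSSInvitationID ;;
    esac
    revoke_temp_admin
fi
```

The trap is the part worth keeping even if the rest is adapted: a standard user who is left in the admin group because `jamf enroll` errored out and the script stopped is a quiet privilege escalation that no later policy will notice.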

CorpIT_eB
Contributor II

@daniel.behan does this work if an enrollment MDM profile failed after enrollment?

I am having this issue: if a user does not sign in right away, the main MDM will not install on the machine, and it will not let me add the profile without having to re-image the machine, which is a real PITA!

The challenge I am facing is putting in the correct time hooks, as some are faster than others.

Thanks

daniel_behan
Contributor III

@CorpIT_eB It usually works as long as there are no other MDM issues, or if a tech uses the "Remove MDM Profile" Management command. In some cases, I've had to clear the apsd.keychain from /Library/Keychains

TimT
Contributor

@AHolmdahl Have tried your script in testing however upon clicking OK from the nag pop up System Prefs never opens, it bounces for a minute or so then stops bouncing and needs to be force quit.

Any suggestions?

Cheers

awueschinski
New Contributor II

@TimT I am running into the same issue. It appears that com.apple.preferences.configurationprofiles.remoteservice has to be launched as well for the Profile pane to open successfully without having to force quit. I am struggling to find the command to open it alongside the /System/Library/PreferencePanes/Profiles.prefPane

@AHolmdahl Do you happen to have any suggestions or a way to launch that process alongside the Profile pane to open it up successfully? I recently took over the company's Jamf and half of them are still pending approval, making it difficult to push user approved kernel extensions.

Any suggestions are much appreciated.

Thanks!

arivera
New Contributor III

@awueschinski The way I was able to do this successfully was by running it as the currently logged in user. I have seen the issue where Profiles just bounces and this is what fixed it for me, here is a simple example.

#!/bin/sh
consoleuser=`/bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4`
sudo -u $consoleuser open /System/Library/PreferencePanes/Profiles.prefPane

Give it a try and let me know if it works!

P_Featherstonha
New Contributor III

Hi there - I am trying to use the following script to see if I can get MDM Approval working for end-users (just early testing stages) and I am getting the following error: Expected expression but found unknown token

!/bin/sh

consoleuser=/bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4
sudo -u $consoleuser open /System/Library/PreferencePanes/Profiles.prefPane

Any help would be greatly appreciated :)

talkingmoose
Moderator

@P.Featherstonhaugh, found a couple of things and fixed them. Needed a proper shebang on line 1 that included the pound symbol (hash). Also, when running commands and assigning their results to a variable, you need to include them in $( ).

The following works for me here.

#!/bin/sh
consoleuser=$( /bin/ls -la /dev/console | /usr/bin/cut -d " " -f 4 )
sudo -u $consoleuser open /System/Library/PreferencePanes/Profiles.prefPane
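
Added example (my own code, not talkingmoose's or arivera's): the same "open the pane as the console user" idea, with the two things the snippets above skip. `ls -l /dev/console | cut -d " " -f 4` only returns the owner because macOS pads the link-count column with two spaces; `awk '{print $3}'` (or `stat -f %Su`) does not depend on that padding. The script also refuses to run when the console belongs to `loginwindow`, `_mbsetupuser` or root, and launches `open` inside the user's session with `launchctl asuser`. The sample `ls` lines and the user name alice are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): find the console user robustly, refuse to
# act when nobody real is logged in, and open the Profiles pane in that user's
# GUI session. Sample lines and names are constructed for illustration.

# Extract the owner from one line of `ls -l /dev/console`. awk splits on runs of
# whitespace, so it is immune to the column padding that makes
# `cut -d " " -f 4` return a different field when the spacing changes.
owner_from_ls_line() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Console user: stat needs no parsing on macOS; fall back to the ls line elsewhere.
console_user() {
    if [ "$(uname -s)" = Darwin ]; then
        /usr/bin/stat -f '%Su' /dev/console
    else
        owner_from_ls_line "$(ls -l /dev/console)"
    fi
}

# True only for an interactive user: not empty, not root, and not one of the
# accounts that own the console at the login window or in Setup Assistant.
is_real_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Open the Profiles pane inside the console user's session (launchctl asuser)
# rather than from root's context, which is what leaves the Dock icon bouncing.
open_profiles_pane() {
    local user="$1" uid
    is_real_user "$user" || { echo "no user at the console; try again later" >&2; return 1; }
    uid=$(id -u "$user") || return 1
    /bin/launchctl asuser "$uid" sudo -u "$user" \
        open /System/Library/PreferencePanes/Profiles.prefPane
}

# Constructed ls lines: the first has macOS-style padding, the second does not.
SAMPLE_LS_PADDED='crw--w----  1 alice  tty    0,   0 Jan  1 12:00 /dev/console'
SAMPLE_LS_PLAIN='crw--w---- 1 alice tty 0, 0 Jan 1 12:00 /dev/console'

if [ "$(uname -s)" = Darwin ]; then
    open_profiles_pane "$(console_user)"
fi
```

Run it from a policy triggered at check-in; when the console belongs to `loginwindow` the function returns 1 and the policy can simply retry on the next trigger instead of spawning a pane nobody can see.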

mani2care
Contributor

try like this

tell application "System Preferences" to quit
tell application "System Preferences" to activate

tell application "System Events"
    tell application process "System Preferences"
        set currentWindow to name of window 1
        if currentWindow does not contain "Profiles" then
            click button "Show All" of group 1 of group 2 of toolbar 1 of window 1
            delay 2
            click button "Profiles" of scroll area 1 of window "System Preferences"
            delay 2
        end if

        tell window "Profiles"
            tell scroll area 2
                repeat with aRow in row of table 1
                    if value of static text of UI element 1 of aRow starts with "MDM Profile" then
                        select aRow
                        delay 1
                    end if
                end repeat
            end tell
            click button "Approve…" of scroll area 1
            click button "Approve" of sheet 1
        end tell
    end tell
end tell
tell application "System Preferences" to quit

save as an MDMapprove.scpt file and run via Terminal: osascript (file path)

make sure Terminal and Script Editor are added under Accessibility - tested manually, not yet via Jamf

if running via Jamf you can create a configuration profile via PPPC to enable Terminal and Script Editor under Accessibility