MDM profiles not applying to non-DEP mac after upgrade to High Sierra

timlings
Contributor

We have upgraded some of our Macs to High Sierra from Sierra, but once they have upgraded none of the MDM profiles seem to work. If we wipe and set up the Macs again (this time using DEP), they are able to run High Sierra fine without any issues with profiles not applying.

Could the issue be to do with the fact that the SSL certificate on our Jamf Pro instance is self-signed?


Brad_G
Contributor II

On a non-DEP enrolled machine, look at System Preferences under Security and Privacy. Is there an option to allow the MDM profile to be applied (similar to the allow 3rd party kernel extensions in High Sierra)? I think there was another topic here on Jamf Nation a while back during beta evaluations.

jmahlman
Valued Contributor

Someone can correct me if I'm wrong but user accepted MDM does not stop the installation of config profiles, it only stops the ability to bypass UAKEL.

mike_paul
Contributor III

If your SSL was self-signed it would work for DEP or other means of enrolling into MDM as MDM requires a signed

If the SSL certificate is created and signed by the JSS Certificate Authority it does work for MDM as long as trust is established to the built-in Certificate Authority (an untrusted issuer), which it does with the Anchor certificate in the DEP prestage or during enrollment as long as you don't have the checkbox enabled for Settings>Global Management>User Initiated Enrollment>General>"Skip certificate installation during enrollment". Some of the cert differences are listed here: https://www.jamf.com/blog/enhancements-to-certificate-security-for-mdm-enrollment/

@Brad_G is correct that you will see the 'Approve' button on 10.13+ for the MDM profile if it was enrolled via any means other than DEP at this time, but the MDM is still there and works for deploying profiles regardless of whether it's approved or not. As @jmahlman stated, nothing in High Sierra around User Approved MDM should stop config profiles from coming out until Apple enforces UAKEL till Spring 2018 per https://support.apple.com/en-us/HT208019.

While on the computer that was just upgraded and not wiped to go through DEP, if you run sudo jamf mdm -verbose, what does it show? Are you seeing the MDM profile come down but not other configuration profiles?
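As an added example (not part of this post or of Jamf's own tooling), a small shell helper that classifies the enrollment states discussed above from the output of `profiles status -type enrollment`; it assumes macOS 10.13.4 or later, where that subcommand exists, and the sample outputs below are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment from the two lines printed by
# `profiles status -type enrollment` (assumed format, macOS 10.13.4+):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | Yes | No
# Prints one of: not-enrolled, dep-approved, user-approved, unapproved, unknown.
classify_enrollment() {
    # $1: the full text as printed by the profiles command
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        No*)
            echo "not-enrolled" ;;
        Yes*"User Approved"*)
            # Approved MDM: distinguish DEP (auto-approved) from a manual approval
            if [ "$dep" = "Yes" ]; then echo "dep-approved"; else echo "user-approved"; fi ;;
        Yes*)
            # MDM profile is installed but nobody has clicked 'Approve' yet;
            # per the thread, config profiles should still deploy in this state
            echo "unapproved" ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample outputs (assumed format, not real machine output)
SAMPLE_DEP="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_UPGRADED="Enrolled via DEP: No
MDM enrollment: Yes"
SAMPLE_NONE="Enrolled via DEP: No
MDM enrollment: No"

# On a real Mac, run against the live output; elsewhere fall back to the samples.
if command -v profiles >/dev/null 2>&1; then
    classify_enrollment "$(profiles status -type enrollment 2>/dev/null)"
else
    classify_enrollment "$SAMPLE_UPGRADED"
fi
```

An in-place upgrade like the one in the question would be expected to land in the "unapproved" bucket, which, as stated above, does not by itself block configuration profiles.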

timlings
Contributor

Upon further investigation, if I upgrade a non-DEP machine via Internet Recovery (holding down alt+cmd+R after restart), the machine upgrades fine and everything seems to work (even AD binding!). Maybe we're a couple of point releases on (now on 10.13.2), which has fixed some of these quirks?

I will give it a try on a few more machines to see if it keeps on working...