Profiles cannot be approved while using remote or automated input methods...

ooshnoo
Valued Contributor

Our users on 10.13.4 are getting the following message when approving their MDM Profile...


The problem is, there is no remote session going on. They are trying to approve the MDM profile while sitting right in front of their laptop, using its own built-in keyboard and trackpad. The only way we can get them approved is to log in as root user and then it works.

Anyone else seen this and have a fix? I've already removed MDM profiles and re-enrolled into MDM and it makes no difference.

26 REPLIES

bpavlov
Honored Contributor

Have you checked to see what processes are running?

ooshnoo
Valued Contributor

@bpavlov I've tried it immediately after a reboot with no apps open. The only possible process would be the ARD agent, but there was no remote connection to the admin console at that time.

scottb
Honored Contributor

I can sit here with screen sharing active and still approve the MDM Profile on the Mac (on the actual Mac).
So something else is going on.
Do you have anything else like TeamViewer, etc. running?

ooshnoo
Valued Contributor

@scottb

Nope. Nothing running. But logging in as root user, I am able to approve it.

scottb
Honored Contributor

@ooshnoo - How about something that does cursor movement like "Jiggler"? I have this on mine and can test.
I got it to move the cursor, but it's not on the test Macs...
Might be worth a look?

ooshnoo
Valued Contributor

@scottb this is happening on freshly imaged machines, with nothing but a bare OS and Office 2016.

j_tanudjaja
New Contributor III

Hmm. Strange one.
I encountered the same issue but later found out that it's due to LanSchool running in the background.

McAwesome
Valued Contributor

I wonder if it's only allowing the originally created account to approve it. That would be incredibly dumb, but this is Apple and 10.13 we're talking about so insanely stupid ideas aren't exactly unexpected at this point.

bearzooka
Contributor

I am seeing the same behavior on a machine that does not have any remoting software installed or other tools of the kind.

However, after rebooting, we were able to approve the MDM, so this sounds like a process the machine thinks is trying to automate stuff.

Weird things, indeed.

scottlep
Contributor II

I have seen this on a few computers too. Just haven't had time to open a case or post here in JN.

~Scott

ostermmg
New Contributor

Has anyone come up with a fix? I'm running into the exact same problem. I run as a non-admin user, and use a separate admin level account when credential prompts for installs and system modifications. I did use those credentials to install the MDM profile, so perhaps it's a mismatch between the account that installed the profile and the account that is trying to approve? If so, that's kludgy as heck. I'll try switching to the admin user interactively and report back how it goes.

bearzooka
Contributor

Well, for what it's worth, we discovered that Google Chrome or one of the installed extensions was the culprit of this strange behavior. The machine had a couple of extensions for Windows Remote Desktop and Citrix, so maybe it was one of those.

scottb
Honored Contributor

Which takes us back to the claims that "nothing but the OS" are likely not true.
If anyone truly has this issue with ZERO added software, then it's an issue for sure.

bearzooka
Contributor

Totally true… It's interesting to figure out, though, that extensions on a browser are detected by this mechanism.

srisch
New Contributor

Just ran into this same issue. Killed Google Chrome completely and user was able to approve MDM.

retroroscoe
Contributor

Another possibility is if MagicPrefs is loaded on the machine.
Kill the process in Activity Monitor and try again.

ebtech
New Contributor

Hey party people, here's a quick way to sort this:

Boot to safe mode (hold Shift @ boot), approve the profile.

Whatever Chrome extensions and other remote services you have won't load in safe mode.

This worked like a charm on two machines I had that were self-enrolled.

scottb
Honored Contributor

I've seen at least 4-5 pieces of software cause this. I was going to start maintaining a list, but found that either a safe boot or a clean user account worked fine. Still, it's a royal PITA to walk clients through yet another hoop.
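
A pre-approval check built from what this thread reports, added here as an example and not posted by any participant: it reads the enrollment state from `profiles status -type enrollment` and lists running applications that posters named. The sample text is constructed, and matching the names as case-insensitive substrings of the process list is an assumption.

```shell
#!/bin/sh
# Applications named in this thread (reported culprits first, then the two
# that were only asked about). Substring matching is an assumption.
SUSPECTS='LanSchool
Google Chrome
MagicPrefs
TeamViewer
Jiggler'

# find_suspects: reads `ps -axo comm` text on stdin, prints each name found.
find_suspects() {
    procs=$(cat)
    printf '%s\n' "$SUSPECTS" | while IFS= read -r name; do
        if printf '%s\n' "$procs" | grep -qiF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# approval_state: reads `profiles status -type enrollment` text on stdin.
approval_state() {
    line=$(grep -i '^MDM enrollment:' | head -n 1)
    case "$line" in
        *"User Approved"*) echo approved ;;
        *Yes*)             echo not-approved ;;
        *)                 echo not-enrolled ;;
    esac
}

# Constructed sample input so the script runs offline.
SAMPLE_PS='/usr/sbin/cfprefsd
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
/Applications/MagicPrefs.app/Contents/MacOS/MagicPrefs
/usr/libexec/logd'
SAMPLE_STATUS='Enrolled via DEP: No
MDM enrollment: Yes'

report() {  # $1 = enrollment status text, $2 = process list text
    state=$(printf '%s\n' "$1" | approval_state)
    echo "MDM approval state: $state"
    if [ "$state" = not-approved ]; then
        echo "Quit these before approving in System Preferences:"
        printf '%s\n' "$2" | find_suspects | sed 's/^/  - /'
    fi
}
# Pass "live" as the first argument on a Mac to check the real machine.
if [ "${1:-}" = live ]; then
    report "$(profiles status -type enrollment)" "$(ps -axo comm)"
else
    report "$SAMPLE_STATUS" "$SAMPLE_PS"
fi
```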

ooshnoo
Valued Contributor

@scottb here is the list you wanted to create...already made!!!

https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0

scottb
Honored Contributor

@ooshnoo - this is the table for KEXT whitelisting...the issue here is the computer not allowing local "approvals" of Profiles.
I looked thru the tabs, and didn't see anything regarding this one. Or am I blind?

crogersgrazado
New Contributor II

Just posting here to add to the knowledge - I was running into this issue and narrowed it down to Google Chrome thanks to this thread.

The offending extension? Google Play Music.

jose_gutierrez
New Contributor II

I had the same issue with some devices. @ebtech's solution works 100%.

hafizulla_chitt
New Contributor III

Killed Chrome & then tried to approve; worked like a charm!! Thanks all for your solution!!!!

Maxalot
New Contributor III

So I have been seeing this same thing. I assumed this was a new security feature with macOS whereby remote control can no longer approve MDM management. Is everyone here saying that it's not and it's actually a bug or some other app?

Is there no way I can spin up the update and approve the execution by terminal?

sdagley
Esteemed Contributor II

@Maxalot It's not a bug, Apple intentionally blocks remote approval of MDM management. It must be approved by a local user via the GUI.

Maxalot
New Contributor III

@sdagley Yes, you are correct SD. So I figured out a way around this. We had several conference rooms and with the shelter at home due to Covid, no way to send someone there to click the button. I figured out a way to click the button and then adding the profile was trivial. However once Apple figures it out they will probably block the method. Wow. We are in August already. I hope everyone is ok and healthy.