Posted on 04-26-2018 07:12 AM
Our users on 10.13.4 are getting the following message when approving their MDM Profile...
The problem is, there is no remote session going on. They are trying to approve the MDM profile while sitting right in front of their laptop, using its own built-in keyboard and trackpad. The only way we can get them approved is to log in as root user and then it works.
Anyone else seen this and have a fix? I've already removed MDM profiles and re-enrolled into MDM and it makes no difference.
Posted on 04-26-2018 07:31 AM
Have you checked to see what processes are running?
Posted on 04-26-2018 07:41 AM
@bpavlov I've tried it immediately after a reboot with no apps open. The only possible process would be the ARD agent, but there was no remote connection to the admin console at that time.
Posted on 04-26-2018 07:53 AM
I can sit here with screen sharing active and still approve the MDM Profile on the Mac (on the actual Mac).
So something else is going on.
Do you have anything else like TeamViewer, etc. running?
Posted on 04-26-2018 08:01 AM
Nope. Nothing running. But logging in as root user, I am able to approve it.
Posted on 04-26-2018 10:26 AM
@ooshnoo - How about something that does cursor movement like "Jiggler"? I have this on mine and can test.
I got it to move the cursor, but it's not on the test Macs...
Might be worth a look?
Posted on 04-26-2018 06:50 PM
@scottb this is happening on freshly imaged machines, with nothing but a bare OS and Office 2016.
Posted on 04-26-2018 09:14 PM
Hmm. Strange one.
I encountered the same issue but later found out that it's due to LanSchool running in the background.
Posted on 05-01-2018 11:35 AM
I wonder if it's only allowing the originally created account to approve it. That would be incredibly dumb, but this is Apple and 10.13 we're talking about so insanely stupid ideas aren't exactly unexpected at this point.
Posted on 05-07-2018 09:59 AM
I am seeing the same behavior on a machine that does not have any remoting software installed or other tools of the kind.
However, after rebooting, we were able to approve the MDM, so this sounds like a process the machine thinks is trying to automate stuff.
Weird things, indeed.
Posted on 05-07-2018 12:42 PM
I have seen this on a few computers too. Just haven't had time to open a case or post here in JN.
~Scott
Posted on 05-15-2018 08:44 AM
Has anyone come up with a fix? I'm running into the exact same problem. I run as a non-admin user, and use a separate admin level account when credential prompts for installs and system modifications. I did use those credentials to install the MDM profile, so perhaps it's a mismatch between the account that installed the profile and the account that is trying to approve? If so, that's kludgy as heck. I'll try switching to the admin user interactively and report back how it goes.
Posted on 05-15-2018 08:53 AM
Well, for what it's worth, we discovered that Google Chrome or one of the installed extensions was the culprit of this strange behavior. The machine had a couple of extensions for Windows Remote Desktop and Citrix, so maybe it was one of those.
Posted on 05-16-2018 08:17 AM
Which takes us back to the claims that "nothing but the OS" are likely not true.
If anyone truly has this issue with ZERO added software, then it's an issue for sure.
Posted on 05-16-2018 08:21 AM
Totally true… It's interesting to figure out, though, that extensions on a browser are detected by this mechanism.
Posted on 05-24-2018 09:18 AM
Just ran into this same issue. Killed Google Chrome completely and the user was able to approve MDM.
Posted on 07-17-2018 06:38 PM
Another possibility is if MagicPrefs is loaded on the machine.
Kill the process in Activity Monitor and try again.
Posted on 08-01-2018 09:13 AM
Hey party people, here's a quick way to sort this:
Boot to safe mode (hold Shift @ boot), approve the profile.
Whatever Chrome extensions and other remote services you have won't load in safe mode.
This worked like a charm on two machines I had that were self-enrolled.
Posted on 08-02-2018 08:48 PM
I've seen at least 4-5 pieces of software cause this. I was going to start maintaining a list, but found that either a safe boot or a clean user account worked fine. Still, it's a royal PITA to walk clients through yet another hoop.
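A triage sketch for the situation discussed in this thread, added here as an example and not written by any poster: it reads the enrollment state and, if the profile is still unapproved, lists running processes whose names were mentioned in the thread. The suspect list, the function names, the sample data and the assumed `MDM enrollment: Yes (User Approved)` wording of `profiles status -type enrollment` output are assumptions of this example.

```shell
#!/bin/sh
# Process names mentioned in this thread (matched case-insensitively).
SUSPECTS='Google Chrome|TeamViewer|LanSchool|MagicPrefs|Jiggler'

# stdin: "pid command" lines. Prints only the lines naming a suspect.
find_suspects() {
    grep -Ei "$SUSPECTS" || true
}

# stdin: text of `profiles status -type enrollment`.
# Prints one of: approved, unapproved, not-enrolled.
mdm_state() {
    mdm_line=$(grep -i '^MDM enrollment:' || true)
    case "$mdm_line" in
        *"User Approved"*) echo approved ;;
        *Yes*)             echo unapproved ;;
        *)                 echo not-enrolled ;;
    esac
}

# $1 = process listing, $2 = enrollment status text.
report() {
    state=$(printf '%s\n' "$2" | mdm_state)
    echo "MDM state: $state"
    if [ "$state" != unapproved ]; then
        return 0
    fi
    hits=$(printf '%s\n' "$1" | find_suspects)
    if [ -n "$hits" ]; then
        echo "Quit these, then retry the approval at the console:"
        echo "$hits"
    else
        echo "No listed process running; try a reboot or safe boot."
    fi
}

# Constructed sample data (not captured from a real machine).
SAMPLE_PS='  312 /usr/sbin/cfprefsd agent
  845 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
  902 /Applications/MagicPrefs.app/Contents/MacOS/MagicPrefs
  950 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'
SAMPLE_STATUS='Enrolled via DEP: No
MDM enrollment: Yes'

report "$SAMPLE_PS" "$SAMPLE_STATUS"
# On a Mac, pass live data instead:
#   report "$(ps -axo pid=,command=)" "$(profiles status -type enrollment)"
```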
Posted on 08-14-2018 04:38 AM
@scottb here is the list you wanted to create...already made!!!
https://docs.google.com/spreadsheets/d/1IWrbE8xiau4rU2mtXYji9vSPWDqb56luh0OhD5XS0AM/edit#gid=0
Posted on 08-14-2018 08:20 AM
@ooshnoo - this is the table for KEXT whitelisting...the issue here is the computer not allowing local "approvals" of Profiles.
I looked thru the tabs, and didn't see anything regarding this one. Or am I blind?
Posted on 08-23-2018 11:32 AM
Just posting here to add to the knowledge - I was running into this issue and narrowed it down to Google Chrome thanks to this thread.
The offending extension? Google Play music.
Posted on 09-26-2018 01:22 PM
I had the same issue with some devices. @ebtech's solution works 100%.
Posted on 01-15-2019 09:10 AM
Killed Chrome & then tried to approve, and it worked like a charm!! Thanks all for your solution!!!!
Posted on 06-12-2020 05:30 PM
So I have been seeing this same thing. I assumed this was a new security feature with macOS whereby remote control can no longer approve MDM management. Is everyone here saying that it's not and it's actually a bug or some other app?
Is there no way I can spin up the update and approve the execution by terminal?
Posted on 06-12-2020 08:14 PM
@Maxalot It's not a bug, Apple intentionally blocks remote approval of MDM management. It must be approved by a local user via the GUI.
Posted on 08-02-2020 12:18 PM
@sdagley Yes, you are correct SD. So I figured out a way around this. We had several conference rooms and with the shelter at home due to Covid, no way to send someone there to click the button. I figured out a way to click the button and then adding the profile was trivial. However once Apple figures it out they will probably block the method. Wow. We are in August already. I hope everyone is ok and healthy.