Posted on 07-15-2018 03:57 AM
Hi everybody,
I would like to know if you can help me with a problem that I have encountered.
We have a scope of users who are administrators of their computers (developer users).
As a result, we block access to the Profiles pane in System Preferences, so that they cannot uninstall the MDM profile (we install the MDM agent with a QuickAdd package).
The problem is that we have a few computers where the MDM needs to be approved (User Approved MDM process).
Is it possible to approve the MDM profile without access to the Profiles pane in System Preferences?
Maybe a workaround ?
Or, if it is not possible, is it possible to block the uninstallation of the MDM profile even for administrators?
Thank you for your help.
And I take this opportunity to say a big thank you to this community, which is so rich in information and has helped me so many times... Thank you very much.
Rani
Posted on 07-15-2018 08:56 AM
@glpi-ios, no, you cannot automate clicking the Approve button. You can't even remote control the Mac and click that button. Apple disallows that.
My advice is that you allow access to the Profiles pane.
Developers are smart. If they already have admin privileges, they can already partially or completely remove your management using Terminal. Blocking access to Profile is merely a speed bump and Googling for the correct Terminal command is trivial.
Instead, use Jamf Pro to audit your developers' Macs with a Smart Computer Group and have it email you a notification when the MDM profile gets removed. So long as you communicate with your developers that removing management is off-limits, it becomes a people/HR issue instead of a technical issue.
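One way to feed the audit described in the post above, as an added example that is not part of the original thread or Jamf's own code: a Jamf Pro Extension Attribute script that parses `profiles status -type enrollment` (macOS 10.13.4 and later) into a single label. The function names, the label strings, and the sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: Extension Attribute reporting MDM enrollment state.
# Function names and label strings are hypothetical, chosen for this example.

# Classify the text of `profiles status -type enrollment` (passed as $1).
classify_enrollment() {
    mdm_line=$(printf '%s\n' "$1" | grep -i '^MDM enrollment:' | head -n 1)
    case "$mdm_line" in
        *"Yes (User Approved)"*) echo "Enrolled (User Approved)" ;;
        *Yes*)                   echo "Enrolled (Not User Approved)" ;;
        *No*)                    echo "Not Enrolled" ;;
        # Older macOS, an error message, or an unexpected format.
        *)                       echo "Unknown" ;;
    esac
}

# Wrap the label in the <result> tags that Jamf Pro reads from an
# Extension Attribute script.
ea_result() {
    printf '<result>%s</result>\n' "$(classify_enrollment "$1")"
}

# Constructed sample outputs (not captured from a real Mac), used only
# when the script is run somewhere the `profiles` command is absent.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_REMOVED='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    ea_result "$(profiles status -type enrollment 2>&1)"
else
    ea_result "$SAMPLE_APPROVED"
fi
```

A Smart Computer Group whose criterion is this attribute not being "Enrolled (User Approved)" can then carry the email notification, and it also surfaces Macs that still need the approval step.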
Posted on 07-15-2018 11:12 AM
Another option would be to enroll the devices with DEP. DEP devices are enrolled automatically at Setup Assistant, and are user approved by default without additional action by the end users. DEP enrolled devices can also be enrolled with a non-removable MDM profile.
Posted on 07-25-2018 06:25 AM
Thanks for your answers...