quickadd.pkg with High Sierra

tcandela
Valued Contributor II

When I enroll a computer running a fresh installation of 10.13 using the quickadd.pkg and then check 'Profiles' in System Preferences, the MDM profile has the yellow alert icon and the description says

functionality may be limited until this profile is approved

So I manually approve it. Has anyone else seen this?

1 ACCEPTED SOLUTION

RLim945
New Contributor III

Yep, it's a new security measure by Apple, called UAMDM:

https://support.apple.com/en-us/HT208019

tcandela
Valued Contributor II

@RLim945 that link you have doesn't send me anywhere

I found this: uamdm

So basically I'll have to manually approve it.

yoopersteeze
New Contributor II

@tcandela Yes, you 100% have to manually approve it. ARD cannot approve it, Jamf Remote cannot, scripts cannot. The user has to. It's like Supervision for macOS.

tobiaslinder
Contributor II

This is only required if on a Mac whose MDM enrollment is not done through DEP. Since you can already manage security-sensitive settings on devices whose MDM enrollment is performed via DEP, User Approved enrollment is unnecessary for these devices.

ahovsepyan
New Contributor

Tobias, that would be amazing if it was working that way, but unfortunately with our DEP enrolled systems we are still seeing that accept button on the profile at the client side.

tobiaslinder
Contributor II

@ahovsepyan It's not me making this up. This is directly from the official Apple website:

https://support.apple.com/en-us/HT208019

So you should probably look into the matter with Jamf Support. Perhaps something is wrong with your DEP setup.

marklamont
Contributor III

@tobiaslinder check the link you posted, the actual URL is this discussion

ammonsc
Contributor II

I have some users that will do the enrollment themselves and struggled with how to complete that part. I use this script to kindly ask them to do it for me.

#!/bin/bash

# This script displays a message that lets the user know that
# enrollment has finished. It is set
# to the lowest priority to ensure that it runs last after all
# other scripts and policy actions.

# Open the Profiles pane so the MDM profile (and its Approve button) is in view
open /System/Library/PreferencePanes/Profiles.prefPane
sleep 3

# Determine OS minor version (e.g. 13 for 10.13)
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')

dialog="Your Mac has now been enrolled in the AEP JAMF MDM Solution. Please approve the MDM Profile to continue. After you have approved the profile, please restart your machine at your earliest convenience."
description="$dialog"
button1="OK"
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns"

# Use jamfHelper on 10.6 and earlier, jamf displayMessage on 10.7 and later
if [[ ${osvers} -lt 7 ]]; then
  "$jamfHelper" -windowType utility -description "$description" -button1 "$button1" -icon "$icon"
else
  jamf displayMessage -message "$dialog"
fi

exit 0

obing
New Contributor III

So this fundamentally changes quickadd to a two-step process? I have to run the quickadd package, enter admin creds, then have the user go to Profiles and click Approve? Does JAMF have an official answer on this?

howie_isaacks
Valued Contributor II

Thanks for the script @ammonsc! This is very helpful. I will use this with my remote users.

obing
New Contributor III

So just to confirm again - this doesn't seem to be in the latest documentation - how does JAMF advise customers to address this approval step for non-DEP machines? Quickadd used to be a one-step solution - now it's multiple steps. JAMF? Any feedback here?

gachowski
Valued Contributor II

@obing,

Join the beta program... and I'm not 100% sure any MDM provider can do anything ... The real hope is that Apple allows us to add machines to DEP just like iPhones.

C

alexjdale
Valued Contributor III

Apple has built this to require either DEP or a user to physically click the button. Currently, JAMF can't do much about it, but based on the 10.3 beta info they've revealed I think they are building an approval step into the enrollment process. I don't know what that looks like, but it might just be beating the user over the head until they click the button and proceed.

On my end, I'm going to have to restrict everything in Self Service to require MDM approval via policy scoping. Conditional Access, basically, where literally nothing can happen until it's approved. I hope JAMF builds this into the product with a UI/UX that is designed to support that with good messaging to the user.

ammonsc
Contributor II

"I'm going to have to restrict everything in Self Service to require MDM approval via policy scoping."

@alexjdale What are you using to scope this? Currently I have my script set as part of a Post Enrollment policy. But, I would like this to continue to run if the user has not approved it.
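
Following ammonsc's script above and the question of how to keep asking until the user has actually approved the profile (and tobiaslinder's point that DEP-enrolled Macs are treated differently), here is an added example; it is my own code, not ammonsc's script or anything from Jamf. It assumes `profiles status -type enrollment` is available (assumed to be 10.13.4 or later) and that its output contains lines of the form `Enrolled via DEP: No` and `MDM enrollment: Yes (User Approved)`; that exact wording is an assumption, not taken from the thread. The parsing is split out from the live check so the state detection can be exercised on captured output without a Mac.

```shell
#!/bin/bash
# Added example, not from the thread. Checks whether the MDM profile is
# user approved (UAMDM) and, if not, re-opens the Profiles pane and asks
# again, instead of prompting only once at enrollment time.
#
# Assumption: macOS 10.13.4 or later, where `profiles status -type enrollment`
# prints lines such as
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)
# The wording of those lines is assumed here, not quoted from the thread.

# Read `profiles status -type enrollment` output on stdin and print one of:
#   approved  - MDM profile present and user approved
#   pending   - MDM profile present, approval still required
#   none      - no MDM enrollment reported
mdm_state() {
  local line state="none"
  while IFS= read -r line; do
    case "$line" in
      "MDM enrollment: Yes (User Approved)"*) state="approved" ;;
      "MDM enrollment: Yes"*)                 state="pending" ;;
      "MDM enrollment: No"*)                  state="none" ;;
    esac
  done
  echo "$state"
}

# Read the same output and print "yes" if the Mac reports DEP enrollment,
# else "no". Used only for logging here (useful as an extension attribute).
dep_enrolled() {
  local line answer="no"
  while IFS= read -r line; do
    case "$line" in
      "Enrolled via DEP: Yes"*) answer="yes" ;;
    esac
  done
  echo "$answer"
}

# Live check for a Jamf policy: re-prompt up to $1 times (default 5),
# waiting $2 seconds (default 60) between prompts. Exit codes:
# 0 approved, 1 still pending after all tries, 2 not enrolled.
prompt_until_approved() {
  local max_tries="${1:-5}" wait_secs="${2:-60}" tries=0 status
  while [ "$tries" -lt "$max_tries" ]; do
    status=$(profiles status -type enrollment 2>/dev/null)
    echo "Enrolled via DEP: $(printf '%s\n' "$status" | dep_enrolled)"
    case "$(printf '%s\n' "$status" | mdm_state)" in
      approved) echo "MDM profile is user approved."; return 0 ;;
      none)     echo "No MDM enrollment found."; return 2 ;;
    esac
    # Same prompt pattern as ammonsc's script: show the pane, then the message
    open /System/Library/PreferencePanes/Profiles.prefPane
    jamf displayMessage -message "Please approve the MDM profile in System Preferences > Profiles, then click OK."
    tries=$((tries + 1))
    sleep "$wait_secs"
  done
  echo "MDM profile still not approved after $max_tries prompts."
  return 1
}

# Run the live check only when asked, so the functions above can be sourced
# or tested without touching a real Mac.
if [ "${1:-}" = "--run" ]; then
  prompt_until_approved "${2:-5}" "${3:-60}"
fi
```

Run it from the policy as `script.sh --run 5 60`; because the exit code distinguishes approved, pending and not enrolled, the policy can be left in scope until it returns 0, which is the "continue to run if the user has not approved it" behaviour asked about above.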

gachowski
Valued Contributor II

Jamf's solution in 10.3 is very nice... I'm not going to plan on putting old machines back into DEP even if Apple allows it... not worth the extra work compared to Jamf's new workflow...

C