Originally this article was posted on Jamf Nation here, prior to the launch of Tech Thoughts.
tl;dr - Getting an "MDM-enabled user" and user channel for configuration profiles has become unobtanium. Pretend that macOS is like iOS or iPadOS, where all configuration profiles and certificates are scoped to the whole machine.
Making a user "MDM-capable," "MDM-enabled," or, in Apple's MDM specification, a "managed user," can be achieved in a few ways:
For reference, see Enabling MDM for Local User Accounts and, from apple.com, Prepare for changes to kernel extensions in macOS High Sierra.
For a configuration profile or a certificate to be issued to a single user account on a Mac, the user must be a "managed user" as of macOS Catalina. For administrators used to binding their Macs to AD and having this user channel, the change will require planning and changes. (Useful related story: User vs. Machine Certs on macOS)
What Jamf Connect does with local user accounts
Jamf Connect is MDM agnostic and exists outside of the initial Setup Assistant DEP experience. It creates accounts just-in-time after the MDM device enrollment process is complete. The account created is a local account (not bound). Thus, per Apple's specifications, it is not a "managed user." Changing a local user's MDM capability requires the MDM profile to be re-installed or re-enrolled, which can affect User-approved MDM status if attempted programmatically. Re-enrollment may not be possible in future versions of macOS, limiting this further. Refer to announcements from Apple made at WWDC2020 regarding programmatic installation of profiles and future releases.
How to get a "managed user" and use Jamf Connect
An alternative workflow can achieve a managed user and use Jamf Connect for ongoing password sync. Use an Enrollment Customization (available with macOS 10.15 and above) to create the initial user account.
The user created will be a "managed user" per Apple's MDM spec. From there, we can use Jamf Connect to keep that user's local password in sync with an identity provider.
After the user has logged in, scope a configuration profile for Jamf Connect to the target machine and run a Jamf Pro policy to install the Jamf Connect and Jamf Connect menu bar launch agent installer packages.
In this scenario, you may want to disable the Jamf Connect login screen, as modifying the managed user in any way may cause the managed user state to be lost. Experimentation in your environment will be important. The Jamf Connect menu bar agent can be used independently of the login option to keep the local user password in sync.
How to move an existing user to "managed user" status
Note: If a user is not an MDM-capable user, and an administrator wants to make them MDM-capable, run the following command AS THE USER ACCOUNT:
sudo profiles renew -type enrollment
This can also be accomplished with the "sudo profiles -N" command, which is a direct equivalent in the current macOS but is subject to deprecation in a future version of macOS.
The user being modified must be:
The machine must be enrolled in Apple's automated device enrollment via Apple School Manager or Apple Business Manager and must be assigned to a prestage in the MDM server.
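The following pre-flight script is an added example, not code from the original post or from Jamf. Before running the renewal, it checks the two conditions stated above: that the Mac reports Automated Device Enrollment with user-approved MDM (parsed from `profiles status -type enrollment`, whose output lines "Enrolled via DEP: Yes" and "MDM enrollment: Yes (User Approved)" are the format this example expects), and that the invoking account is the console user rather than root acting through a management policy, since the post warns that programmatic attempts can disturb User-approved MDM status. Function names and the `--run` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check before
# "sudo profiles renew -type enrollment". Function names are this example's own.

# Read `profiles status -type enrollment` output on stdin and succeed only when
# both lines the post relies on are present:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
enrollment_ok() {
  dep=""; mdm=""
  while IFS= read -r line; do
    case "$line" in
      "Enrolled via DEP: "*) dep="${line#Enrolled via DEP: }" ;;
      "MDM enrollment: "*)   mdm="${line#MDM enrollment: }" ;;
    esac
  done
  [ "$dep" = "Yes" ] && [ "$mdm" = "Yes (User Approved)" ]
}

# The renewal must run from the target user's own login session.
# $1 = account that invoked sudo (normally $SUDO_USER), $2 = current console user.
# Succeeds only when they match and neither is root.
session_is_target_user() {
  invoker="$1"; console="$2"
  [ -n "$invoker" ] && [ "$invoker" != "root" ] && [ "$invoker" = "$console" ]
}

# Console user lookup; scutil exists only on macOS, so elsewhere this is empty.
console_user() {
  if command -v scutil >/dev/null 2>&1; then
    echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && !/loginwindow/ { print $3 }'
  fi
}

main() {
  status="$(profiles status -type enrollment 2>/dev/null)" || {
    echo "profiles status failed; this check needs macOS 10.13.4 or later." >&2
    return 2
  }
  if ! printf '%s\n' "$status" | enrollment_ok; then
    echo "Device is not ADE-enrolled with user-approved MDM; the prerequisite for renewal is not met." >&2
    return 1
  fi
  if ! session_is_target_user "${SUDO_USER:-$(id -un)}" "$(console_user)"; then
    echo "Run this with sudo from the target user's own login session, not from a management policy." >&2
    return 1
  fi
  if [ "${1:-}" = "--run" ]; then
    profiles renew -type enrollment
  else
    echo "Pre-flight passed. Re-run with --run to execute: sudo profiles renew -type enrollment"
  fi
}

# The profiles tool exists only on macOS; on other systems the functions above
# can still be exercised directly.
if command -v profiles >/dev/null 2>&1; then
  main "$@"
fi
```

Save it as, for example, `mdm-user-preflight.sh` and run `sudo sh mdm-user-preflight.sh` from the target user's Terminal session; it reports why it would refuse rather than renewing, and only `--run` performs the renewal.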
Feedback to Apple around managed user and user level profiles
If you would like to submit feedback to Apple about this process, log into feedbackassistant.apple.com with your Apple Business Manager or Apple School Manager Apple ID to tie the feedback to your organization's ASM/ABM account. Refer to the following already submitted feedback assistant request:
FB9899085 - Feature Request: Allow for a local user account to become “MDM managed” outside of the context of initial MDM enrollment