
Enabling MDM for Local User Accounts

Overview

This article describes the process used to allow Mac App Store apps and user-level macOS configuration profiles to be installed for local user accounts. This process makes the local user account MDM enabled.

Only one local user account can be MDM enabled on a computer at a time. If a second local user account becomes MDM enabled on the computer, the first local user account is no longer MDM enabled.

Note: LDAP directory accounts are MDM enabled by default even after a local user account on the computer becomes MDM enabled.

Explanation

On computers with macOS 10.10 or later and Jamf Pro v9.64 or later, the local user account is automatically MDM enabled the first time a Mac App Store app is installed automatically or via Self Service, or a user-level configuration profile is installed via Self Service. With DEP enrollment, the first local user account that is created is made MDM capable.
On computers with macOS 10.9 or earlier and Jamf Pro v9.4 - v9.64, the user is prompted with a “Local Administrator credentials required” message the first time a Mac App Store app is installed automatically or via Self Service, or a user-level configuration profile is installed via Self Service. The user can click OK or Cancel when prompted.

  • If the user clicks OK, they are prompted to enter credentials for a local administrator account. This allows the local user account to become MDM enabled. Mac App Store apps and user-level configuration profiles can then be installed. All subsequent apps and profiles can also be installed for that user (depending on the versions of Jamf Pro and the operating system).

  • If the user clicks Cancel, they are not prompted to enter credentials for a local administrator account. As a result, the local user account does not become MDM enabled. Mac App Store apps and user-level configuration profiles cannot be installed, and subsequent apps and profiles likewise cannot be installed for that user (depending on the versions of Jamf Pro and the operating system).

If an unintended account becomes MDM enabled on a computer with macOS 10.10 or later and Jamf Pro v9.64 or later, you can execute the following command on the computer to force enable MDM for the intended user:

sudo jamf mdm -userLevelMdm

Note: For computers with macOS 10.13.2 and later, this workflow for enabling MDM for local user accounts will reset any previous User Approved MDM Enrollments. If you use this as a part of existing ongoing workflows, you should evaluate the impact of these changes.

For computers with macOS 10.12, the command can be successfully executed only once. Multiple local MDM capable users are not supported (LDAP directory accounts work fine).

The sudo jamf mdm -userLevelMdm command force enables MDM for the currently logged-in user only. If Allow MDM Profile Removal is deselected in the computer PreStage enrollment, the command will not work for any additional local users.
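The wrapper below is an added example, not part of the Jamf article and not the jamf binary's own tooling. It shows how a login-triggered policy can run the enable command only when a real (optionally a specific) user owns the console, and how to classify the command's output so the policy log records why a run failed rather than just that it did. Assumptions not taken from the article: the jamf binary lives at /usr/local/jamf/bin/jamf, the console owner is read from /dev/console, and the failure strings are modelled on output quoted in the comments on this page (the embedded samples and exit codes are constructed).

```shell
#!/bin/sh
# Added example, not Jamf's own tooling: a policy-safe wrapper around
# "jamf mdm -userLevelMdm" that (1) refuses to run when no real user owns the
# console, (2) optionally enables MDM only for one expected account, and
# (3) classifies what the jamf binary printed so the policy log says WHY a
# run failed instead of only "error".
#
# Assumptions not taken from the article: the jamf binary is at
# /usr/local/jamf/bin/jamf, the console owner is read from /dev/console, and
# the failure strings are modelled on output quoted in this thread.

JAMF_BIN="/usr/local/jamf/bin/jamf"

# GUI user at the console: "root"/"loginwindow" at the login window, "" if none.
console_user() {
    /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

# $1 = console user, $2 = optional account that alone may be enabled.
# Prints "proceed" (exit 0) or a "skip: ..." reason (exit 1).
should_enable() {
    user="$1"
    wanted="${2:-}"
    case "$user" in
        ""|root|loginwindow|_mbsetupuser)
            echo "skip: no user session at the console"
            return 1 ;;
    esac
    if [ -n "$wanted" ] && [ "$user" != "$wanted" ]; then
        echo "skip: console user $user is not $wanted"
        return 1
    fi
    echo "proceed"
}

# $1 = text printed by "jamf mdm -userLevelMdm", $2 = its exit status.
# Prints one of: ok, replace-denied, unknown-error, failed.
classify_mdm_output() {
    out="$1"
    rc="${2:-0}"
    if printf '%s\n' "$out" | grep -q 'returned 102'; then
        # The installed MDM profile may not be replaced. Typical on a DEP-enrolled
        # Mac whose PreStage has "Allow MDM Profile Removal" deselected.
        echo "replace-denied"
    elif printf '%s\n' "$out" | grep -qi 'unknown error'; then
        # Reported in this thread on a Jamf Pro server with no push certificate.
        echo "unknown-error"
    elif [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -Eqi 'Problem installing MDM profile|There was an error'; then
        echo "failed"
    else
        echo "ok"
    fi
}

# Real run. Note the article's caveat: on macOS 10.13.2+ this resets any
# User Approved MDM enrollment, so scope the policy deliberately.
run_enable() {
    user="$(console_user)"
    if ! reason="$(should_enable "$user" "${1:-}")"; then
        echo "$reason"
        return 0
    fi
    rc=0
    out="$("$JAMF_BIN" mdm -userLevelMdm 2>&1)" || rc=$?
    status="$(classify_mdm_output "$out" "$rc")"
    echo "enable MDM for $user: $status"
    [ "$status" = "ok" ]
}

# Constructed samples modelled on output quoted in the thread (not captured here).
SAMPLE_DENIED="Getting management framework from the JSS...
Enabling MDM at the user level...
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/PLACEHOLDER.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile."
SAMPLE_NO_PUSH="Enabling MDM at the user level...
There was an error.
Unknown Error - An unknown error has occured."

case "${1:-}" in
    --run) run_enable "${2:-}" ;;
    *)  # Offline demonstration of the classifier against the embedded samples.
        echo "sample 102 output  -> $(classify_mdm_output "$SAMPLE_DENIED" 1)"
        echo "sample no-push     -> $(classify_mdm_output "$SAMPLE_NO_PUSH" 1)"
        echo "empty output, rc=0 -> $(classify_mdm_output "" 0)" ;;
esac
```

Run it by hand on a Mac as `sudo sh enable_mdm.sh --run [account]`; with no arguments it only classifies the embedded samples. A Jamf policy fills $1 to $3 itself, so shift the parameters if you deploy it that way. The "replace-denied" result is the one to watch on DEP-enrolled computers: no amount of retrying helps until the PreStage allows profile removal.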

Additional Information

For more information about Mac App Store apps and macOS configuration profiles, see the Jamf Pro Administrator’s Guide.

SOLVED Posted: by berembert

Hi guys,

I'm trying for the first time to deploy an App Store app on Self Service, and I'm encountering the following problem:
- Local Administrator credential required
- When I click on "OK", I can't enter my credentials because there is no prompt, but an error.
The error is "Cannot Install Item. There was a problem installing Microsoft Remote Desktop. Enabling MDM for local user account failed. Contact your administrator"

I should specify that I have no push certificate configured and have never used MDM. But all other Self Service apps are working fine (no App Store apps...)

I've tried the solution above but I obtain:
"Enabling MDM at the user level...
There was an error.
Unknown Error - An unknown error has occured."

What do I have to configure in order to make this work, guys? Any help would be appreciated!
Thanks,

SOLVED Posted: by maccentric

you need push...

SOLVED Posted: by berembert

Ok, thanks.

I will try it and I'll let you know then.

SOLVED Posted: by DanJ_LRSFC

How do you MDM enable a local user account if it isn't a sudoer? i.e. it's just a standard account without administration rights.

SOLVED Posted: by EvstersTech

I have configured Mac App Store apps in Self Service but they are not downloading (scoped to the computer). Do you have to set a target user as well?

Latest JSS hosted version, clients are 10.11.1 or 10.11.3

SOLVED Posted: by murph

It would be nice if deploying device-based apps didn't depend on a user being enabled and just installed. Seems like it would be a lot fewer headaches for everyone.

SOLVED Posted: by eonl

Does this mean that people first have to install something from the servicedesk, before we can truly push stuff to them?

SOLVED Posted: by mtward

How could this command be deployed to all managed clients to be run as the current user? Running via script or policy runs as root and fails.

SOLVED Posted: by devlinford

Could this be blasted out as a cron job, that runs at regular intervals locally? This way when any local user logs in, the cron job can switch the MDM capability to this local user and continue to communicate with JSS.

SOLVED Posted: by devlinford
Could this be blasted out as a cron job, that runs at regular intervals locally? This way when any local user logs in, the cron job can switch the MDM capability to this local user and continue to communicate with JSS.

We have created this cron job and it does work well, our plan is to include this in all new images going forward, and get blasted out to existing systems now. However, I was hoping that some of you could clear up some confusion for me...

I have created a 'dummy policy' that, triggered on check-in, simply displays a message: "This computer is checking in" & "This computer is done checking in" via the User Interaction pane. Now the confusing part. I understand that these computers will always check-in regardless of logged in user, but that if it is NOT a logged in user who is MDM capable, it will not pick up and run any policies?

Is this true?

I am finding that even though the current logged-in user I am testing with is not an MDM capable user (our cron script is unloaded), it is still grabbing this dummy policy I have created. I feel like I don't fully understand the subtleties of local MDM users....

Thanks,

Dev

SOLVED Posted: by kenergy

What command do you type to verify the command is working?

SOLVED Posted: by ostrowsp

We have a local account on all our lab systems. We would like to make this account an MDM capable account. Is there any way to do this using Casper Remote or Jamf so we do not have to log into every machine with that account and run sudo jamf mdm -userLevelMdm?

SOLVED Posted: by Suges

We've built a script here that we make part of the initial imaging of enrolled computers, that makes sure whichever user is currently using the computer will become MDM-enabled. This helps us in situations where we image a computer for someone, but they don't log into it for the first time for a few days.

#!/bin/bash

# installMDMDaemon: Installs the MDM-enable LaunchDaemon on a target computer

# The daemon runs as a system launchd job every four hours, calling jamf's
# user-level MDM enable command to make sure that no matter what user is
# logged in, the computer will phone home to the JSS and sync up.

# Notes: This script expects to be run as root; it will fail otherwise.

echo "Installing MDM Daemon..."

# Step #1: Write the plist file and place it in the correct location
#          (If you need to adjust the plist, edit the heredoc below.)

echo "Writing job plist to /Library/LaunchDaemons/com.jamf.enableMdmUser.plist..."

/bin/cat <<EOM >/Library/LaunchDaemons/com.jamf.enableMdmUser.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
        <string>com.jamf.enableMdmUser</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/env</string>
        <string>/usr/local/jamf/bin/jamf</string>
        <string>mdm</string>
        <string>-userLevelMdm</string>
    </array>
    <key>StartInterval</key>
        <integer>14400</integer>
    <key>StandardOutPath</key>
        <string>/var/log/system.log</string>
    <key>StandardErrorPath</key>
        <string>/var/log/system.log</string>
</dict>
</plist>
EOM

# Step #2: Change file's owner, group, and permissions
#          (The plist needs to be owned by root and not world/other writable for
#          launchd to even run it as a system daemon; 644 is the usual mode.)

echo "Changing permissions on job definition..."

/usr/sbin/chown root:wheel /Library/LaunchDaemons/com.jamf.enableMdmUser.plist
/bin/chmod 644 /Library/LaunchDaemons/com.jamf.enableMdmUser.plist

# Step #3: Load the job into system's launchd
#          (Remember: to unload this job you need to use launchctl as root,
#          otherwise you'll be unloading (unsuccessfully) your regular user's
#          jobs. "launchctl start" takes the job's Label, not the plist path.)

echo "Loading job into launch controller and starting it..."

/bin/launchctl load /Library/LaunchDaemons/com.jamf.enableMdmUser.plist
/bin/launchctl start com.jamf.enableMdmUser

# Step 4: Launch the newly-installed job immediately so it binds a newly-imaged
#         computer right away

echo "Launching the job immediately for the first run..."

/usr/local/jamf/bin/jamf mdm -userLevelMdm
SOLVED Posted: by etippett

@ostrowsp Could you create a policy that runs jamf mdm -userLevelMdm at login, scoped to all of your lab computers, and limited to only the local lab user? I assume that the username is the same on all of the computers...

Eric

SOLVED Posted: by kwsenger

Looking for an Extension Attribute to determine if the MDM Capable Users: field is blank or empty.
Does anyone have an EA to determine which computers need to run "jamf mdm -userLevelMdm" as the logged in user?

~Karl

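As an added example (not code from this thread or from Jamf), here is one way to build the extension attribute asked for above: an EA that reports whether the console user currently holds a user-level "MDM Profile", which is the sign that this account is the one MDM-enabled local user. It assumes the EA runs as root, that `profiles -P` run as the console user (via `sudo -u`) lists that user's profiles as lines of the form `<user>[n] attribute: name: <profile name>`, and that the Jamf user-level MDM profile is named "MDM Profile" as it is elsewhere in this thread; the listing embedded in the script is constructed. A smart group on the result ("not MDM enabled") can then scope the enabling policy to just the computers that need it.

```shell
#!/bin/sh
# Added example, not Jamf's own code: extension attribute reporting whether
# the console user holds a user-level "MDM Profile" (i.e. is the MDM-enabled
# local account). Assumptions: runs as root (as Jamf EAs do); the legacy
# "profiles -P" listing, run as the console user, prints one
# "<user>[n] attribute: name: <profile name>" line per profile; the Jamf
# user-level MDM profile is named "MDM Profile".

console_user() {
    /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}

# $1 = user name, $2 = text of a "profiles -P" listing.
# Prints "yes" when a user-level profile named "MDM Profile" is listed under
# $1; computer-level entries (_computerlevel[n]) never count.
user_has_mdm_profile() {
    user="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v u="$user" '
        index($0, u "[") == 1 && $0 ~ / attribute: name: MDM Profile$/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# $1 = console user, $2 = "yes"/"no" from user_has_mdm_profile.
# Prints the <result> line Jamf Pro stores for the EA.
ea_result() {
    user="$1"
    has="$2"
    case "$user" in
        ""|root|loginwindow|_mbsetupuser)
            echo "<result>No console user</result>" ;;
        *)
            if [ "$has" = "yes" ]; then
                echo "<result>$user: MDM enabled</result>"
            else
                echo "<result>$user: not MDM enabled</result>"
            fi ;;
    esac
}

# Constructed sample listing as jdoe would see it: the computer-level MDM
# profile plus two user-level profiles, one of them the MDM profile.
SAMPLE_LISTING="_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: PLACEHOLDER-COMPUTER-MDM-ID
jdoe[1] attribute: name: Wi-Fi (user)
jdoe[1] attribute: profileIdentifier: com.example.wifi.user
jdoe[2] attribute: name: MDM Profile
jdoe[2] attribute: profileIdentifier: PLACEHOLDER-USER-MDM-ID"

if [ "${1:-}" = "--live" ]; then
    user="$(console_user)"
    listing=""
    case "$user" in
        ""|root|loginwindow|_mbsetupuser) ;;
        *) listing="$(/usr/bin/sudo -u "$user" /usr/bin/profiles -P 2>/dev/null)" ;;
    esac
    ea_result "$user" "$(user_has_mdm_profile "$user" "$listing")"
else
    # Offline demonstration against the constructed listing.
    ea_result jdoe "$(user_has_mdm_profile jdoe "$SAMPLE_LISTING")"
    ea_result labuser "$(user_has_mdm_profile labuser "$SAMPLE_LISTING")"
fi
```

Paste the script into the EA with the `--live` branch made the default (or pass `--live` when testing by hand on a Mac); without it the script only exercises the constructed listing. Because the EA is refreshed at inventory, the smart group lags a little behind a login, so pair it with a login-triggered policy rather than relying on it alone.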
SOLVED Posted: by bvrooman

I see that this article has been updated to include:

MacOS Sierra is not supported for multiple local MDM capable users (LDAP directory accounts will work fine).

Does that imply that a single local MDM-capable user is still supported under Sierra?

SOLVED Posted: by bpavlov

Better yet. Will it ever be supported?

SOLVED Posted: by rodders

I too have just run into this, and noticed the latest update. @asugar I'm guessing you set this policy frequency to once per computer per user?

SOLVED Posted: by Suges

@rodders It's been a while but I believe so!

SOLVED Posted: by jrwilcox

Has anyone had any luck getting this to work in Sierra? I am trying in macOS 10.12.3 with no luck at all. My policy runs, there are no errors, but I never get any MDM capable users.

SOLVED Posted: by devlinford
Has anyone had any luck getting this to work in Sierra? I am trying in macOS 10.12.3 with no luck at all. My policy runs, there are no errors, but I never get any MDM capable users.

Hey JR,

Yes, I have had success, except not on 10.12.3, but prior versions. I use Casper Imaging to push an image of Sierra. Included is the cron script mentioned above (I work with @asugar). I have found on two occasions that the cron doesn't run for some reason. When I re-image the system it works the next time. I cannot say for sure if this behaviour exists solely on Sierra or on earlier OSes as well.

If you just manually run the script in Terminal does it work?

Thanks,

SOLVED Posted: by devlinford
I too have just run into this, and noticed the latest update. @asugar I'm guessing you set this policy frequency to once per computer per user?

@rodders & @asugar ,

The policy to grab this cron is set to Once per system (it runs, regardless of logged in user), no need to run it on subsequent logins.

SOLVED Posted: by Suges

@rodders & @devlinford et al:

I updated the script above. It should now fire every time in every situation.

SOLVED Posted: by nsantoro

Thanks. It worked!!!

I could not get the MDM Profile back on a MacBook. I tried everything: removing it from JSS, uninstalling the Jamf framework, plist, and Self Service, re-enrolling it, and even unbinding it from the domain, changing the Computer Name, then re-enrolling it... nothing worked until I ran this simple command:
sudo jamf mdm -userLevelMdm

Thanks a bunch!!!!!!!!

SOLVED Posted: by franton

I spent a little time with Jamf Support last night wondering why this didn't work. If anyone has any troubles, try changing the spelling of the command slightly.

sudo jamf mdm -userLevelMDM

That's what ended up working for me last night! Unfortunately I have to totally remove all MDM first before it works, with 9.98.

SOLVED Posted: by iancdavidson

Hello - Are there any developers out there with access to the macOS High Sierra beta that can confirm if High Sierra supports multiple local MDM capable users? Really useful to know what direction Apple is headed with this one - lots of changes coming to the Mac App Store. Thank you.

SOLVED Posted: by m.entholzner

Hi @iancdavidson, everything about High Sierra is under non-disclosure. So you will have to test this on your own.

SOLVED Posted: by conor

So in order to get this properly running on Sierra 10.12.5 on Jamf 9.9.9 I had to do the following:

Remove MDM from the previously enabled user by running: sudo jamf removeMDMProfile

Log into the user that requires MDM enablement (we do have a policy for this but it doesn't seem to work). Then run sudo jamf mdm -userLevelMDM.

This switched the MDM over to the logged-in user. Didn't affect the mobile configs either.

SOLVED Posted: by dan.gregson

I created a simple script that I have added to self service and to run at login as well.

#!/bin/sh

# Remove the existing MDM profile, then enable user-level MDM for the
# currently logged-in user. (A Jamf policy already runs as root, so the
# sudo is redundant there but harmless.)
sudo jamf removeMDMProfile
sudo jamf mdm -userLevelMDM

exit 0

SOLVED Posted: by donmontalvo

Would confirm first user won't lose connectivity before running the sudo jamf removeMDMProfile command (802.1x Wi-Fi profile?). :)

SOLVED Posted: by tcam

if
sudo jamf mdm

returns
Getting management framework from the JSS...
Enabling MDM...
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Downloading required CA Certificate(s)...
Retrying the user level mdm profile install.
Error installing the computer level mdm profile: profiles install for file:'/Library/Application Support/JAMF/tmp/mdm.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile.

you can get around this error with
sudo mv /var/db/ConfigurationProfiles /var/db/ConfigurationProfilesOLD

If you're running 10.13+, SIP protects /var/db/ConfigurationProfiles,
so if the OS is 10.13+, you have to disable SIP in order to clear /var/db/ConfigurationProfiles.

SOLVED Posted: by kevinwilemon

Note that if you follow @tcam 's steps above and have "Make MDM Mandatory" checked in your prestage enrollment, this will allow users to remove the MDM profile.

SOLVED Posted: by tcam

@kevinwilemon

One way around that might be

sudo mv /var/db/ConfigurationProfiles /var/db/ConfigurationProfilesOLD
reboot
sudo /usr/libexec/mdmclient dep nag

or to re-do applesetup with
rm /var/db/.AppleSetupDone
reboot
complete first time setup

SOLVED Posted: by cgolebio

Can I get clarification on the following statement?

For computers with macOS 10.12 the command can be successfully executed only once.

Does this mean it can only run once, and if run a second time it won't work?

I have the issue on Sierra currently. I'll tackle High Sierra next...

SOLVED Posted: by brian

How about asking a better question, why when we have device based app assignment why do we need a user account at all?!

SOLVED Posted: by cgolebio

@brian Agree with you. I know this probably isn’t the place for it, but in a post-Steve Jobs Apple, does anyone share the feeling that Apple is overcomplicating the simple concepts? If Apple wants to expand in Enterprise, they sure are making it difficult.

I am trying to take the agile approach here tackling one thing at a time and getting it right. Everywhere I turn though I face a new challenge after I think I solved one thing. And unfortunately it seems that the instructions, even on Apple’s support pages are ambiguous.

SOLVED Posted: by PatrickD

@cgolebio , with regards to your question, I can offer some first hand experience.

Can I get clarification on the following statement? For computers with macOS 10.12 the command can be successfully executed only once.

We use user level MDM for our user level installed SCEP Config Profiles (for user certificate based wi-fi auth) for local accounts.

We do this by running the following two commands in a script if we ever need to bring down the user-level SCEP profile again. I have run this many many times on the same machine with no issue.

It does however cause issues when you change to another user account on the same machine; we usually just delete the machine from Jamf and re-enroll. Our script is actually a part of our enrollment process.

#removes the MDM profile from the machine
/usr/local/jamf/bin/jamf -removeMdmProfile

#enables user level MDM
/usr/local/jamf/bin/jamf mdm -userLevelMdm
SOLVED Posted: by mike.paul

As noted above by @donmontalvo, running the jamf -removeMDMProfile command removes all other configuration profiles as well, which typically means Wi-Fi, so be careful if you are not hardwired; otherwise it won't be able to reach the JSS to get the new MDM profile and enable the user.

Also this should not be needed to successfully run jamf mdm -userLevelMdm, as this should enable the current user even if the mdm profile is there (unless restricted by DEP). Technically speaking the mdm profile is removed during this process but it should not impact your other installed profiles.

/var/db/ConfigurationProfiles is SIP protected now so deleting that really isn't an option anymore, and SIP should be enabled for most environments. Also, removing that removes all other configuration profiles, including Wi-Fi, among other security things.

Be aware though on 10.13.2 and above that since running either the removeMDMProfile or -userLevelMdm commands removes the profile you would be removing any User Approved MDM (UAMDM) along with it. Currently only the kext whitelist payload is impacted by this but that will change in the future.

Also as kind of mentioned above, if you are DEP enrolled with the box not checked for "Allow MDM Profile Removal", both of those commands will fail with the following errors since the profile cannot be removed per the specs:

sudo jamf mdm -userLevelMdm
Password:
Getting management framework from the JSS...
Enabling MDM at the user level...
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/8F90D19D-FABA-4A28-9CA9-CAC7377D00A8.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Downloading required CA Certificate(s)...
Retrying the user level mdm profile install.
Error installing the user level mdm profile: profiles install for file:'/Library/Application Support/JAMF/C1EB30EB-6235-4279-A0C4-5E90C7832A5F.mobileconfig' and user:'root' returned 102 (New profile does not meet criteria to replace existing profile.)
Problem installing MDM profile.

The first user created during DEP gets MDM capability Yes by default. If you are needing to change MDM capable users on DEP restricted computers things are harder.

SOLVED Posted: by rodders

So are we saying that Apple want you to allow users to remove your MDM profile - the very thing that enables us to manage Macs in an enterprise environment?!
Or have I misunderstood the intricacies?

SOLVED Posted: by c.kay

Seems Apple now supports installing VPP apps when no one's logged in by sending the install apps command to the computer instead of an MDM enabled user. This apparently works in 10.13.3 with the latest version of Profile Manager. I hope Jamf will support this in Jamf Pro soon, as it's a real pain having to wait for a user to log in before VPP apps can be deployed.

SOLVED Posted: by c.kay

Here’s the feature request I created sometime ago about this

https://www.jamf.com/jamf-nation/feature-requests/6437/ability-to-install-update-mdm-device-assigned-vpp-mac-app-store-apps-when-no-user-logged-in

SOLVED Posted: by kerouak

@rodders

Totally Agree!!
W.T.F?

That is so backwards it untrue!

Along with SecureToken, 10.13 is really starting to P34s me right off
:-(

SOLVED Posted: by timlarsen

So...I'll ask the question: What if (hypothetically) I want more than one MDM capable user on the same computer? I have an all-DEP workflow in my environment, but I rely on a user-based profile for my Wi-Fi config (TLS/AD certificate...long story, but not feasible to do computer auth as we don't bind). I'm trying to set up a kind of "check in/check out" system on shared laptops where more than one user account can be present at the same time and still have the ability to have a user-based config profile installed. I'm finding this insanely difficult to accomplish if not impossible. Has anyone tried anything like this before? Is there a way (or is it recommended) to script adding the current user to the MDM capable list as a login policy or something? Thanks!

SOLVED Posted: by mmainccs

Tim,

The only thing I have seen like that (and it worked well because I have been using it for a year) is the script in a post higher up in this thread — https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts#responseChild1539. Unfortunately, its use of /usr/local/jamf/bin/jamf mdm -userLevelMdm means that it undoes User Approved Enrollment on any Mac running it, so it is no longer a viable solution, unless one wants to regularly have to manually approve MDM Profiles on any Mac running the script. I sincerely hope some solution can be found for this. Those of us with shared labs and carts have a huge problem on our hands whether we can use DEP on a new Mac or are setting up a Mac ineligible for DEP. I wish you luck.

SOLVED Posted: by timlarsen

Thank you @mmainccs appreciate the clarification. That is also what I'm finding in my tests.

SOLVED Posted: by ebonweaver

So what I'm seeing is once again JAMF isn't actually usable as compared to Profile Manager? Limiting app deployment to a specific user account is nonsense if you're managing multi user labs, it makes this feature entirely useless. There is an agent, Apple can do it, fix your software so it actually works. I just spent 3 days trying to figure out why apps did not deploy to computers, only to discover the entire feature, in all of its needless complexity, doesn't actually work.

SOLVED Posted: by kricotta

Hi folks, so the way I get it then is that if I have 300 machines that I am pushing Mac App Store apps to (Pages, Numbers, etc.), I have to log into each one of them as my local user account to get the install to kick off?

SOLVED Posted: by bdelamarche

Any news regarding the Product Issue with the DEP enrollment and the userlevelMDM to deploy a macapp store app?

Thanks
Benoit

SOLVED Posted: by artsAvtandil63

Question:

sudo jamf mdm -userLevelMdm

… is the command line version of jss.examplecompany.com:8443/enroll, or are they different?
