This article includes information on User Approved MDM management in Jamf Pro. User Approved MDM is required for certain performance and security enhancements, like managing kernel extensions.
Requirements:
- Jamf Pro 10.3.0 or later
- Computers with macOS 10.13.2 or later
There are a number of ways in which a computer can achieve a User Approved MDM status in Jamf Pro:
| Enrollment method | Details |
| --- | --- |
| Enrollment via DEP | Enrollment via DEP using a PreStage enrollment is one of the methods which results in a User Approved MDM status. For detailed information on computer PreStage enrollments, see Computer PreStage Enrollments in the Jamf Pro Administrator's Guide. |
| User-initiated enrollment with an MDM profile | User-initiated enrollment with an MDM profile is one of the methods which results in a User Approved MDM status. During the user-initiated enrollment process, the user will be prompted to download and install a CA certificate (CA Certificate.mobileconfig) and then an MDM profile (enrollmentProfile.mobileconfig). Users must manually return to the enrollment portal webpage after installing the CA certificate to install the MDM profile and complete the enrollment process. Note: In environments with a trusted third-party signed SSL certificate in Jamf Pro, such as Jamf Cloud, administrators may choose to skip the installation of the CA certificate and only require the installation of the MDM profile. To allow the CA certificate installation to be skipped, navigate to Settings > Global Management > User-Initiated Enrollment and select the Skip certificate installation during enrollment checkbox. For detailed information on computer PreStage enrollments and the user-initiated enrollment experience, see User-Initiated Enrollment for Computers and User-Initiated Enrollment Experience for Computers in the Jamf Pro Administrator's Guide. |
| Enrollment in MDM prior to being upgraded to macOS 10.13.4 | A computer with macOS that was enrolled in MDM prior to being upgraded to macOS 10.13.4 or later will retain the User Approved MDM status after the upgrade. |
In addition, if a computer was enrolled without the User Approved MDM option, you can change the existing enrollment to a User Approved MDM status.
To approve an existing enrollment for an eligible computer, navigate to System Preferences > Profiles. Select the enrollment profile under Device Profiles, click the Approve button, and follow the prompts.
As of Jamf Pro 10.4.0, you can choose to notify users in Self Service and in Notification Center that they must approve your organization's MDM profile.
To access this feature in Jamf Pro, navigate to the Self Service for macOS Configuration settings and select the Enable User Approved MDM Profile Notification checkbox. Users with eligible computers are notified via a pop-up dialog when they launch Self Service and via a Notification Center notification that is automatically sent once per week or after Tomcat is restarted.
Jamf Pro stores detailed inventory information for each computer. You can view the status of the User Approved MDM attribute in the General category of a computer's inventory information. This information is collected and displayed for macOS 10.13.2 or later only.
A computer will be reported as "Yes" for User Approved MDM during inventory collection if it was enrolled via DEP, was enrolled through user-initiated enrollment with an MDM profile, was enrolled in MDM prior to being upgraded to macOS 10.13.4, or was manually approved in System Preferences > Profiles.
To display the User Approved MDM attribute field in inventory, navigate to Settings > Computer Management > Inventory Display and select the User Approved MDM checkbox.
You can also use an advanced computer search and a smart computer group to report on the User Approved MDM status.
Note: When you view the results of an advanced search or a smart group, the inventory information returns "Unsupported OS Version" for computers with macOS 10.13.1 or earlier.
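A local cross-check for the inventory value described above, as an added example that is not part of the original article or Jamf's own code: it classifies the output of `profiles status -type enrollment`, a macOS command available in 10.13.4 and later. The function names, the sample output, and the "No", "Not Enrolled" and "Unknown" labels are assumptions made for illustration; "Yes" and "Unsupported OS Version" follow the article.

```shell
#!/bin/sh
# Added example: classify User Approved MDM state on a Mac.

# Constructed sample output of `profiles status -type enrollment`.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# classify_uamdm OS_VERSION STATUS_TEXT: prints one status label.
classify_uamdm() {
    os_version=$1
    status_text=$2
    # The article reports macOS 10.13.1 or earlier as unsupported.
    if version_lt "$os_version" "10.13.2"; then
        echo "Unsupported OS Version"
        return 0
    fi
    value=$(printf '%s\n' "$status_text" |
        sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    case "$value" in
        *"(User Approved)"*) echo "Yes" ;;          # enrolled and approved
        Yes*)                echo "No" ;;           # enrolled, approval pending
        No*)                 echo "Not Enrolled" ;;
        *)                   echo "Unknown" ;;      # no output, e.g. 10.13.2-10.13.3
    esac
}

# Run against the live system only where the macOS tools exist.
if command -v profiles >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    classify_uamdm "$(sw_vers -productVersion)" \
        "$(profiles status -type enrollment 2>/dev/null)"
fi
```

A result of "No" on a computer that inventory shows as "Yes" suggests the inventory record is stale and needs a fresh inventory collection.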
As of version 10.6.0, Jamf Pro includes "install or queue for retry" logic to handle configuration profile payloads that require User Approved MDM enrollment for installation. When Jamf Pro attempts to install a profile that requires User Approved MDM on an eligible computer that does not have a User Approved MDM status, the profile stays queued and installation is automatically retried once the computer attains the User Approved MDM status.
If an eligible computer does not have a User Approved MDM status, you can approve it by navigating to System Preferences > Profiles, choosing the enrollment profile, and clicking the Approve button.
For more information on User Approved MDM, see the Prepare for changes to kernel extensions in macOS High Sierra article from Apple's support website.