Bypassing the Mavericks managed preferences login check

With the release of 10.9, a number of Mac admins began seeing an Updating Managed Settings message appear at the login window.

When contacted, Apple said that this was new behavior and it was added for the following reasons:

Starting with 10.9, MCX will attempt to contact an AD/OD/MDM server during login, before the Finder is launched to ensure that all managed settings are applied before any user session applications run.

The dialog you are seeing comes up if this process takes more than a couple seconds.

The dialog does not add any time to the login process.

It’s just telling you why the login is taking extra time.

If your AD/OD/MDM server is responding slowly, then this is “normal” as the client just has to wait for the operations to complete.

In my own shop, this was going to be an issue. Our Casper server does not communicate with its clients over the Internet, so my users would see this message whenever they logged in while off of the office network. After working with Apple support, I now have a solution that works while a better one is hopefully being developed. See below the jump for the details.

It is possible to disable the MDM check that causes both the login delay and the Updating Managed Settings message. You can disable the check by running the following command with root privileges:

defaults write /Library/Preferences/com.apple.mdmclient BypassPreLoginCheck -bool YES

Here’s what /Library/Preferences/com.apple.mdmclient.plist looked like on my Mac once the command had been run:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BypassPreLoginCheck</key>
	<true/>
</dict>
</plist>

Effects of disabling the login check

With the login check disabled, any pending profiles that contain user-level managed preferences are not applied until the following login. The point of the delay was to make sure that the MDM server had a chance to apply settings before the user session starts; with the check bypassed, a session can begin before those settings are in place.

For my own shop, the solution above is an acceptable trade-off, but different shops have different needs. Evaluate your own needs carefully.
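
Because the bypass changes when managed settings take effect, it helps to know which Macs have it set. The following is an added example, not code from this post or from the GitHub repo: a Python check that reads the plist described above and reports the state of the key, covering a missing file and a value written without -bool. The function names and state strings are assumptions made for the example.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Path and key exactly as given in the post.
PLIST_PATH = Path("/Library/Preferences/com.apple.mdmclient.plist")
KEY = "BypassPreLoginCheck"

# Constructed sample: the plist contents shown in the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BypassPreLoginCheck</key>
    <true/>
</dict>
</plist>
"""


def bypass_state(data):
    """Classify raw plist bytes; None means the file does not exist."""
    if data is None:
        return "not set (no plist)"
    try:
        prefs = plistlib.loads(data)  # handles XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return "unreadable plist"
    if not isinstance(prefs, dict) or KEY not in prefs:
        return "not set (key absent)"
    value = prefs[KEY]
    if value is True:
        return "bypassed"
    if value is False:
        return "explicitly false"
    # For example the string "YES" left by `defaults write` without -bool.
    return f"non-boolean value {value!r}"


def audit(path=PLIST_PATH):
    """Report the state on this machine; a missing file is the default."""
    try:
        return bypass_state(path.read_bytes())
    except FileNotFoundError:
        return bypass_state(None)


if __name__ == "__main__":
    print(audit())
```
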

Update – 11-13-2013: I’ve now built a script and payload-free package to disable the login check. Both are available here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/bypass_mavericks_mdm_login_check

  1. November 13, 2013 at 4:43 am

    Did they give you any hints as to how to get rid of the dialog, but still enforce the prelogincheck?

  2. Adam Girardi
    November 13, 2013 at 5:33 pm

    As always, I see a new issue, and it is already documented on derflounder.

    Thanks Rich,
    Adam

  3. Dan Gio
    November 20, 2013 at 2:46 pm

    Thank you for this Rich. Unfortunately, that file doesn’t exist on any of the machines in my shop. Not sure why.

  4. November 20, 2013 at 3:06 pm

    Same issue here Rich. Perhaps leveraging as a loginhook and some if/then logic before the defaults command to check for known networks that we know our MDM server to be in would allow a more dynamic on/off activation of the function? This assumes this script would trigger prior to the MDM check happening.

  5. November 20, 2013 at 3:09 pm

    /Library/Preferences/com.apple.mdmclient.plist does not exist before running the defaults command. Running the defaults command will create it.

  6. January 17, 2014 at 2:39 pm

    The terminal command needs to end with “yes” not “Y”. It gives an error with “Y”

    • January 17, 2014 at 2:52 pm

      Never mind, I see I hadn’t scrolled. The “ES” was cut off of “YES”

  7. February 7, 2014 at 1:26 am

    You can also accomplish this via a profile.

    Custom settings in Profile Manager

    Domain: com.apple.mdmclient
    Key: BypassPreLoginCheck boolean (checked)

    Worked in my testing! Thanks Rich

  8. Matt
    March 4, 2014 at 7:11 pm

    Awesome, thanks for posting this. One question, will user level managed preferences and configuration profiles apply when the machine logs in the next time on the office network?

  9. December 19, 2014 at 7:44 pm

    Do you ever see this affecting logouts? I’m seeing an applying managed preferences message on logout and it’s taking about 10 min to log out.

  10. James McConachie
    December 19, 2014 at 8:19 pm

    The “Defaults write” command does not seem to have the same effect in Yosemite. Back to the Configuration Profile Tool nags.
