Bypassing the Mavericks managed preferences login check
With the release of 10.9, a number of Mac admins began seeing an Updating Managed Settings message appear at the login window.
Starting with 10.9, MCX will attempt to contact an AD/OD/MDM server during login, before the Finder is launched, to ensure that all managed settings are applied before any user session applications run.
The dialog you are seeing comes up if this process takes more than a couple of seconds.
The dialog does not add any time to the login process.
It’s just telling you why the login is taking extra time.
If your AD/OD/MDM server is responding slowly, then this is “normal” as the client just has to wait for the operations to complete.
In my own shop, this was going to be an issue. Our Casper server does not communicate with its clients over the Internet, so my users would see this message whenever they logged in while off of the office network. After working with Apple support, I now have a solution that works while a better one is hopefully being developed. See below the jump for the details.
It is possible to disable the MDM check that is causing both the login delay and the Updating Managed Settings message to appear. You can disable the check by running the following command with root privileges:
defaults write /Library/Preferences/com.apple.mdmclient BypassPreLoginCheck -bool YES
Here’s what /Library/Preferences/com.apple.mdmclient.plist looked like on my Mac once the command had been run:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BypassPreLoginCheck</key>
	<true/>
</dict>
</plist>
Effects of disabling the login check
Disabling the login check causes any pending profiles that contain user-level managed preferences not to be applied until the following login. The point of the delay was to make sure that the MDM server had a chance to apply settings before the user session started; with the check bypassed, that no longer happens at login.
For my own shop, the solution above is an acceptable trade-off, but different shops have different needs. Evaluate your own needs carefully.
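Because the bypass defers user-level managed preferences by one login, it helps to be able to report which Macs have it set. The following is an added example, not the script from this post: a Python 3 check that reads the plist shown above in either XML or binary form. The function name and the three state labels are my own, and it assumes that a missing file, a missing key or a boolean false all mean the login check still runs.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Path and key as given in the post.
PLIST_PATH = "/Library/Preferences/com.apple.mdmclient.plist"
KEY = "BypassPreLoginCheck"


def login_check_state(path=PLIST_PATH):
    """Classify the pre-login MDM check setting in the plist at `path`.

    "enabled"  - file or key absent, or boolean false (assumed default: check runs)
    "bypassed" - boolean true, as written by `defaults write ... -bool YES`
    "review"   - unreadable plist, or a non-boolean value such as the string
                 "YES" that `defaults write` stores when -bool is omitted
    """
    path = Path(path)
    if not path.exists():
        return "enabled"
    try:
        with path.open("rb") as fh:
            prefs = plistlib.load(fh)  # handles both XML and binary plists
    except (ValueError, ExpatError, OSError):
        return "review"
    if not isinstance(prefs, dict):
        return "review"
    value = prefs.get(KEY, False)
    if value is True:
        return "bypassed"
    if value is False:
        return "enabled"
    return "review"


if __name__ == "__main__":
    # Optional argument: a plist copied from another Mac for offline review.
    target = sys.argv[1] if len(sys.argv) > 1 else PLIST_PATH
    state = login_check_state(target)
    print(f"{target}: pre-login MDM check is {state}")
    # Non-zero exit lets a management tool flag Macs that are not "enabled".
    sys.exit(0 if state == "enabled" else 1)
```
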
Update – 11-13-2013: I’ve now built a script and payload-free package to disable the login check. Both are available here on my GitHub repo: