Archive
Detecting user approved MDM using the profiles command line tool on macOS 10.13.4
Starting in macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges, beyond what is allowed for macOS MDM enrollments which have not been “user approved”. As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a white list for third-party kernel extensions. However, I would anticipate that this list will grow over time.
Starting in macOS 10.13.4, you can use the profiles command line tool to determine if a machine is enrolled in an MDM, and if user-approved MDM is enabled. To do this, run the command shown below:
profiles status -type enrollment
Depending on your MDM enrollment status, you will see one of the following statuses:
No MDM enrollment
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
computername:~ username$
MDM enrolled, without user-approved MDM enabled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes
computername:~ username$
MDM enrolled, with user-approved MDM enabled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
computername:~ username$
DEP Enrolled
computername:~ username$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
computername:~ username$
Note: If your Mac is enrolled in Apple’s Device Enrollment Program (DEP), it automatically gets user-approved MDM.
To help detect if a particular Mac has user-approved MDM enabled, I’ve written a script. For more details, please see below the jump.
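As an added example (this is not the script mentioned above and not the author's code), the shell functions below classify the four outputs shown earlier and report anything else as unknown, so a Mac whose profiles tool predates 10.13.4 is not misreported as unenrolled. The function names, result labels and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the author's script. Function names and result labels
# are hypothetical; the status strings are the ones shown on this page.

# classify_enrollment TEXT -> prints one label for the given
# `profiles status -type enrollment` output.
classify_enrollment() {
    # Extract the value after each label, trimming surrounding whitespace.
    dep=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Enrolled via DEP:[[:space:]]*//p' | sed 's/[[:space:]]*$//')
    mdm=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*MDM enrollment:[[:space:]]*//p' | sed 's/[[:space:]]*$//')
    case "$mdm" in
        "Yes (User Approved)")
            if [ "$dep" = "Yes" ]; then echo "dep-user-approved"
            else echo "user-approved"; fi ;;
        "Yes") echo "enrolled-not-approved" ;;
        "No")  echo "not-enrolled" ;;
        *)     echo "unknown" ;;  # no match: tool too old or wording changed
    esac
}

# check_uamdm: run the real tool where it exists.
# Returns 0 = user approved, 1 = not approved or not enrolled, 2 = cannot tell.
check_uamdm() {
    command -v profiles >/dev/null 2>&1 || { echo "unknown"; return 2; }
    result=$(classify_enrollment "$(profiles status -type enrollment 2>/dev/null)")
    echo "$result"
    case "$result" in
        *user-approved) return 0 ;;
        unknown)        return 2 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample inputs, copied from the four cases above.
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_MDM='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

for s in "$SAMPLE_NONE" "$SAMPLE_MDM" "$SAMPLE_UAMDM" "$SAMPLE_DEP" "garbage"; do
    classify_enrollment "$s"
done
```

On a managed Mac, check_uamdm can gate a step that depends on user approval, such as confirming that a kernel extension white list profile will be honored.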
New automated restart option added to macOS 10.13.4’s softwareupdate command line tool
With the release of macOS 10.13.4, Apple has added a new option to the softwareupdate command line tool. As part of the installation options, softwareupdate now includes the option to automatically restart or shut down (as appropriate) following the installation of updates that need a restart or shutdown to complete properly.
-R | --restart Automatically restart (or shut down) if required to complete installation.
As an example, to use the new option to restart if needed after installing all available updates, please run the command shown below with root privileges:
softwareupdate --install --all --restart
In the event that no updates require a restart or shutdown, the Mac is not restarted.
Session videos available from MacAD UK Conference 2018
A number of session videos (including mine) have been posted from MacAD UK 2018. For those interested, the videos are available on YouTube via the link below:
https://www.youtube.com/playlist?list=PLe6gxSMzV0S_puM4DliqV0JD4pwlGgO1m
For convenience, I’ve linked my session here.
Cancelling an unwanted FileVault deferred enablement
There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.
However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.