Detecting user approved MDM using the profiles command line tool on macOS 10.13.4
Starting in macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges, beyond what is allowed for macOS MDM enrollments which have not been “user approved”. As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a white list for third-party kernel extensions. However, I would anticipate that this list will grow over time.
Starting in macOS 10.13.4, you can use the profiles command line tool to determine if a machine is enrolled into a MDM, and if user-approved MDM is enabled. To do this, run the command shown below:
profiles status -type enrollment
Depending on your MDM enrollment status, you may see one of the following statuses shown below:
No MDM enrollment
computername:~ username$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: No computername:~ username$
MDM enrolled, without user-approved MDM enabled
computername:~ username$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: Yes computername:~ username$
MDM enrolled, with user-approved MDM enabled
computername:~ username$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: Yes (User Approved) computername:~ username$
DEP Enrolled
computername:~ username$ profiles status -type enrollment Enrolled via DEP: Yes MDM enrollment: Yes (User Approved) computername:~ username$
Note: If your Mac is enrolled in Apple’s Device Enrollment Program (DEP), it automatically gets user-approved MDM.
To help detect if a particular Mac has user-approved MDM enabled, I’ve written a script. For more details, please see below the jump.
The script first checks the OS on a particular Mac and verifies that it is running macOS 10.13.4 or later. If the Mac is running an earlier OS, the script reports the following:
Unable To Detect User-Approved MDM On, followed by the OS version.
If the script verifies that the Mac is running macOS 10.13.4 or later, the script continues on to determine if the Mac has user-approved MDM enabled.
If the Mac has user-approved MDM enabled, the script reports the following:
Yes
If the Mac does not have user-approved MDM enabled, the script reports the following:
No
The script is available below, and at the following address on GitHub:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/detect_user-approved_mdm
A complementary Jamf Pro Extension Attribute is available at the following address on GitHub:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Script which reports if user-approved mobile device management | |
| # is enabled on a particular Mac. | |
| UAMDMCheck(){ | |
| # This function checks if a Mac has user-approved MDM enabled. | |
| # If the UAMDMStatus variable returns "User Approved", then the | |
| # following status is returned: | |
| # | |
| # Yes | |
| # | |
| # If anything else is returned, the following status is | |
| # returned: | |
| # | |
| # No | |
| UAMDMStatus=$(profiles status -type enrollment | grep -o "User Approved") | |
| if [[ "$UAMDMStatus" = "User Approved" ]]; then | |
| result="Yes" | |
| else | |
| result="No" | |
| fi | |
| } | |
| # Check to see if the OS version of the Mac includes a version of the profiles tool which | |
| # can report on user-approved MDM. If the OS check passes, run the UAMDMCheck function. | |
| osvers_major=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $1}') | |
| osvers_minor=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $2}') | |
| osvers_dot_version=$(/usr/bin/sw_vers -productVersion | awk -F. '{print $3}') | |
| if [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -ge 14 ]]; then | |
| UAMDMCheck | |
| elif [[ ${osvers_major} -eq 10 ]] && [[ ${osvers_minor} -eq 13 ]] && [[ ${osvers_dot_version} -ge 4 ]]; then | |
| UAMDMCheck | |
| else | |
| # If the OS check did not pass, the script sets the following string for the "result" value: | |
| # | |
| # "Unable To User-Approved MDM On", followed by the OS version. (no quotes) | |
| result="Unable To Detect User-Approved MDM On $(/usr/bin/sw_vers -productVersion)" | |
| fi | |
| echo "$result" |
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
What functionality is limited?
Alternative code below… essentially the same thing, but with a different way of checking the OS version. That is a common thing to need to do in extension attribute scripts, like for different versions of fdesetup, etc.
(This needs testing…)
#!/bin/bash
# Extension attribute to return UAMDM status
# Uses ‘profiles status’ command that is only available in 10.13.4 and above.
# Returns “yes”, “no”, or “Unable To check UAMDM. macOS version: {os_version}”
function version { echo “$@” | awk -F. ‘{ printf(“%d%03d%03d%03d\n”, $1,$2,$3,$4); }‘; }
function osAtLeast {
local targetVersion=“$1″
local macOS=$(/usr/bin/sw_vers -productVersion)
[[ $(version “$macOS” ) -ge $(version “$targetVersion”) ]] && echo “y” || echo “n”
}
function UAMDMCheck {
# This function checks if there is an enrollment profile and if status is “user approved”
UAMDMStatus=$(profiles status -type enrollment | grep -o “User Approved”)
[[ “$UAMDMStatus” = ‘User Approved’ ]] && echo “Yes” || echo “No”
}
osMessage=“Unable To check UAMDM. macOS version: $(/usr/bin/sw_vers -productVersion)”
[[ $(osAtLeast “10.13.4”) == “y” ]] && echo $(UAMDMCheck) || echo “$osMessage”
That’s functionally similar to the blog post, just with a different solution for figuring out what dot-version of the OS is running.
The advantage of this way is you can paste the functions into a script and then just say ‘osAtLeast “whatever” ‘. The advantage of the more traditional “nested if statements” way is that normal people can actually follow what the heck is going on.
Does this check the machine’s OS to see if it is in DEP or does it check via the internet if it is in DEP. (I buy and refurbish Macbook Pros and install a fresh OS on machines and it would be good to know if it’s in DEP before I sell them! Sometimes if it is in DEP it can take days before you get a DEP enrollment message)