Home > Jamf Pro, JSS, Mac administration, macOS > User-initiated computer enrollment now using MDM profile enrollment in Jamf Pro 10.3

User-initiated computer enrollment now using MDM profile enrollment in Jamf Pro 10.3

One of the changes introduced in Jamf Pro 10.3 is that user-initiated computer enrollment now has two modes:

  • macOS High Sierra: Uses an MDM profile to enroll the Mac, with the Jamf Pro agent being installed once MDM enrollment is complete.
  • macOS Sierra and earlier: Uses a QuickAdd installer package to enroll the Mac, with MDM enrollment and installation of the Jamf Pro agent being handled by the QuickAdd package.

Why the difference?

Using the MDM enrollment method on macOS High Sierra will automatically enable User Approved MDM, which is necessary for full management privileges on the Mac in question. The reason is that since the user is installing the MDM profile, the user is also logically approving the MDM management and satisfying Apple’s conditions for enabling User Approved MDM.

For more details, please see below the jump.

The installation of the MDM profile can be configured two ways:

  1. The installation of a CA certificate, followed by an MDM profile
  2. The installation of the MDM profile only.

The difference between the two depends on if your Jamf Pro server is using a trusted third-party SSL certificate, either directly on your Jamf Pro server or on a load balancer which is handling SSL termination for the Jamf Pro server.

If one of the two conditions mentioned above applies, where your Jamf Pro server is using a trusted third-party SSL certificate, you can set the CA certificate installation to be skipped using the following procedure:

1. Log into your Jamf Pro server using an account with administrator privileges.
2. Go to the management settings
3. Click on Global Management
4. Select User-Initiated Enrollment

Screen Shot 2018 03 29 at 6 56 42 PM

5. Check the Skip certificate installation during enrollment checkbox.

Screen Shot 2018 03 29 at 6 57 45 PM

If you’re not sure, leave the Skip certificate installation during enrollment checkbox unchecked. This will allow the installation of the CA certificate before the installation of the MDM profile.

Screen Shot 2018 03 29 at 6 57 42 PM

Enrolling by installing a CA certificate, followed by an MDM profile

Pre-requisites

  • macOS 10.13.0 or later

1. Go to https://server.name.here:8443/enroll
2. Enter your username and password, then click the Login button.

Screen Shot 2018 03 29 at 7 08 11 PM

3. Click the Enroll button.

Screen Shot 2018 03 29 at 7 09 15 PM

4. When notified that you’ll need to install the CA certificate, click the Continue button.

Screen Shot 2018 03 29 at 7 09 50 PM

5. When prompted to install the CA certificate, click the Continue button.

Screen Shot 2018 03 29 at 7 10 28 PM

6. When asked to verify that you want to install the CA certificate, click the Install button.

Screen Shot 2018 03 29 at 7 12 18 PM

A new CA Certificate profile should now appear in the User Profiles section of the Profiles preference pane.

Screen Shot 2018 03 29 at 7 12 35 PM

7. When prompted to enroll the MDM profile, click the Continue button.

Screen Shot 2018 03 29 at 7 12 49 PM

8. When prompted to install the Profile Service Enrollment profile, click the Install button.

Screen Shot 2018 03 29 at 7 13 08 PM

9. When prompted to configure your Mac using a certificate, mobile device management and SCEP enrollment, click the Continue button.

Screen Shot 2018 03 29 at 7 13 26 PM

10. When prompted to enroll the MDM profile, click the Install button.

Screen Shot 2018 03 29 at 7 13 41 PM

11. When prompted for admin credentials, provide the username and password of a user with admin credentials.

Screen Shot 2018 03 29 at 7 14 05 PM

The profile will install and should appear as verified.

Screen Shot 2018 03 29 at 7 14 06 PM

Screen Shot 2018 03 29 at 7 14 07 PM

The enrollment page should report that enrollment is complete.

Screen Shot 2018 03 29 at 7 14 08 PM

Enrolling by installing an MDM profile

Pre-requisites

  • macOS 10.13.0 or later

1. Go to https://server.name.here:8443/enroll
2. Enter your username and password, then click the Login button.

Screen Shot 2018 03 29 at 7 08 11 PM

3. Click the Enroll button.

Screen Shot 2018 03 29 at 7 09 15 PM

4. When prompted to enroll the MDM profile, click the Continue button.

Screen Shot 2018 03 31 at 4 53 29 PM

5. When prompted to install the Profile Service Enrollment profile, click the Install button.

Screen Shot 2018 03 31 at 4 53 37 PM

6. When prompted to configure your Mac using a certificate, mobile device management and SCEP enrollment, click the Continue button.

Screen Shot 2018 03 31 at 4 53 55 PM

7. When prompted to enroll the MDM profile, click the Install button.

Screen Shot 2018 03 31 at 4 54 21 PM

8. When prompted for admin credentials, provide the username and password of a user with admin credentials.

Screen Shot 2018 03 29 at 7 14 05 PM

The profile will install and should appear as verified.

Screen Shot 2018 03 29 at 7 14 06 PM

Screen Shot 2018 03 29 at 7 14 07 PM

The enrollment page should report that enrollment is complete.

Screen Shot 2018 03 29 at 7 14 08 PM

  1. piagetblix
    April 27, 2018 at 3:18 pm

    Is there anyway to accept enrollment via ARD?

  2. Sunny
    September 9, 2018 at 2:55 am

    Does this install the jamf binary for running policy?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: