Detecting user approved MDM using the profiles command line tool on macOS 10.13.4

March 30, 2018 2 comments

Starting in macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges, beyond what is allowed for macOS MDM enrollments which have not been “user approved”. As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a white list for third-party kernel extensions. However, I would anticipate that this list will grow over time.

Starting in macOS 10.13.4, you can use the profiles command line tool to determine whether a machine is enrolled in an MDM, and whether user-approved MDM is enabled. To do this, run the command shown below:

profiles status -type enrollment

Depending on your MDM enrollment status, you may see one of the following statuses shown below:

No MDM enrollment

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
computername:~ username$

MDM enrolled, without user-approved MDM enabled

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes
computername:~ username$

MDM enrolled, with user-approved MDM enabled

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
computername:~ username$

DEP Enrolled

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
computername:~ username$

Note: If your Mac is enrolled in Apple’s Device Enrollment Program (DEP), it automatically gets user-approved MDM.
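
The four cases above can be told apart by parsing the two status lines. The following is an added example, not the script mentioned below; the function names and the state labels it prints are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: classify the output of `profiles status -type enrollment`
# (macOS 10.13.4 and later). Function names and state labels are assumptions.

# Reads the command's output on stdin and prints one of:
#   not_enrolled | mdm_unapproved | mdm_user_approved | dep_user_approved | unknown
classify_enrollment() {
    local line dep mdm
    dep=""; mdm=""
    # Prompt lines and anything else that is not a status line are ignored.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Enrolled via DEP:"*) dep="${line#*: }" ;;
            "MDM enrollment:"*)   mdm="${line#*: }" ;;
        esac
    done
    # Trim trailing whitespace (including a stray carriage return).
    dep="${dep%"${dep##*[![:space:]]}"}"
    mdm="${mdm%"${mdm##*[![:space:]]}"}"
    case "$mdm" in
        "No")  echo "not_enrolled" ;;
        "Yes") echo "mdm_unapproved" ;;
        "Yes (User Approved)")
            if [ "$dep" = "Yes" ]; then echo "dep_user_approved"
            else echo "mdm_user_approved"; fi ;;
        *) echo "unknown" ;;  # missing or unexpected output, e.g. an older macOS
    esac
}

# On a Mac: run the real command, print the state, and return 0 only when
# user-approved MDM is in effect (suitable for a compliance check).
uamdm_status() {
    local state
    state="$(/usr/bin/profiles status -type enrollment 2>/dev/null | classify_enrollment)"
    echo "$state"
    case "$state" in
        mdm_user_approved|dep_user_approved) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the "DEP Enrolled" sample output shown above.
sample='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
printf '%s\n' "$sample" | classify_enrollment
```

Treating `unknown` as a failure keeps a Mac that returns no recognizable status from being reported as user approved.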

To help detect if a particular Mac has user-approved MDM enabled, I’ve written a script. For more details, please see below the jump.


New automated restart option added to macOS 10.13.4’s softwareupdate command line tool

March 29, 2018 2 comments

With the release of macOS 10.13.4, Apple has added a new option to the softwareupdate command line tool. As part of the installation options, softwareupdate now includes the option to automatically restart or shut down (as appropriate) following the installation of updates that need a restart or shutdown to complete properly.

-R | --restart		Automatically restart (or shut down) if required to complete installation.


As an example, to use the new option to restart if needed after installing all available updates, please run the command shown below with root privileges:

softwareupdate --install --all --restart

In the event that no updates require a restart or shutdown, the Mac is not restarted.


Categories: Mac administration, macOS

Session videos available from MacAD UK Conference 2018

March 29, 2018 1 comment

A number of session videos (including mine) have been posted from MacAD UK 2018. For those interested, the videos are available on YouTube via the link below:

https://www.youtube.com/playlist?list=PLe6gxSMzV0S_puM4DliqV0JD4pwlGgO1m

For convenience, I’ve linked my session here.

Cancelling an unwanted FileVault deferred enablement

March 12, 2018 Leave a comment

There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.

However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.


Using installinstallmacos.py to download macOS High Sierra installers

February 27, 2018 1 comment

Starting with macOS Sierra, Apple moved the macOS Installer applications from being exclusively an App Store download to now being included in the regular Software Update catalogs. This means that it’s possible to download macOS installers, including those for macOS betas or hardware-specific macOS builds, using the command-line softwareupdate tool.

To assist with this task, Greg Neagle has written a Python script named installinstallmacos.py. installinstallmacos.py is designed to do the following:

1. Parse a specified Software Update feed.
2. Identify the listed products which appear to be macOS installers.
3. Display a menu of the available choices.

Once you’ve selected from the available options, the script does the following:

4. Creates a disk image and names it with the appropriate information for the specified macOS installer.
5. Mounts the disk image.
6. Downloads all the relevant packages from the Software Update feed for the specified macOS installer.
7. Installs the packages onto the disk image.
8. Unmounts the disk image.
9. Stores the disk image in the current working directory (this is likely going to be the logged-in user’s home folder).

For more details, please see below the jump.


Slides from the “Managing FileVault 2 on macOS High Sierra” Session at MacAD UK 2018 Conference

February 21, 2018 4 comments

For those who wanted a copy of my FileVault 2 management talk at MacAD UK 2018, here are links to the slides in PDF and Keynote format.

PDF – http://tinyurl.com/MacADUK2018pdf

Keynote – http://tinyurl.com/MacADUK2018key

Hat tip to the attendee who brought to my attention that fdesetup sync is not supported on encrypted APFS boot drives. I’ve now updated the slides to reflect that it works on macOS High Sierra for HFS+ drives only.

[Screenshots: HFS+ and APFS]

Backing up the contents of an AWS-hosted Jamf Pro cloud distribution point to a local directory

February 15, 2018 Leave a comment

As part of removing unused packages from a Jamf Pro cloud distribution point using @shea_craig’s Spruce tool, I needed to first make a backup of the contents of the cloud distribution point to a local directory on my Mac. That way, in case I had made an error and deleted the wrong installer package, I had a copy of the package readily available and could re-add the package back to my Jamf Pro server.

The cloud distribution point in question is hosted out in Amazon Web Services’ (AWS) S3 service, so I decided to use AWS’s awscli command line tool’s S3 functions to run a one-way synchronization process between the cloud distribution point in S3 and my local directory. For more details, please see below the jump.

