Programmatically determine UAMDM

Originator: clburlison
Number: rdar://35442079
Date Originated: 2017-11-09
Status: Open
Resolved: Fixed 10.13.4b2 17E150f
Product: macOS + SDK
Product Version: 10.13.2b1 17C60c
Classification: Enhancement
Reproducible:

On 10.13.2b1 Apple has introduced the idea of User Accepted MDM (UAMDM) enrollment profiles. These are different from enrollment profiles that have been installed via DEP while at Setup Assistant or via the DEP Nag (notification center) message. System administrators need a method to programmatically determine if a machine is in this UAMDM state.

With 10.13 Apple introduced the `profiles status -type enrollment` option which helps to determine if a machine is enrolled into MDM via a DEP method. With this new UAMDM option we need a third output message.

Current output is:
DEP - An enrollment profile is currently installed on this system
Non-DEP - There is no enrollment profile installed on this system

Suggested output:
DEP - An enrollment profile is currently installed on this system
Non-DEP - There is no enrollment profile installed on this system
UAMDM - An enrollment profile is currently accepted on this system

Realistically, adding a verbose option that gives more details about the status of this enrollment profile would be extremely helpful, e.g.:

MDM Profile installed: True
DEP Enrolled: True
UAMDM Profile accepted: True

Comments

clburlison February 7 2018, 1:40 PM

This has been fixed with 10.13.14 beta2 17E150f

The output is now:

DEP Enrolled
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)

No enrollment profile
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

Installed manually via CLI
Mac:~ vagrant$ sudo profiles install -path enroll.mobileconfig
Password:
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes

Manually approved the manual CLI install via System Preferences
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)

By clburlison at Feb. 7, 2018, 7:41 p.m.
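As an added example (not part of the radar, and not Apple's tooling), the two-line output that `profiles status -type enrollment` prints from 10.13.4b2 onward, as shown in the comment above, can be parsed into the three flags the report asked for; the function names and the constructed sample strings are this example's own.

```shell
#!/bin/sh
# Added example, not from the original radar: turn the 10.13.4 output of
# `profiles status -type enrollment` into the flags the report requested.
# Function names are this example's own, not Apple's.

# Reads the status text on stdin and prints three key/value lines.
enrollment_flags() {
    mdm=False; dep=False; uamdm=False
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*)               dep=True ;;
            "MDM enrollment: Yes (User Approved)"*) mdm=True; uamdm=True ;;
            "MDM enrollment: Yes"*)                 mdm=True ;;
        esac
    done
    printf 'MDM Profile installed: %s\n' "$mdm"
    printf 'DEP Enrolled: %s\n' "$dep"
    printf 'UAMDM Profile accepted: %s\n' "$uamdm"
}

# Collapses the same stdin to one label: dep, uamdm, mdm or none.
# A DEP enrollment is also reported as User Approved, so it is tested first.
enrollment_state() {
    flags=$(enrollment_flags)
    case "$flags" in
        *"DEP Enrolled: True"*)           echo dep ;;
        *"UAMDM Profile accepted: True"*) echo uamdm ;;
        *"MDM Profile installed: True"*)  echo mdm ;;
        *)                                echo none ;;
    esac
}

# Constructed samples: the four cases shown in the comment above.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_MDM='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, inspect the live machine; elsewhere fall back to a sample.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | enrollment_flags
else
    printf '%s\n' "$SAMPLE_UAMDM" | enrollment_flags
fi
```

The parser only understands the 10.13.4b2 format; on 10.13.2/10.13.3 the single-sentence messages listed in the report body would fall through to "none", so check the OS build before trusting the result.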

clburlison

Hi, I've just updated a test machine and can confirm that changes were made, but they don't solve the issues I'm describing.

Issue 1) profiles status -type enrollment still doesn't properly show if a device has UAMDM when approved via System Preferences.

Issue 2) profiles status -type enrollment should show output when an enrollment profile is installed. You can test this by doing profiles install -path enroll.mobileconfig and then checking the status, at which point you will get the following incorrect output: "There is no enrollment profile installed on this system".

Since this data is already being sent to the MDM server in the 'SecurityInfo' request, maybe it would be easier to get this data to output with the mdmclient command via /usr/libexec/mdmclient QuerySecurityInfo. Currently other arguments like QueryDeviceInformation and QueryNetworkInformation work, so it would make sense for the SecurityInfo payload to be available as well. If that works we would then have access to the ManagementStatus dictionary, which gives my employer the information they need so we can properly report on device data.

Reference: https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/3-MDM_Protocol/MDM_Protocol.html#//apple_ref/doc/uid/TP40017387-CH3-SW19

By clburlison at Jan. 26, 2018, 5:21 p.m.

Apple Developer Relations

We believe this issue has been resolved in the latest macOS 10.13.4 beta.

Please test with the latest beta. If you still have issues, please update your bug report with any relevant logs or information that could help us investigate.

By clburlison at Jan. 26, 2018, 5:21 p.m.

Apple Developer Relations November 28 2017, 1:21 PM

A solution is under investigation. We will follow up with you again when it is available.

By clburlison at Dec. 8, 2017, 6:28 p.m.
