/usr/libexec/mdmclient should be able to enroll into DEP mdm

Number: rdar://35295502 | Date Originated: November 1 2017
Status: Open | Resolved:
Product: macOS + SDK | Product Version:
Classification: | Reproducible:
Something not on this list

macOS 10.13.2 is about to hit with user-approved MDM. We don't manage our Macs with MDM today, but instead we use root agents. We've got many thousands of Macs deployed today, and most of them are in our DEP portal.

Our options to get into MDM in the current state aren't great. We can rush MDM out the door and get grandfathered on 10.13.1 and lower, or bother users with `/usr/libexec/mdmclient dep nag`. The nag option just pops up an ignorable notification, and the option for grandfathered enrollment is going to disappear soon.

There's frankly no way for us to comprehensively enroll our thousands of already-deployed Macs globally into MDM in a sane way right now. We don't know when 10.13.2 is actually going to ship.

While getting non-DEP Macs into DEP is a separate issue, we do have the vast majority of our Macs in there already. We just need a way to enroll them as root, in an automated fashion. I support the direction of UAKEL and UAMDM, but for these Macs which we need to get enrolled and have a verifiable ownership through DEP, we believe that we should be able to force them to enroll into the MDM to which they are assigned in DEP.

I don't want to use enrollment profiles, I just want an enhancement to `/usr/libexec/mdmclient dep nag` to be able to actually enroll the device in the background, with no user interaction. Call it `/usr/libexec/mdmclient dep enroll`. This would make our lives so much easier, especially long term, and shouldn't impose an additional security risk as root wouldn't be able to enroll a Mac into some rogue MDM, but just to the one it is supposed to be in.

