What is User Approved MDM (UAMDM)?

By Jesse Endahl

User Approved MDM (UAMDM) is a new concept initially introduced by Apple in macOS 10.13.2. It requires real human interaction in order to enroll a device in MDM with full management capabilities. This means scripting MDM enrollment silently in the background is no longer an option—doing so will result in limited management capabilities.

Apple has gone to great lengths to prevent automating the approval process—even preventing clicks via Apple Remote Desktop screen sharing.

Since the introduction of UAMDM, the user must click “Install” themselves during installation.

If background installation is attempted via script, management functionality will be limited until the user manually approves. The manual approval process is as follows:

  1. Open System Preferences
  2. Click on Profiles
  3. Select the MDM enrollment config in the list
  4. Click “Allow” (see screenshot #1)
  5. Click “Allow” again (see screenshot #2)

Screenshot #1

Screenshot #2

What are the benefits of UAMDM?

Apple has placed certain things deemed sensitive for security or privacy “behind the line” of UAMDM.

Specifically, the following Configuration Profiles are only respected by macOS when they are installed through a User Approved MDM server:

  • Kernel Extension Policy
    Payload type: com.apple.syspolicy.kernel-extension-policy
  • Privacy Preferences Policy Control (PPPC) Payload, which configures Transparency, Consent, and Control (TCC)
    Payload type: com.apple.TCC.configuration-profile-policy

Notably, in these cases the .mobileconfig must actually be delivered via MDM. Attempting to install these Payload Types any other way (such as via a bash script) will fail and they will have no effect on the target system.

Apple has hinted that there will be more things added to the list in future macOS releases.

How does UAMDM relate to supervised mode?

UAMDM is an entirely separate concept from supervised mode. Unlike on iOS, supervised mode on macOS does not grant any special management abilities. Furthermore, UAMDM does not exist as a concept on iOS.

How does UAMDM relate to DEP?

Devices enrolled through DEP are automatically treated as being enrolled in User Approved MDM with no further set-up required. This is the only way to get UAMDM without requiring the extra approval step.

Is there a cross-platform term that means “full management capabilities” on macOS and iOS?

Unfortunately there is not, so we coined our own for making this distinction in Fleetsmith. We use the terms “Fully Managed” and “Partially Managed”.

On macOS, a device can gain full management capabilities as long as it’s considered “User Approved”, which can be achieved one of two ways:

  1. Automatic enrollment into MDM via DEP. DEP enrollment automatically grants the device “UAMDM” status.
  2. Manual enrollment into MDM by the user, through the UI. This also grants the device “UAMDM” status.

On iOS, a device can gain full management two ways as well, but the criteria are different than on macOS—the device must be both MDM enrolled and also “supervised”. This can also be achieved one of two ways:

  1. Automatic enrollment into MDM via DEP, with supervision enabled automatically by Fleetsmith (only possible for DEP devices).
  2. Manual enrollment into MDM via Configurator, with supervision enabled manually within Configurator.

My fleet is running macOS versions lower than 10.13.4. Can I script MDM enrollment and then gain “grandfathered” UAMDM status upon upgrade?

Yes! All MDM enrollments completed prior to upgrading to macOS 10.13.4 are automatically converted to User Approved Enrollments.

How do I check if a macOS device is Fully Managed?

macOS (command line): profiles status -type enrollment

Rich Trouton did a great job summarizing the 4 different states that can be returned for this. I will reproduce it here:

No enrollment

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
computername:~ username$

MDM enrollment (limited management capabilities)

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes
computername:~ username$

UAMDM enrollment (full management capabilities)

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
computername:~ username$

DEP Enrollment (automatically grants UAMDM status / full management capabilities)

computername:~ username$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
computername:~ username$
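As an added example (not part of the original post), the following script maps the four outputs above onto named states and flags any device that is not Fully Managed. The classifier reads the command output from stdin, so it can be checked offline against constructed samples and also run against the live profiles command on a Mac; the state names are my own, not Apple's or Fleetsmith's.

```shell
#!/bin/sh
# Added example, not from the original post: classify a Mac's enrollment
# state from the four `profiles status -type enrollment` outputs the
# article reproduces, and flag devices that are not Fully Managed.
# The classifier reads command output from stdin so it can be exercised
# offline with constructed samples (below) as well as on a real Mac.

classify_enrollment() {
  dep=no; mdm=no; uamdm=no
  while IFS= read -r line; do
    case "$line" in
      "Enrolled via DEP: Yes"*)                 dep=yes ;;
      "MDM enrollment: Yes (User Approved)"*)   mdm=yes; uamdm=yes ;;
      "MDM enrollment: Yes"*)                   mdm=yes ;;
    esac
  done
  # Map the flags onto the article's four states (state names are assumed).
  if   [ "$dep" = yes ] && [ "$uamdm" = yes ]; then echo DEP_UAMDM
  elif [ "$uamdm" = yes ];                     then echo UAMDM
  elif [ "$mdm" = yes ];                       then echo MDM_LIMITED
  else                                              echo NONE
  fi
}

# Exit 0 only for the two states that carry full management capabilities.
is_fully_managed() {
  case "$1" in
    DEP_UAMDM|UAMDM) return 0 ;;
    *)               return 1 ;;
  esac
}

# Constructed sample: the "limited management" output from the article.
SAMPLE_LIMITED='Enrolled via DEP: No
MDM enrollment: Yes'

state=$(printf '%s\n' "$SAMPLE_LIMITED" | classify_enrollment)
if is_fully_managed "$state"; then
  echo "sample: $state (fully managed)"
else
  echo "sample: $state (NOT fully managed; user must approve the profile)"
fi

# On a real Mac, run the same check against the live command.
if command -v profiles >/dev/null 2>&1; then
  live=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
  echo "this device: $live"
fi
```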

macOS (UI):

Verify that the MDM enrollment profile shows no yellow warning badge with the text “Functionality may be limited until this profile is approved.”

How does this affect Fleetsmith?

We’ve tried to make it as clear as possible by explaining these concepts within the product. We use the terms “Fully” vs. “Partially” managed to differentiate the functionality achieved via various enrollment methods. For a more in-depth explanation, see our Help Center article titled “What is Full Management, and what are the benefits?”

How do I make sure my fleet is fully managed?

We’ve made it easy to tell which devices in your fleet are partially managed. See our Help Center article titled “How do I get my fleet from Partially Managed to Fully Managed?” for instructions.

Does Fleetsmith support whitelisting kernel extensions and TCC?

Yes, in fact we do automatic, “just in time” whitelisting for all apps you manage in the catalog, on a per-device basis. On my own MacBook Pro, Fleetsmith is managing Dropbox, Zoom, Google Santa, iTerm, Sonos, and HP printer drivers and config. And Fleetsmith is automatically whitelisting the kernel extensions and privacy policy config for all of them. See screenshots.

Automatic kernel extension whitelisting

Automatic TCC whitelisting
