
[Deep Dive] User Approved MDM in macOS High Sierra

The release of macOS High Sierra 10.13.2 introduces User Approved Mobile Device Management (MDM) enrollment. This enrollment flow requires the end-user to approve device enrollment before an administrator can manage its security-sensitive settings.

To qualify as a user-approved enrollment type, the MDM profile must be installed in one of the following ways.

  • User-Initiated Profile Installation – Performed through the profiles preference panel, this method ensures the user agrees to management and approves the particular system performing the management. However, this method prevents automated installation of the MDM enrollment profile through scripting, remote screen sharing, or other methods.
  • DEP Enrollment – As a corporate-owned enrollment flow, DEP enrollment is considered user-approved.
  • Automated Enrollment with Manual Approval – This method uses automation to install the MDM enrollment profile. Post-enrollment, the user navigates to the profiles preference panel to manually approve the enrollment profile.

    Figure 1: Non-User Approved MDM Enrollment Pending User Approval
  • Pre-Upgrade Enrollment – Devices that enrolled in MDM before upgrading to macOS 10.13.2 are categorized as User Approved MDM by default. However, once unenrolled or wiped, these devices must reenroll using one of the three previously mentioned flows to be user-approved.

User Approved MDM with VMware AirWatch

VMware AirWatch supports all current mechanisms for User Approved MDM enrollment. However, strongly consider implementing Apple DEP as the primary enrollment mechanism for User Approved MDM on macOS. If DEP is not an option right now, use the Web enrollment flow.

The VMware AirWatch Agent for macOS version 2.4.3 and later fully supports User Approved MDM. However, for VMware AirWatch Agent 2.4.2 or earlier, the enrollment process is not user-approved. In these cases, the user must additionally approve the enrollment profile in the profiles preference panel.

Additional Considerations for User Approved MDM

Currently, User Approved MDM is a requirement for one macOS profile payload. This payload, the Kernel Extension Policy, manages user-approved kernel extension loading.

If you are unfamiliar with kernel extensions (KEXTs), you might be installing or using them unknowingly, especially if you install hardware drivers or software for security and compliance, audio/video, or virtualization.

Without the Kernel Extension Policy payload in place, administrators must rely on end-users to manually approve KEXT loading. Many would argue this is a recipe for overburdened help desks, late nights, and angry bosses!
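
Because the Kernel Extension Policy payload depends on User Approved MDM, it helps to confirm each Mac's approval state before deploying it. The shell function below is an added example, not VMware or Apple code: it classifies the text printed by `profiles status -type enrollment`, assuming the two-line format reported on macOS 10.13.4 and later. The sample outputs and the state names (`user-approved`, `pending-user-approval`, and so on) are constructed for illustration.

```shell
#!/bin/sh
# Classify MDM enrollment state from the output of:
#   profiles status -type enrollment
# Assumed format (macOS 10.13.4 and later):
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)

classify_enrollment() {
    # $1 = full text of the command output
    mdm=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*MDM enrollment:[[:space:]]*//p')
    dep=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Enrolled via DEP:[[:space:]]*//p')

    case $mdm in
        'Yes (User Approved)'*)
            # Approved: Kernel Extension Policy payloads can be managed.
            case $dep in
                Yes*) echo user-approved-dep ;;
                *)    echo user-approved ;;
            esac ;;
        Yes*) echo pending-user-approval ;;  # enrolled, not yet approved
        No*)  echo not-enrolled ;;
        *)    echo unknown ;;                # older macOS or unexpected text
    esac
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

for sample in "$SAMPLE_APPROVED" "$SAMPLE_DEP" "$SAMPLE_PENDING" "$SAMPLE_NONE"; do
    classify_enrollment "$sample"
done

# On a managed Mac, classify the live state instead of the samples.
if command -v profiles >/dev/null 2>&1; then
    classify_enrollment "$(profiles status -type enrollment 2>&1)"
fi
```

A result of `pending-user-approval` corresponds to the state in Figure 1, where the user still has to approve the enrollment profile in the profiles preference panel.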

[Learn More: macOS High Sierra User-Approved Kernel Extension Loading]
