MDM-Enabled Local User Accounts
User accounts on computers can be MDM-enabled (formerly MDM-capable) to allow an MDM solution to manage certain user-specific management settings. You need MDM-enabled users to do the following:
Deploy user-level configuration profiles.
Receive the EDU profile via the user channel for managed classes. For more information, see Classes.
In most Jamf Pro enrollment scenarios, the primary user account is enabled for MDM when an MDM profile is installed and the computer is enrolled. User accounts on a computer are considered MDM-enabled in Jamf Pro if they are listed in the MDM Capable Users criteria in the computer inventory record.
When the primary user on the computer is not MDM-enabled, administrators can modify which
user is MDM-enabled after computer enrollment using the jamf agent. The jamf agent can
interact with the profiles binary to re-enroll the MDM profile to enable
the primary user. This modification method is not possible in the following scenarios:
The MDM profile was set to be non-removable by deselecting the Allow MDM Profile Removal checkbox in the computer PreStage Enrollment settings.
The computer has macOS 11 or later. Computers with macOS 11 or later cannot silently install or reinstall MDM profiles using the
profilesbinary.
To enable a different user account for MDM on computers enrolled using these methods, a full unenroll and re-enroll with Jamf Pro is required.
Enrollment Methods that Enable MDM for Users
The following table explains several methods that enable a user for MDM in Jamf Pro:
Method | OS Requirement | Description |
|---|---|---|
Computer PreStage enrollment | N/A | When enrolling a computer via a PreStage enrollment using Automated Device Enrollment (formerly DEP), users created during the Setup Assistant will be MDM-enabled. The local user account will not be MDM-enabled if at least one of the following is true:
|
User-initiated enrollment | N/A | By default, the logged-in user on the computer will be MDM-enabled after enrollment. |
Agent-based enrollment with a QuickAdd.pkg or the Jamf management framework | macOS 10.15.7 or earlier | The logged-in user will be MDM-enabled. |
User-level configuration profile installation through Self Service for macOS | macOS 10.15.7 or earlier | Self Service will attempt to enable the logged-in user for MDM if the user is not already MDM-enabled and the computer has a removable MDM profile. |
Network and mobile user accounts are MDM-enabled by default in Jamf Pro, no matter the enrollment method that was used.
For computers with macOS 10.12 or later, only one local user account can be MDM-enabled on a computer at a time. If a second local user account becomes MDM-enabled on the computer, the first local user account will no longer be MDM-enabled.
MDM-Enabled User Modification
If you want to enable a different local user account for MDM, you can execute the following command to enable MDM for the currently logged-in user on computers with macOS 10.15.7 or earlier and a removable MDM profile:
sudo jamf mdm -userLevelMdmFor computers with macOS 10.13.2–10.15.7, this command will set the User Approved MDM status to “No” in the Jamf Pro inventory record. To re-enable User Approved MDM status, see the Managing User Approved MDM with Jamf Pro article. If you use this command as a part of existing workflows, you should evaluate the impact of these changes.
To change the MDM-enabled user on a computer with macOS 11 or later, you must completely unenroll and then re-enroll the computer in Jamf Pro by doing one of the following:
- Computers with a removable MDM profile—
Execute the
sudo jamf removeframeworkcommand. After the computer is unenrolled, you can re-enroll it using a PreStage enrollment or user-initiated enrollment. - Computers with an unremovable MDM profile—
Execute the
sudo jamf removeframeworkcommand and then send the Remove MDM Profile remote command using Jamf Pro. After the computer is unenrolled, you can re-enroll it using a PreStage enrollment or user-initiated enrollment.