With macOS 10.13.2, Apple introduced the concept of User Approved MDM enrollment. User Approved MDM grants MDM software additional privileges beyond what is allowed for macOS MDM enrollments that have not been "user approved".
There are a number of ways in which a macOS computer can achieve a User Approved MDM status:
The device is enrolled using automated device enrollment (formerly DEP).
The enrollment is completed interactively, by the user on the device.
Note: Using automation or attempting to enroll a device remotely via Screen Sharing does not qualify as an interactive enrollment and will not result in User Approved enrollment.
As a migration path, Apple has provided an exception to this rule. Devices upgraded to 10.13.2 that are enrolled with an MDM before upgrading will be considered user approved.
If your macOS computer was enrolled in MDM without the User Approved option, you can approve your existing enrollment to manage security-sensitive settings:
Open System Preferences > Profiles, and select your enrollment profile that has a badge .
Click the Approve button on the right and follow the prompts.