Managing User Approved MDM with Jamf Pro

Updated: 01 July 2021

Product: Jamf Pro

This article includes information on User Approved MDM management in Jamf Pro. User Approved MDM is required for certain performance and security enhancements, like managing certain payload settings in configuration profiles. For more information about the payloads that require User Approved MDM, see User-approved MDM payloads from Apple's support website.

General Requirements

Computers with macOS 10.13.2 or later

Methods to Achieve a User Approved MDM Status

There are a number of ways in which a computer can achieve a User Approved MDM status in Jamf Pro:


Enrollment Type	Description
Enrollment via DEP	Enrollment via DEP using a PreStage enrollment is one of the methods which results in a User Approved MDM status. For detailed information on computer PreStage enrollments, see Computer PreStage Enrollments in the Jamf Pro Administrator's Guide.
User-initiated enrollment with an MDM profile	User-initiated enrollment with an MDM profile is one of the methods which results in a User Approved MDM status. During the user-initiated enrollment process, the user will be prompted to download and install a CA certificate (`CA Certificate.mobileconfig`) and then an MDM profile (`enrollmentProfile.mobileconfig`). Users must manually return to the enrollment portal webpage after CA certification installation to install the MDM profile and complete the enrollment process. Note: In environments with a trusted third-party signed SSL certificate in Jamf Pro, such as Jamf Cloud, administrators may choose to skip the installation of the CA certificate and only require the installation of the MDM profile. To allow the CA certificate installation to be skipped, navigate to Settings > Global Management > User-Initiated Enrollment and select the Skip certificate installation during enrollment checkbox. For detailed information on Computer PreStage enrollments and the user-initiated enrollment experience, see User-Initiated Enrollment for Computers and User-Initiated Enrollment Experience for Computers in the Jamf Pro Administrator's Guide.
Enrollment in MDM prior to being upgraded to macOS 10.13.4	A computer with macOS that was enrolled in MDM prior to being upgraded to macOS 10.13.4 or later will retain the User Approved MDM status after the upgrade.

In addition, if a computer was enrolled without the User Approved MDM option, you can change the existing enrollment to a User Approved MDM status.

To approve an existing enrollment for an eligible computer, navigate to System Preferences > Profiles. Select the enrollment profile under Device Profiles, click the Approve button, and follow the prompts.

Notifying Users in Self Service and in Notification Center

As of Jamf Pro 10.4.0, you can choose to notify users in Self Service and in Notification Center that they must approve your organization's MDM profile.

Note:

This feature is enabled by default. However, the Notification Center notifications will not be sent unless Self Service Notifications are enabled and a valid proxy server token is uploaded to Jamf Pro. For more information, see Jamf Self Service for macOS Configuration Settings in the Jamf Pro Administrator's Guide.

To access this feature in Jamf Pro, navigate to the Self Service for macOS Configuration settings and select the Enable User Approved MDM Profile Notification checkbox. Users with eligible computers are notified via a pop-up dialog when they launch Self Service and via a Notification Center notification that is automatically sent once per week or after Tomcat is restarted.

Note:

After the user clicks Open System Preferences and navigates back to Self Service, the SecurityInfo command is queued in Jamf Pro.

Note:

The Self Service pop-up dialog may continue to display for up to five minutes after the MDM profile is approved.

Reporting Capabilities in Jamf Pro

Jamf Pro stores detailed inventory information for each computer. You can view status of the User Approved MDM attribute in the General category of a computer's inventory information. This information is collected and displayed for macOS 10.13.2 or later only.

A computer will be reported as "Yes" for User Approved MDM during inventory collection if it is enrolled via DEP or with user-initiated enrollment with an MDM profile, is enrolled in MDM prior to being upgraded to macOS 10.13.4, or manually approved in System Preferences > Profiles.

To display the User Approved MDM attribute field in inventory, navigate to Settings > Computer Management > Inventory Display and select the User Approved MDM checkbox.

You can also use an advanced computer search and a smart computer group to report on the User Approved MDM status.

Note:

When you view the results of an advanced search or a smart group, the inventory information returns "Unsupported OS Version" for computers with macOS 10.13.1 or earlier.

Jamf Pro Handling of Profiles that Require User Approved MDM

As of version 10.6.0, Jamf Pro includes "install or queue for retry" logic to handle configuration profile payloads that require User Approved MDM enrollment for installation. When attempting to install a profile that requires User Approved MDM, if an eligible computer does not have a User Approved MDM status, the profile stays queued and automatically attempts to re-install when the computer meets the User Approved MDM status.

Troubleshooting

If an eligible computer does not have a User Approved MDM status, you can approve it by navigating to System Preferences > Profiles, choosing the enrollment profile, and clicking the Approve button.