I ran across this the other day myself. We have a couple of headless Mac Minis that I was updating the client and profiles on and I cannot approve the profiles from Meraki on them. I was at a recent Apple Education meeting where they mentioned this new "feature." I didn't think anything of it at the time but now I will likely be opening up a case with Apple to see how best to handle this without going to each individual location where I have caching servers deployed and clicking at the machine to allow the correct profiles to be installed.
We have also run into this, a real pain. The few Macs we have (marketing uses them) are enrolled with a pkg I made that installs the MDM profile, Meraki Agent, and a local management account. None of them were hitting Meraki or installing any programs - ended up being this stupid click to approve. It even does it with profiles installed by root.
Very stupid; clearly they are pushing DEP. While I am a fan of it for our mobile fleet, it is a pain for computers because you have to trigger everything to install from your MDM provider.
I know the startosinstall option for the High Sierra installer has some awesome new features to allow for packages to be installed when doing a wipe with the command. The biggest caveat is that the devices need to be running High Sierra to begin with. I believe from the meeting that the packages installed for MDM this way will behave correctly for the approval process. I have not tested this out yet but here is some more documentation on using the command.
Yes, Apple did enable User Approved Kernel Extensions and User Approved MDM profile enrollment in the latest 10.13.4 release.
The 2 solutions are:
1) Enroll your devices in the DEP program (great for future purchases, and the retroactive DEP enrollment on currently deployed devices will assist in the future if that Mac is wiped & re-issued to another user)
2) Enroll your Mac devices using the "standard" Meraki enrollment process of downloading the profile and having an admin (or the user) accept the Meraki enrollment agreement before installing.
This is to cut down on malicious profiles being installed from unknown sources by requiring a known good source (DEP) or an explicit user-approved/user-enabled install. The only true automated action supported by Apple is DEP, so creating your own custom pkg to install the profile will no longer work (even if the pkg has a valid cert).
In regards to this feature, you cannot approve it without being in front of the machine. The OS won't allow remote software to approve any profiles; it will only allow connected mice and keyboard to click the approve button.
Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
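For finding which Macs still need someone at the console, here is an added example (not code from any poster in this thread) that classifies the output of `profiles status -type enrollment`, a command available from macOS 10.13.4. The state names it prints and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment state from the text printed
# by `profiles status -type enrollment` (macOS 10.13.4 and later).
# Prints one of these (hypothetical labels chosen for this example):
#   dep             enrolled through DEP
#   user-approved   enrolled manually and approved at the console
#   needs-approval  enrolled, but nobody has clicked Approve yet
#   not-enrolled    no MDM enrollment
#   unknown         output not recognised (for example macOS before 10.13.4)
classify_enrollment() {
    dep=""
    mdm=""
    # Read stdin line by line; also accept a last line with no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Enrolled via DEP:"*) dep=${line#*: } ;;
            "MDM enrollment:"*)   mdm=${line#*: } ;;
        esac
    done
    case "$mdm" in
        "")   echo unknown ;;
        No*)  echo not-enrolled ;;
        Yes*)
            case "$dep" in Yes*) echo dep; return 0 ;; esac
            case "$mdm" in
                *"User Approved"*) echo user-approved ;;
                *)                 echo needs-approval ;;
            esac ;;
        *)    echo unknown ;;
    esac
}

# Constructed sample outputs, so the classifier can be exercised off-Mac.
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a real Mac, report the live state; elsewhere this step is skipped.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null | classify_enrollment
fi
```

Run over SSH or from an existing management tool, a `needs-approval` result identifies the headless machines that still require a visit.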