macOS High Sierra 10.13.4 adds "Click Approve"

felixfx2

Recently Apple sent a new update that changed something on most of my endpoints, and it seems users have to "approve" profiles sent down from MDM.

My current deployment of Meraki MDM is almost zero touch for my guys... and this adds more undesired human action which I am trying to avoid.

Anyone facing the same issue?

https://support.apple.com/en-us/HT208488

Dylan_YYC

Yes, it's a new thing Apple rolled out with 10.13, I think. I'm a JAMF admin, and for user-enrolled machines, even if they are corporate owned, this is a "feature not a bug".

vassallon

I ran across this the other day myself. We have a couple of headless Mac Minis that I was updating the client and profiles on and I cannot approve the profiles from Meraki on them. I was at a recent Apple Education meeting where they mentioned this new "feature." I didn't think anything of it at the time but now I will likely be opening up a case with Apple to see how best to handle this without going to each individual location where I have caching servers deployed and clicking at the machine to allow the correct profiles to be installed.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
jared_f

We have also run into this, a real pain. The few Macs we have (marketing uses them) are enrolled with a pkg I made that installs the MDM profile, Meraki Agent, and a local management account. None of them were hitting Meraki or installing any programs; it ended up being this stupid click to approve. It even does it with profiles installed by root.

Very stupid; clearly they are pushing DEP. While I am a fan of it for our mobile fleet, it is a pain for computers because you have to trigger everything to install from your MDM provider.

Find this helpful? Click the kudos button. Thanks!
vassallon

I know the startosinstall option for the High Sierra installer has some awesome new features to allow for packages to be installed when doing a wipe with the command. The biggest caveat is that the devices need to be running High Sierra to begin with. I believe from the meeting that the packages installed for MDM this way will behave correctly for the approval process. I have not tested this out yet, but here is some more documentation on using the command.

https://scriptingosx.com/2017/10/imaging-is-dead/

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
sshort

Yes, Apple did enable User Approved Kernel Extensions and User Approved MDM profile enrollment in the latest 10.13.4 release.

The two solutions are:

1) Enroll your devices in the DEP program (great for future purchases, and the retroactive DEP enrollment on currently deployed devices will assist in the future if that Mac is wiped and re-issued to another user).

2) Enroll your Mac devices using the "standard" Meraki enrollment process of downloading the profile and having an admin (or the user) accept the Meraki enrollment agreement before installing.

This is to cut down on malicious profiles being installed from unknown sources by requiring a known good source (DEP) or an explicit user-approved/user-enabled install. The only truly automated action supported by Apple is DEP, so creating your own custom pkg to install the profile will no longer work (even if the pkg has a valid cert).
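For admins who want to audit which Macs in a fleet are still waiting on that click, here is an added shell example (not code from this thread, from Meraki, or from Apple). It parses the output of `profiles status -type enrollment`, which macOS 10.13.4 and later print, and classifies the Mac as DEP-enrolled, user approved, enrolled but not yet approved, or not enrolled. The two-line output format and the sample outputs embedded below are assumptions and constructed data; the real command is only invoked when `profiles` exists on the host.

```shell
#!/bin/sh
# Added example: audit User Approved MDM (UAMDM) state from the output of
# `profiles status -type enrollment` (macOS 10.13.4+). Output format assumed:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | Yes | No

# classify_enrollment: reads the command output on stdin and prints exactly one of
#   dep | user-approved | unapproved | not-enrolled
classify_enrollment() {
    dep=no; mdm=no; approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*)                dep=yes ;;
            "MDM enrollment: Yes (User Approved)"*)  mdm=yes; approved=yes ;;
            "MDM enrollment: Yes"*)                  mdm=yes ;;
        esac
    done
    if [ "$dep" = yes ]; then
        echo dep                      # trusted source, no click required
    elif [ "$mdm" = yes ] && [ "$approved" = yes ]; then
        echo user-approved            # someone already clicked Approve
    elif [ "$mdm" = yes ]; then
        echo unapproved               # profile present but MDM is still restricted
    else
        echo not-enrolled
    fi
}

# needs_attention: succeeds (exit 0) when a human still has to act on this Mac,
# fails (exit 1) when MDM is fully trusted via DEP or an existing approval.
needs_attention() {
    case "$(classify_enrollment)" in
        dep|user-approved) return 1 ;;
        *)                 return 0 ;;
    esac
}

# audit_local: run the real command on a Mac; on other systems report and exit 2.
audit_local() {
    if command -v profiles >/dev/null 2>&1; then
        profiles status -type enrollment 2>/dev/null | classify_enrollment
    else
        echo "profiles(1) not found; this is not macOS 10.13.4 or later" >&2
        return 2
    fi
}

# Constructed sample outputs (not captured from a real machine), for offline use.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# demo: show the classifier on the constructed samples (call manually).
demo() {
    for s in "$SAMPLE_APPROVED" "$SAMPLE_UNAPPROVED" "$SAMPLE_DEP" "$SAMPLE_NONE"; do
        printf '%s -> ' "$(printf '%s' "$s" | tr '\n' '|')"
        printf '%s\n' "$s" | classify_enrollment
    done
}
```

Run `audit_local` on each Mac (for example from a management script that already has root) and collect the one-word result; any host reporting `unapproved` is one where the Meraki profile landed but MDM is still restricted until somebody clicks Approve at the console.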

sshort

@felixfx2 @jared_f It appears a brave soul has released a workaround for Mac clients that need profiles to be manually approved under the new User Approved MDM policy:

https://github.com/jbaker10/Remotely-Approving-UAMDM

vassallon

@sshort That worked like a champ to get the profile approved on a headless Mac Mini caching server we have here.

Thank you very much.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

In regards to this feature, you cannot approve it without being in front of the machine. The OS won't allow remote software to approve any profiles; it will only allow connected mice and keyboards to click the approve button.
