What is User Approved MDM Enrollment?

in Explained on November 1, 2017

User Approved MDM

With macOS High Sierra 10.13.2, Apple introduces the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) software additional privileges beyond what is allowed for macOS MDM enrollments that have not been “user approved”.

Third Party Kernel Extensions

Currently, the benefit of UAMDM is in one area of functionality: kernel extensions. UAMDM allows an administrator to whitelist third-party kernel extensions (kexts) for macOS, as well as allow or prohibit the user from enabling a kext themselves. macOS 10.13.2 effectively disables loading third-party kernel extensions on devices whose MDM enrollment is not user approved.

A kernel extension can be whitelisted in one of three ways, by specifying:

  1. the team identifier that signed the kernel extension, or
  2. the team identifier and bundle identifier of a specific kernel extension, or
  3. the bundle identifier of a specific unsigned kernel extension
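As an added illustration (not code from this post or from SimpleMDM), the script below builds the configuration profile payload that expresses these three whitelist rules plus the user-override setting, and evaluates whether a given kext would be permitted under it. The payload type and key names are Apple's Kernel Extension Policy profile keys; the team and bundle identifiers are constructed placeholders, and the helper names are my own.

```python
import plistlib
import uuid

# Apple's payload type for the Kernel Extension Policy (macOS 10.13.2+).
KEXT_POLICY_PAYLOAD = "com.apple.syspolicy.kernel-extension-policy"
UNSIGNED_TEAM = ""  # unsigned kexts are keyed under an empty team identifier


def build_kext_policy(team_ids, kexts, allow_user_overrides=False,
                      identifier="com.example.kextpolicy"):
    """Return a profile dict carrying one Kernel Extension Policy payload.

    team_ids: team identifiers whose kexts are all allowed (rule 1).
    kexts:    {team_id: [bundle_id, ...]} for specific kexts (rule 2),
              using UNSIGNED_TEAM as the key for unsigned kexts (rule 3).
    allow_user_overrides: whether the user may approve other kexts.
    """
    payload = {
        "PayloadType": KEXT_POLICY_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()),
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": sorted(set(team_ids)),
        "AllowedKernelExtensions": {t: sorted(set(b)) for t, b in kexts.items()},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadContent": [payload],
    }


def is_kext_allowed(profile, bundle_id, team_id=None):
    """Evaluate the three whitelist rules for one kext (team_id None = unsigned)."""
    payload = profile["PayloadContent"][0]
    if team_id is not None and team_id in payload["AllowedTeamIdentifiers"]:
        return True  # rule 1: every kext signed by this team is allowed
    key = UNSIGNED_TEAM if team_id is None else team_id
    return bundle_id in payload["AllowedKernelExtensions"].get(key, [])  # rules 2 and 3


def plist_roundtrip(profile):
    """Serialise to the XML plist an MDM would deliver and parse it back."""
    return plistlib.loads(plistlib.dumps(profile))


# Constructed sample whitelist (placeholder identifiers, not real vendors).
SAMPLE = build_kext_policy(
    team_ids=["ABCDE12345"],                                  # rule 1
    kexts={"FGHIJ67890": ["com.example.vpn.kext"],            # rule 2
           UNSIGNED_TEAM: ["com.example.legacy.unsigned"]},  # rule 3
)
```

With `AllowUserOverrides` left at `False`, anything outside the three lists stays blocked, which is the posture the post describes for devices under UAMDM.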

Why does this matter?

Many software solutions, particularly in the realm of system management, security, and network connectivity (like VPN) rely on kernel extensions. If these kernel extensions are not permitted to run, the software will cease to function.

You can view the third-party kernel extensions that exist on your macOS computer by running the following from Terminal:

kextstat | grep -v com.apple

What makes an MDM Enrollment User Approved?

Moving forward, MDM enrollments are user approved if:

  1. The device is enrolled using the Apple Device Enrollment Program (DEP)
  2. The enrollment is completed interactively, by the user on the device. Enrollment using an automation, script, or even screen share will not qualify as an interactive enrollment.

As a migration path, Apple has provided an exception to this rule. Devices that were enrolled with an MDM before upgrading to 10.13.2 will be considered user approved.

If a device is enrolled with an MDM and is not user approved, the enrollment can still be elevated to user approved status. By visiting the Profiles System Preferences pane, a user will be given the option to approve the MDM enrollment and change to an approved state.

How do I Whitelist Kernel Extensions with SimpleMDM?

The Kernel Extension Policy definition interface within SimpleMDM.

SimpleMDM allows you to define a whitelist of kernel extensions by specifying team identifiers, bundle identifiers, or a combination of the two. Users can also be permitted to approve or restricted from approving third party kernel extensions. Kernel extension policies are defined and then assigned to device groups.
