Last updated April 10, 2019
With macOS High Sierra 10.13.2, Apple introduces the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) software additional privileges beyond what is allowed for macOS MDM enrollments that have not been “user approved”.
Currently, the benefit of UAMDM is in one area of functionality: kernel extensions. UAMDM allows an administrator to whitelist third-party kernel extensions (kexts) for macOS, as well as allow or prohibit the user from enabling a kext themselves. macOS 10.13.2 effectively disables loading of third-party kernel extensions on devices enrolled in an MDM that is not user approved.
A kernel extension can be whitelisted in one of three ways, by specifying: the developer's team identifier, the kext's bundle identifier, or a combination of the two.
Many software solutions, particularly in the realm of system management, security, and network connectivity (like VPN) rely on kernel extensions. If these kernel extensions are not permitted to run, the software will cease to function.
You can view the third-party kernel extensions that are loaded on your macOS computer by running the following from Terminal:
kextstat | grep -v com.apple
Moving forward, MDM enrollments are user approved if:
As a migration path, Apple has provided an exception to this rule. Devices that were already enrolled with an MDM before upgrading to 10.13.2 will be considered user approved.
If a device is enrolled with an MDM and is not user approved, the enrollment can still be elevated to user approved status. By visiting the Profiles System Preferences pane, a user will be given the option to approve the MDM enrollment and change to an approved state.
SimpleMDM allows you to define a whitelist of kernel extensions by specifying team identifiers, bundle identifiers, or a combination of the two. Users can also be permitted to approve, or restricted from approving, third-party kernel extensions. Kernel extension policies are defined and then assigned to device groups.
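As an added example (not code from this page or from SimpleMDM), the script below ties together the two administrative tasks discussed above: parsing `kextstat` output to find the loaded non-Apple kexts, and expressing a whitelist of team identifiers and bundle identifiers as a Kernel Extension Policy configuration profile (Apple's `com.apple.syspolicy.kernel-extension-policy` payload, with its `AllowUserOverrides`, `AllowedTeamIdentifiers` and `AllowedKernelExtensions` keys). It then reports which loaded kexts the policy would not cover, which is the check an administrator wants before pushing the profile to a device group. The `kextstat` lines, the team identifiers and the bundle identifiers are all constructed sample values; `kextstat` itself does not print team identifiers, so the bundle-to-team mapping is an assumed input that in practice comes from inspecting each kext's code signature.

```python
import plistlib
import uuid

# Constructed sample of `kextstat | grep -v com.apple` output (fictional kexts,
# not captured from a real device).
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  142    0 0xffffff7f83a00000 0x5000     0x5000     com.example.vpn.tunnel (2.1.0) 0A1B2C3D-0000-4000-8000-000000000001 <6 5 3 1>
  143    1 0xffffff7f83a10000 0x8000     0x8000     com.example.security.sensor (4.0.2) 0A1B2C3D-0000-4000-8000-000000000002 <8 6 5 3 1>
  144    0 0xffffff7f83a20000 0x3000     0x3000     org.sample.legacy.driver (1.0) 0A1B2C3D-0000-4000-8000-000000000003 <5 4 3 1>
"""

# Constructed bundle-ID -> team-ID mapping. kextstat does not show team IDs;
# an administrator would read them from each kext's code signature.
TEAM_OF = {
    "com.example.vpn.tunnel": "EXAMPLETM1",
    "com.example.security.sensor": "EXAMPLETM2",
    "org.sample.legacy.driver": "SAMPLETM99",
}


def third_party_kexts(kextstat_output):
    """Return the bundle identifiers of loaded kexts that are not Apple's.

    Mirrors `kextstat | grep -v com.apple`: the header line and any line
    without a numeric index are skipped, and the Name column (6th field)
    is kept when it does not start with com.apple.
    """
    ids = []
    for line in kextstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        bundle_id = fields[5]
        if not bundle_id.startswith("com.apple."):
            ids.append(bundle_id)
    return ids


def build_kext_policy(allowed_team_ids, allowed_kexts, allow_user_overrides=False):
    """Build a Kernel Extension Policy profile as a plist-compatible dict.

    allowed_team_ids: team IDs whose kexts are all permitted.
    allowed_kexts:    {team_id: [bundle_id, ...]} for per-kext permission.
    allow_user_overrides=False keeps the user from approving kexts themselves.
    The PayloadIdentifier values are placeholders for this example.
    """
    payload = {
        "PayloadType": "com.apple.syspolicy.kernel-extension-policy",
        "PayloadIdentifier": "com.example.kext-policy.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": allow_user_overrides,
        "AllowedTeamIdentifiers": list(allowed_team_ids),
        "AllowedKernelExtensions": {t: list(ids) for t, ids in allowed_kexts.items()},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.kext-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example Kernel Extension Policy",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }


def policy_to_mobileconfig(profile):
    """Serialize the profile dict to .mobileconfig XML text."""
    return plistlib.dumps(profile).decode()


def unapproved_kexts(loaded_ids, profile, team_of):
    """Return loaded bundle IDs that the policy would not allow to load."""
    policy = profile["PayloadContent"][0]
    allowed_teams = set(policy["AllowedTeamIdentifiers"])
    per_team = policy["AllowedKernelExtensions"]
    missing = []
    for bundle_id in loaded_ids:
        team = team_of.get(bundle_id)
        if team in allowed_teams:
            continue  # whole team whitelisted
        if bundle_id in per_team.get(team, []):
            continue  # this specific kext whitelisted under its team
        missing.append(bundle_id)
    return missing


if __name__ == "__main__":
    loaded = third_party_kexts(SAMPLE_KEXTSTAT)
    profile = build_kext_policy(
        allowed_team_ids=["EXAMPLETM1"],
        allowed_kexts={"EXAMPLETM2": ["com.example.security.sensor"]},
    )
    print("Loaded third-party kexts:", loaded)
    print("Not covered by policy:", unapproved_kexts(loaded, profile, TEAM_OF))
    print(policy_to_mobileconfig(profile))
```

Run as written, the report flags `org.sample.legacy.driver` as the one loaded kext the policy would block, which is exactly the kind of software the text warns will cease to function once the device is user approved and the policy applies.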