10.13.4 is now live! With this release we get the final form of User-Accepted Mobile Device Management (UAMDM) or at least a more polished version.
In 10.13.0 through 10.13.3 if a mac was enrolled into a MDM server User-Approved Kernel Extension Loading (UAKEL) would be disabled. This would allow enterprise administrators to install tools like Santa, anti-virus, virtualization software, etc. without prompting end users to allow the KEXT to be loaded.
Now with 10.13.4 the
will have to be deployed allow to KEXTs to load without end user prompts.
I would also read Apple’s Tech Note: Prepare your institution for macOS High Sierra 10.13.4
Also in this release we get the ability to determine if a machine is enrolled into a MDM, and if the machine is user approved.
DEP Enrolled Mac:~ vagrant$ profiles status -type enrollment Enrolled via DEP: Yes MDM enrollment: Yes (User Approved) No enrollment profile Mac:~ vagrant$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: No Installed manually via CLI Mac:~ vagrant$ sudo profiles install -path enroll.mobileconfig Password: Mac:~ vagrant$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: Yes Manually approved the manual CLI install via System Preferences Mac:~ vagrant$ profiles status -type enrollment Enrolled via DEP: No MDM enrollment: Yes (User Approved)
Prior to 10.13.4 this information was only available to your MDM Sever in the SecurityInfo payload. Since we can now determine this status correctly on the end-point this allows us as administrators to create workflows to correct the state of the machine.