10.13.4 is now live! With this release we get the final form of User-Accepted Mobile Device Management (UAMDM) or at least a more polished version.

What changed?

In 10.13.0 through 10.13.3 if a mac was enrolled into a MDM server User-Approved Kernel Extension Loading (UAKEL) would be disabled. This would allow enterprise administrators to install tools like Santa, anti-virus, virtualization software, etc. without prompting end users to allow the KEXT to be loaded.

Now with 10.13.4 the com.apple.syspolicy.kernel-extension-policy profile will have to be deployed allow to KEXTs to load without end user prompts.

I would also read Apple’s Tech Note: Prepare your institution for macOS High Sierra 10.13.4

End-point status

Also in this release we get the ability to determine if a machine is enrolled into a MDM, and if the machine is user approved.

DEP Enrolled
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)

No enrollment profile
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

Installed manually via CLI
Mac:~ vagrant$ sudo profiles install -path enroll.mobileconfig 
Password:
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes

Manually approved the manual CLI install via System Preferences
Mac:~ vagrant$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: Yes (User Approved)

Prior to 10.13.4 this information was only available to your MDM Sever in the SecurityInfo payload. Since we can now determine this status correctly on the end-point this allows us as administrators to create workflows to correct the state of the machine.