User Accepted MDM Profile Impacts MDM Management

Number:rdar://35284230 Date Originated:October 31 2017
Status:Closed Resolved:
Product:MacOS Product Version:10.13.2 17C60c
Classification: Reproducible:Yes

User acceptance prompt introduced with 10.13.2 beta 1 (17C60c) will negatively impact fresh/new enrollments into Jamf Pro MDM. As an administrator for hundreds of machines, with new machines being enrolled weekly, I can not reliably trust end users to successfully approve the MDM profile with each occurrence. This will negatively impact my organizations ability to properly manage machines and utilize MDM. 

Per the release notes, this approval feature is disabled for machines enrolled in DEP, but not all organizations can make use of DEP at this time. DEP is the future, but not everyone is there yet. 

This change has the potential to impact over 1700 Macs. 

Steps to Reproduce:
A working Jamf Pro instance is required to properly replicate this process. My testing was done with Jamf Pro JSS 9.101.0-t1504998263 but the process should be the same for the recently released Jamf Pro v10.0.0.

Enroll a Mac into Jamf Pro management using the Quick Add installer package for your Jamf system. Once the enrollment has successfully completed, launch System Preferences, navigate to Profiles and then select the MDM Profile from the Profiles list on the left. With 10.13.2 beta 1, end users will be presented with a warning, “This profile was installed without user consent”. Click the “Details” button which will expose a drop-down sheet with further instructions, including the option to approve the profile.

Expected Results:
The MDM profile delivered by the Jamf Pro server should be immediately accepted by the OS with out any end user interaction.

Actual Results:
End users are expected to approve the MDM profile. Failure to approve the profile impacts MDM performance. 


Jamf Pro Server JSS 9.101.0-t1504998263 
Jamf Pro QuickAdd.pkg
macOS client


Closed by Apple due to changes they made in UI in. 10.13.2 and clarification that change will only impact, at least at this time, MDM-delivered profile that is whitelisting thrid-party KEXTs

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!