Everything you need to know about Apple’s User Approved MDM

Luke Smith

Dec 17, 2021


Apple introduced the User Approved MDM (UAMDM) enrolment feature with the macOS High Sierra 10.13.2 update. From the 10.13.0 update all the way to 10.13.3, any device enrolled into an MDM using Automated Device Enrolment (previously known as DEP) automatically achieved “User Approved” status. Unfortunately, this also disabled “User Approved Kernel Extension Loading,” so no enrolment approvals could be given from the user’s end. (Kernel extensions, ‘kexts’ for short, are pieces of developer code that often perform tasks or access parts of the operating system that standard software cannot.)

User Approved MDM enrolment is an enrolment method that grants employees the authority to approve the enrolment request on their own devices. It strikes the right balance between privacy and security.

Introduction to UAMDM

UAMDM requires the end user’s approval during the actual enrolment process. Enrolment is no longer as simple as installing a silent package with an existing management or patching tool. Until employees give IT their approval, the Macs are difficult to manage, because they remain heavily restricted.

User Approved MDM was introduced to manage specific security-sensitive settings on Macs that were not enrolled through Automated Device Enrolment. For devices enrolled through Automated Device Enrolment, security-sensitive settings can be managed without restriction, since the device attains “User Approved” status through that method.

Methods for a device to get user-approved

A device can attain the status of “User Approved” in two different ways. They are:

    • Approval based on Automated Device Enrolment:

If the device is enrolled into an MDM via Automated Device Enrolment, it is immediately granted “User Approved” status, so a separate UAMDM approval step is irrelevant in these cases.

    • Approval based on User Interactions:

If a device is enrolled in an MDM manually, it receives “User Approved” status only when the employees themselves complete the enrolment. Apple deliberately withholds approval when the enrolment is performed by automation, screen sharing, or scripts.

There is also the special case of devices that were already enrolled in an MDM before upgrading to 10.13.2: these were automatically treated as “User Approved.”

Note:

Another unconventional case is a Mac running macOS 10.13.4 that is enrolled in an MDM without being user approved. The profile gets installed, but communication between the MDM and the device does not go through until the end user approves the profile with administrator credentials. This is done with the following steps:

  • Click on “System Preferences”
  • Click on “Profiles”
  • Find and click on the enrolment profile (It will have a badge on it)
  • Click “Approve” and follow the onscreen instructions.
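To tell which of the cases above a given Mac is in, an administrator can read the output of the built-in `profiles status -type enrollment` command (available from macOS 10.13.4). The script below is an added example, not code from the original post or from Hexnode; it assumes the command prints an `Enrolled via DEP: Yes|No` line and an `MDM enrollment: Yes|No` line with `(User Approved)` appended when the enrolment is user approved. The sample outputs are constructed in that shape so the script runs anywhere, and it only calls the real command on macOS.

```python
"""Classify a Mac's UAMDM state from `profiles status -type enrollment` output.

Added example, not part of the original post. Assumption: the command prints
"Enrolled via DEP: Yes|No" and "MDM enrollment: Yes|No", with
"(User Approved)" appended when the enrolment is user approved.
"""
import platform
import re
import subprocess

# Constructed samples covering the cases described in the post.
SAMPLE_ADE = "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_APPROVED = "Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n"
SAMPLE_MANUAL_PENDING = "Enrolled via DEP: No\nMDM enrollment: Yes\n"
SAMPLE_NOT_ENROLLED = "Enrolled via DEP: No\nMDM enrollment: No\n"

# key: Yes|No, optionally followed by a parenthesised qualifier such as "(User Approved)"
_LINE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<val>Yes|No)\s*(?P<qual>\([^)]*\))?\s*$", re.I)


def parse_enrollment(text):
    """Return {'dep': bool, 'mdm': bool, 'user_approved': bool} from command output."""
    status = {"dep": False, "mdm": False, "user_approved": False}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # ignore anything that is not one of the two status lines
        key = m.group("key").strip().lower()
        val = m.group("val").lower() == "yes"
        qual = (m.group("qual") or "").lower()
        if key == "enrolled via dep":
            status["dep"] = val
        elif key == "mdm enrollment":
            status["mdm"] = val
            status["user_approved"] = val and "user approved" in qual
    return status


def uamdm_case(status):
    """Map a parsed status onto the cases described in the post."""
    if not status["mdm"]:
        return "not-enrolled"
    if status["dep"] and status["user_approved"]:
        return "ade-approved"      # approval came with Automated Device Enrolment
    if status["user_approved"]:
        return "user-approved"     # the user completed enrolment themselves
    return "needs-approval"        # profile installed; approval pending in System Preferences > Profiles


def live_case():
    """Run the real command on a Mac; return None elsewhere so the example stays portable."""
    if platform.system() != "Darwin":
        return None
    out = subprocess.run(["profiles", "status", "-type", "enrollment"],
                         capture_output=True, text=True, check=True).stdout
    return uamdm_case(parse_enrollment(out))


if __name__ == "__main__":
    for name, sample in [("ADE", SAMPLE_ADE), ("manual approved", SAMPLE_MANUAL_APPROVED),
                         ("manual pending", SAMPLE_MANUAL_PENDING), ("not enrolled", SAMPLE_NOT_ENROLLED)]:
        print(f"{name:16s} -> {uamdm_case(parse_enrollment(sample))}")
    print("this machine     ->", live_case())
```

A device reported as `needs-approval` is the case the Note describes: the enrolment profile is present, but the MDM cannot manage the Mac until the user approves it in System Preferences.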

The benefit UAMDM brings to the table

Presently, the benefit of UAMDM falls mainly under one area: kernel extensions. UAMDM lets IT administrators whitelist third-party kexts for macOS and allow or deny users enabling kexts themselves. Moreover, macOS 10.13.2 disables the loading of third-party kernel extensions on devices enrolled in MDMs that are not user approved.

As of macOS 10.13.4, UAMDM is required for the Kernel Extension Policy (KEP) payload on macOS. The KEP payload manages the loading of user-approved kernel extensions. It also lets IT admins gather the critical information about kernel extensions on company devices, select which extensions should load without the employee’s consent and, finally, decide whether employees should be allowed to accept additional kernel extensions.
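The script below is an added example, not Hexnode’s code, showing what a KEP payload looks like and how to build and inspect one. It uses Apple’s KEP payload type `com.apple.syspolicy.kernel-extension-policy` and its `AllowUserOverrides`, `AllowedTeamIdentifiers` and `AllowedKernelExtensions` keys; the Team ID `TEAMID0000` and bundle ID `com.example.driver` are placeholders, not real vendor identifiers. The profile only takes effect when delivered by a user-approved MDM, as the text above explains.

```python
"""Build and inspect a Kernel Extension Policy (KEP) configuration profile.

Added example, not Hexnode's code. The payload type and keys are Apple's
KEP keys; the Team ID and bundle ID values used in __main__ and the tests
are placeholders.
"""
import plistlib
import uuid

KEP_PAYLOAD_TYPE = "com.apple.syspolicy.kernel-extension-policy"


def kext_policy_profile(allowed_team_ids, allowed_kexts, allow_user_overrides,
                        identifier="com.example.kep", org="Example Org"):
    """Return a .mobileconfig (XML plist) as bytes.

    allowed_team_ids:     developer Team IDs whose kexts may load without a prompt
    allowed_kexts:        {team_id: [bundle_id, ...]} for per-kext allow-listing
    allow_user_overrides: True lets a local admin approve kexts not on the list;
                          False means only the MDM-listed kexts may load
    """
    payload = {
        "PayloadType": KEP_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{identifier}.kep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": bool(allow_user_overrides),
        "AllowedTeamIdentifiers": list(allowed_team_ids),
        "AllowedKernelExtensions": {t: list(b) for t, b in allowed_kexts.items()},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # device-level payload; must come from a user-approved MDM
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy (MDM)",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def summarize_kext_policy(profile_bytes):
    """Parse a profile and report what its KEP payload permits.

    Returns None if the profile carries no KEP payload.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != KEP_PAYLOAD_TYPE:
            continue
        return {
            "user_overrides": bool(payload.get("AllowUserOverrides", False)),
            "team_ids": sorted(payload.get("AllowedTeamIdentifiers", [])),
            "kexts": {t: sorted(b) for t, b in
                      payload.get("AllowedKernelExtensions", {}).items()},
        }
    return None


if __name__ == "__main__":
    # Placeholder IDs; substitute your vendor's real Team ID and kext bundle ID.
    strict = kext_policy_profile(
        allowed_team_ids=["TEAMID0000"],
        allowed_kexts={"TEAMID0000": ["com.example.driver"]},
        allow_user_overrides=False,
    )
    print(strict.decode())
    print(summarize_kext_policy(strict))
```

Setting `AllowUserOverrides` to `False` is the tighter configuration: only the listed Team IDs and bundle IDs load, and employees cannot approve anything else. Setting it to `True` corresponds to the “employees may accept additional kernel extensions” choice described above.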

Hexnode’s UAMDM Feature

We should treat personal electronic data with the same care and respect as weapons-grade plutonium – it is dangerous, long-lasting, and once it has leaked, there’s no getting it back.

— Cory Doctorow.

Hexnode offers UAMDM in the form of authenticated self-enrolment by the users themselves and Automated Device Enrolment for all macOS devices running version 10.7 and above.

Email or SMS enrolment: In this method, an enrolment request and the credentials are pushed to the device via email or SMS. The message contains the username and password required to enrol the device into the MDM portal.

Self-Enrolment: In this method, users enrol their devices with their Active Directory/Okta/Google/Azure Active Directory user credentials. The admin can create a default user and password manually, or assign a common password for all other users.

Both of these methods require the “User Approved” procedure, which makes them UAMDM techniques for macOS.

This feature is supported only on the Pro, Enterprise, Ultimate and Ultra pricing plans of Hexnode UEM. You can add any Apple device running OS X 10.9 or later to your Automated Device Enrolment account and then take advantage of Apple Business/School Manager enrolment.

ADE lets businesses configure the initial start-up of a new device. The device can be configured to skip the Setup Assistant and automatically install the necessary software to meet company guidelines. This enables true zero-touch device setup, so IT administrators do not have to set up the device before shipping new hardware to employees. The process also results in the device attaining “User Approved” status.

Conclusion

Being “User Approved” makes it easy to push policies and other security updates to enrolled devices without requiring further authorisation of the MDM from the users’ end. This makes the various setup wizards and initial preparations of a device unnecessary, saving the time spent setting up the device.
