In macOS 10.13.4, Apple introduced a new type of Mobile Device Management (MDM) Profile. MDM Profiles are now split into two categories: approved and not-approved profiles. While not-approved profiles can still perform many of MDM's capabilities, Apple is continually adding to the features that can only be achieved through an approved profile.
In macOS 10.13.4, the only feature which is limited to approved profiles is kernel extension whitelisting, but Apple continues to add features to this list with every major release. In macOS Mojave, Apple introduced new Privacy Controls that can only be managed using an approved profile.
Below is an example of an MDM Profile that has not yet been approved.
Of course, the first step in getting approved MDM Profiles onto your devices is to complete the setup of your Addigy MDM integration. Head over to our article Addigy Apple Push Certificates to start setting it up if you haven't completed it already.
How to Approve A Profile
There are two ways to get an approved MDM Profile on a device:
1) A user with administrator permissions on the device can approve the Profile in System Preferences. Go to the Profiles pane in System Preferences, select the MDM Profile deployed from Addigy, click Approve... and enter an administrator username and password to complete the process.
Note: Apple has gone to great lengths to prevent "spoofing" of this process. It is not possible to select the Approve option through most remote control tools (including ScreenConnect and Addigy Remote Control).
2) Using Addigy's integration with Apple's Device Enrollment Program (DEP), the MDM Profile will be installed on the device during the DEP enrollment process that happens during Apple Setup Assistant on a fresh install of macOS. MDM Profiles installed this way will always be approved. For information about configuring this integration, see our article Configuring Apple's Device Enrollment Program (DEP) Integration with Addigy.
Checking if a Profile Has Been Approved
To verify whether any devices have an approved profile, head over to the Devices page and check out our latest device fact, Has MDM Profile Approved. This device fact will reflect whether a device has User Approved MDM even after it goes offline.
This device fact will show success if the MDM Profile is approved or if the device is on an older version of macOS that does not support profile approval, and it will fail if the MDM Profile has not yet been approved.
If you need additional help creating a table view like the one above, check out our KB article: Customizing the Devices Table.
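To confirm the same state locally on a Mac, the script below is an added example, not Addigy's implementation of the device fact. It classifies the text printed by Apple's `profiles status -type enrollment` command and applies the pass/fail rule described above. The function names uamdm_state and fact_passes are hypothetical, the sample outputs are constructed, and treating an unenrolled device as a failure is an assumption.

```shell
#!/bin/sh
# Added example (not Addigy's code): classify User Approved MDM state from the
# text printed by `profiles status -type enrollment` on macOS 10.13.4 or later.

# uamdm_state <macos_version> <status_text>
# Prints one of: approved | not-approved | not-enrolled | unsupported
uamdm_state() {
    status=$2
    # Split the version on dots; missing fields default to 0.
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Profile approval was introduced in macOS 10.13.4.
    if [ "$major" -lt 10 ] ||
       { [ "$major" -eq 10 ] && [ "$minor" -lt 13 ]; } ||
       { [ "$major" -eq 10 ] && [ "$minor" -eq 13 ] && [ "$patch" -lt 4 ]; }; then
        echo unsupported
        return 0
    fi

    line=$(printf '%s\n' "$status" | grep '^MDM enrollment:' | head -n 1)
    case $line in
        *"(User Approved)"*) echo approved ;;
        *": Yes"*)           echo not-approved ;;
        *)                   echo not-enrolled ;;
    esac
}

# Mirrors the pass/fail rule described for the device fact: pass when approved
# or when the OS predates profile approval. Failing "not-enrolled" is an assumption.
fact_passes() {
    case $(uamdm_state "$1" "$2") in
        approved|unsupported) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample outputs (the server URL is a placeholder).
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://mdm.example.com/mdm'

# On a Mac, check the live state; elsewhere this block is skipped.
if command -v sw_vers >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    uamdm_state "$(sw_vers -productVersion)" "$(profiles status -type enrollment 2>&1)"
fi
```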
Addigy Pro Tip:
When managing devices with MDM, there are a few key device facts that are critical to monitor as an admin. Those device facts are as follows:
Has MDM Profile Approved - will reflect if the MDM Enrollment Profile has User Approval
Has MDM - will reflect if you have Addigy MDM
Installed Profiles - will list all installed MDM profiles on the device
Additionally, all device facts available to you in our Devices page can also be seen on a per-device basis through GoLive.
If you have issues with approving your MDM Profiles after reviewing these two methods, please reach out to Addigy Support for further assistance.