In macOS 10.13.4, Apple introduced a new type of Mobile Device Management (MDM) Profile. MDM Profiles are now split into two categories: approved and not-approved. While not-approved profiles can still perform many of MDM's capabilities, Apple is continually adding to the features that can only be achieved through an approved profile.


In macOS 10.13.4, the only feature that is limited to approved profiles is kernel extension whitelisting, but Apple continues to add features to this list with every major release. In macOS Mojave, Apple introduced new Privacy Controls that can only be managed using an approved profile.


Below is an example of an MDM Profile that has not yet been approved.



Prerequisites

Of course, the first step in getting approved MDM Profiles onto your devices is to complete the setup of your Addigy MDM integration. Head over to our article Addigy Apple Push Certificates to start setting it up if you haven't completed it already.


How to Approve A Profile

There are two ways to get an approved MDM Profile on a device:


1) A user with administrator permissions on the device can approve the Profile in System Preferences. Go to the Profiles pane in System Preferences, select the MDM Profile deployed from Addigy, click Approve... and enter an administrator username and password to complete the process.


Note: Apple has gone to great lengths to prevent "spoofing" of this process. It is not possible to select the Approve option through most remote control tools (including ScreenConnect and Addigy Remote Control).


2) Using Addigy's integration with Apple's Device Enrollment Program (DEP), the MDM Profile will be installed on the device during the DEP enrollment process that happens during Apple Setup Assistant on a fresh install of macOS. MDM Profiles installed this way will always be approved. For information about configuring this integration, see our article Configuring Apple's Device Enrollment Program (DEP) Integration with Addigy.


Checking if a Profile Has Been Approved

To verify whether your devices have an approved profile, head over to the Devices page and run the Check for User Approved MDM Profiles command on your device(s).


This command will run successfully if the MDM Profile is approved or if the device is on an older version of macOS that does not support profile approval, and it will fail if the MDM Profile has not yet been approved.
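A local equivalent of the pass/fail rule described above, as an added example that is not Addigy's own command. It assumes the `MDM enrollment:` line printed by macOS's `profiles status -type enrollment`, treats a device with no MDM enrollment as a failure, and uses constructed sample output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Addigy's command). Function names are hypothetical.

# Constructed samples in the format of `profiles status -type enrollment`.
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'

# supports_approval VERSION -> 0 if VERSION is macOS 10.13.4 or later.
supports_approval() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split "10.13.4" into fields
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 10 ] && return 0
    [ "$major" -lt 10 ] && return 1
    [ "$minor" -gt 13 ] && return 0
    [ "$minor" -lt 13 ] && return 1
    [ "$patch" -ge 4 ]
}

# mdm_approval_check VERSION STATUS_TEXT
# 0: approved, or OS too old to support approval. 1: anything else.
mdm_approval_check() {
    if ! supports_approval "$1"; then
        echo "macOS $1 predates profile approval"
        return 0
    fi
    case $2 in
        *"MDM enrollment: Yes (User Approved)"*)
            echo "MDM Profile is approved"; return 0 ;;
        *"MDM enrollment: Yes"*)
            echo "MDM Profile is installed but not approved"; return 1 ;;
        *)  # Assumption: no MDM enrollment at all also counts as a failure.
            echo "No MDM enrollment found"; return 1 ;;
    esac
}

# Run against the live machine only when called with --live on a Mac.
if [ "${1:-}" = "--live" ]; then
    mdm_approval_check "$(sw_vers -productVersion)" \
        "$(profiles status -type enrollment 2>&1)"
    exit $?
fi
```

Run with `--live` on a Mac, the script checks the real device and exits non-zero while the profile still needs approval.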


If you have issues with approving your MDM Profiles after reviewing these two methods, please reach out to Addigy Support for further assistance.