User-Approved MDM Enrollment

Device States

A requirement introduced in macOS High Sierra 10.13.2 where users must manually approve MDM enrollment to grant certain management capabilities.

What to Know

User-Approved MDM (UAMDM) is required on macOS for kernel extensions, system extensions, FileVault escrow, software updates, and other privileged operations. Without user approval, MDM enrollment is limited to basic profile installation and cannot enforce critical security controls. Devices enrolled through Automated Device Enrollment (ADE) bypass the user approval requirement, making ADE essential for zero-touch deployment and full management of corporate-owned Macs.

Common Scenarios

Enterprise IT: Manual enrollment of Macs requires users to approve enrollment in System Preferences/Settings, which can be a friction point during onboarding. IT should prioritize ADE enrollment for corporate-owned Macs to eliminate the user approval step. For existing manually enrolled devices, IT may need to prompt users to approve the enrollment if privileged management features suddenly stop working after a macOS update.

MSP: Clients with legacy Macs that were manually enrolled before ADE adoption may lack user-approved status, causing silent failures when deploying kernel extensions or software updates. MSPs should audit enrollment status and guide clients through the approval process or recommend ADE migration during the next hardware refresh cycle.

Education: School-managed Macs should be ADE-enrolled to avoid requiring students or teachers to manually approve enrollment. In BYOD scenarios where personal Macs connect to school resources, User-Approved MDM provides a balance between institutional control and user consent, though schools should clearly communicate what approval grants access to.
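
The enrollment audit recommended in the scenarios above can start from the state each Mac reports about itself. This is an added example, not Addigy's code or part of the original guide; it assumes the output format of the macOS `profiles status -type enrollment` command (10.13.4 and later), and the function names and state labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify a Mac's User-Approved MDM state from the text
# printed by `profiles status -type enrollment`.
# Assumed output format (macOS 10.13.4 and later):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: No | Yes | Yes (User Approved)

# classify_enrollment: reads status text on stdin and prints one state:
#   not-enrolled | not-approved | user-approved | ade-approved | unknown
classify_enrollment() {
    dep="" mdm=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"Enrolled via DEP:"*) dep=${line#*: } ;;
            *"MDM enrollment:"*)   mdm=${line#*: } ;;
        esac
    done
    case "$mdm" in
        "Yes (User Approved)"*)
            # Approved: distinguish ADE (DEP) enrollment from manual approval.
            case "$dep" in
                Yes*) echo "ade-approved" ;;
                *)    echo "user-approved" ;;
            esac ;;
        Yes*) echo "not-approved" ;;   # enrolled, approval still missing
        No*)  echo "not-enrolled" ;;
        *)    echo "unknown" ;;        # unexpected or empty output
    esac
}

# needs_approval: exit 0 when the device is enrolled but lacks the approval
# that kernel extension, FileVault escrow and similar controls depend on.
needs_approval() {
    [ "$(classify_enrollment)" = "not-approved" ]
}

# On a Mac, report the local device as "hostname<TAB>state".
# Elsewhere, feed saved command output to the functions on stdin.
if [ "$(uname -s)" = "Darwin" ] && command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    printf '%s\t%s\n' "$(hostname)" "$state"
fi
```

Devices reported as `not-approved` are the ones to walk through the approval step or to schedule for ADE migration; `unknown` means the output did not match the assumed format and should be checked by hand.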

In Addigy

Addigy displays whether a macOS device has user-approved enrollment status in the device details page. For manually enrolled devices without approval, Addigy provides instructions for users to approve enrollment via System Preferences > Profiles. ADE-enrolled devices automatically have approved status, so admins do not need to track or remediate approval for those devices.

Also Known As

  • User-Approved
  • UAMDM
  • User Consent