micromdm / micromdm

Mobile Device Management server
https://micromdm.io
MIT License
2.2k stars, 350 forks

UserID on macOS enrollment #766

Closed. danielerne closed this 11 months ago

danielerne commented 3 years ago

What version of micromdm are you using?

1.7.1

What micromdm command did you run?

Enroll

What did you expect to see?

UserId on TokenUpdate

We can not trigger some commands with device ID and it responds that we should use the user ID. Is this supported? As I can read in the Docs it should trigger a second TokenUpdate Response with the UserID value. But it's not available.

The device is enrolled manually.

This is already in our enroll payload:

```xml
<key>ServerCapabilities</key>
<array>
    <string>com.apple.mdm.per-user-connections</string>
</array>
```
jessepeterson commented 3 years ago

Yes, MicroMDM can support "user channel" MDM for macOS. You should receive a 2nd TokenUpdate for the user channel after the device's TokenUpdate. You can also list the users with mdmctl. Note there are restrictions on which user is enrolled for the user channel and when - so it's possible a device is enrolled only for the device and does not have user channel enabled.

danielerne commented 3 years ago

Thanks for your fast reply. I checked it with mdmctl but it's empty and I get only one TokenUpdate from the device channel. What restrictions can cause no user channel? I've installed the profile directly.

jessepeterson commented 3 years ago

How are you installing the profile? What OS version? What kind of user (directory or "normal" user)? How is the profile getting installed?

I've had semi-reliable success using the profiles tool running as the user (not root). Of course that's different now with macOS 11 Big Sur.

Some of the "restrictions" off the top of my head: there is only one MDM user channel at a time on macOS. It is only the user that enrolled with MDM (or at enroll-time for ADE/DEP). It cannot be (automatically) changed. Under some conditions you just don't get the user channel (i.e. system-installed manual MDM profile, etc.).

Separate from all that there is the directory users/mobile accounts (UserAuthenticate) messages which MicroMDM simply rejects (doesn't manage).
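The two replies above describe what a correctly enrolled Mac sends: one TokenUpdate for the device channel, a second TokenUpdate carrying UserID for the user channel, and, for directory or mobile accounts, a separate UserAuthenticate check-in that MicroMDM rejects. The following is an added example, not MicroMDM's code, that parses check-in plists and classifies them by channel so you can see at a glance which channels a device has actually reported. The three sample messages are constructed here (UDID, Topic, tokens, PushMagic values and user names are all made up) and follow the field names of Apple's MDM CheckIn protocol.

```python
import plistlib

# Constructed sample CheckIn messages, not captured from a real device.
# In Apple's CheckIn protocol a TokenUpdate that carries UserID belongs to
# the user channel; one without it belongs to the device channel.
UDID = "00000000-0000-0000-0000-0000000000AA"  # assumed value
TOPIC = "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000"

DEVICE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "Topic": TOPIC,
    "UDID": UDID,
    "Token": b"\x01" * 32,
    "PushMagic": "11111111-2222-3333-4444-555555555555",
})

USER_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "Topic": TOPIC,
    "UDID": UDID,
    "UserID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "UserShortName": "localadmin",
    "UserLongName": "Local Admin",
    "Token": b"\x02" * 32,
    "PushMagic": "66666666-7777-8888-9999-000000000000",
})

# Directory/mobile-account check-in; MicroMDM does not manage these.
USER_AUTHENTICATE = plistlib.dumps({
    "MessageType": "UserAuthenticate",
    "UDID": UDID,
    "UserID": "FFFFFFFF-1111-2222-3333-444444444444",
})


def classify_checkin(raw: bytes) -> dict:
    """Return which channel a single CheckIn message belongs to."""
    msg = plistlib.loads(raw)
    kind = msg.get("MessageType")
    user_id = msg.get("UserID")
    if kind == "TokenUpdate":
        channel = "user" if user_id else "device"
    elif kind == "UserAuthenticate":
        channel = "user-authenticate"
    else:
        channel = "other"
    return {
        "message_type": kind,
        "channel": channel,
        "udid": msg.get("UDID"),
        "user_id": user_id,
        "user_short_name": msg.get("UserShortName"),
    }


def enrolled_channels(checkins: list) -> dict:
    """Summarise the channels one device has reported across its check-ins."""
    summary = {"device": False, "user": None, "rejected": []}
    for raw in checkins:
        info = classify_checkin(raw)
        if info["channel"] == "device":
            summary["device"] = True
        elif info["channel"] == "user":
            # Only one user channel exists at a time; the last TokenUpdate wins.
            summary["user"] = {"user_id": info["user_id"],
                               "short_name": info["user_short_name"]}
        elif info["channel"] == "user-authenticate":
            summary["rejected"].append(info["user_id"])
    return summary


if __name__ == "__main__":
    # A healthy enrollment shows both channels; the reporter's only the device.
    print(enrolled_channels([DEVICE_TOKEN_UPDATE, USER_TOKEN_UPDATE]))
    print(enrolled_channels([DEVICE_TOKEN_UPDATE]))
```

Feed it the raw check-in bodies logged by your server (MicroMDM's own storage format is not assumed here) and the second call in the `__main__` block is exactly the symptom in this thread: `device` is `True` and `user` stays `None`.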

danielerne commented 3 years ago

The profile is installed manually: download from mdm/enroll and install, but the profile shows as Device (Managed). OS version is macOS Big Sur (11.2.1). The user is a local admin/root user.

danielerne commented 3 years ago

@jessepeterson Any news about this? Does it work on your side?

jessepeterson commented 3 years ago

@danielerne Yes, this reliably works for us using Big Sur and ABM/ADE. I can also manually get the UserID of the enrolling user on a machine below macOS 11 (Big Sur). I don't have a convenient testing machine with Big Sur to try a manual enrollment to see if this still works—but I assume it does. Have you modified your enrollment profile at all?

danielerne commented 3 years ago

Thanks. We didn't modify the profile much. Only the name.

If it works on your side over ABM, I will try to test it on ABM too.

danielerne commented 3 years ago

@jessepeterson We still have the problem that we don't get a second TokenUpdate with UserID in the payload. We can't use ABM because no Macs are registered there. Is it possible that you can test it without ABM and manually enrolling it? It doesn't work on macOS 10 (Catalina) either.

These are the only two responses we get:

[Screenshot 2021-08-13 at 18:18:12 of the two responses]

Thank you very much in advance

jessepeterson commented 3 years ago

@danielerne any luck with this? This is one of those things that 'just works' for us so I'm not sure where I'd look to try and debug anything. Is your machine bound to any directory system (AD, LDAP, etc.)? I have noticed some inconsistencies with the Profile preferences pane where I have to remove the enrollment profile completely (even in its "staging" state before its installed) before trying to re-enroll again. Sorry I can't be of more help. 🤷

danielerne commented 3 years ago

@jessepeterson Thanks for reaching out again. No, it didn't work. We tried several things. The machine is not bound to any directory system and it does not use ABM. We enrolled it simply with the /enroll Payload. But we don't get a token update event with the user id. We tried it with complete profile remove and enabled the mdm log as well but couldn't find anything. Currently I don't know any next steps ;)

jessepeterson commented 1 year ago

@danielerne just curious how this has worked out for you? Have you seen this work yet?

danielerne commented 1 year ago

@jessepeterson Thanks for asking. It didn't work yet. But we can try it again next week. I will let you know.

jessepeterson commented 1 year ago

@danielerne has this still been the case for you? I was able to duplicate this behavior in Sonoma betas and filed FB12244387 for it. I think @ygini and @dougpenny have also seen this issue on Ventura.

danielerne commented 1 year ago

Hi @jessepeterson Yes, it is still the case for us. But at the moment it is on hold. Thanks for filing a bug.

jessepeterson commented 1 year ago

@danielerne by chance do your enrollment profiles contain PayloadScope=System? I was able to try removing that in my profile and I was able to get user-channel checkins. This is an odd one because this used to work, in Catalina at least. And it still works in ADE/DEP enrollments, oddly. I think @dougpenny was also able to confirm this fix/workaround.

If you get around to testing this and it works for you: feel free to close this issue. :)
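The workaround in the reply above comes down to two settings in the enrollment profile: the `com.apple.mdm.per-user-connections` server capability must be present, and for a manual enrollment the top-level `PayloadScope` must not be `System`. The following is an added example, not MicroMDM's enrollment generator, that audits an unsigned `.mobileconfig` for both and produces a copy with the scope key removed. The sample profile is constructed here; its identifiers, URLs, UUIDs and the `AccessRights` value are assumed, not taken from the thread.

```python
import plistlib

PER_USER_CAP = "com.apple.mdm.per-user-connections"

# Constructed enrollment profile, not one served by a real MicroMDM instance.
# It has the per-user capability the reporter already had, plus the top-level
# PayloadScope=System that the thread identifies as the blocker.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.enroll",  # assumed identifier
    "PayloadUUID": "0F2C6D1A-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Example MDM Enrollment",
    "PayloadScope": "System",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.enroll.mdm",
            "PayloadUUID": "0F2C6D1A-0000-0000-0000-000000000002",
            "ServerURL": "https://mdm.example.com/mdm/connect",   # assumed
            "CheckInURL": "https://mdm.example.com/mdm/checkin",  # assumed
            "Topic": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",
            "IdentityCertificateUUID": "0F2C6D1A-0000-0000-0000-000000000003",
            "AccessRights": 8191,  # assumed value
            "ServerCapabilities": [PER_USER_CAP],
        }
    ],
})


def audit_enrollment_profile(raw: bytes) -> dict:
    """Report the two settings that decide whether a user channel can appear.

    Expects an unsigned XML or binary plist; a CMS-signed profile must be
    unwrapped first (e.g. with openssl smime or security cms on macOS).
    """
    profile = plistlib.loads(raw)
    mdm_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.mdm"]
    scope = profile.get("PayloadScope")
    result = {"payload_scope": scope, "per_user_capability": False, "issues": []}
    if not mdm_payloads:
        result["issues"].append("no com.apple.mdm payload in PayloadContent")
        return result
    caps = mdm_payloads[0].get("ServerCapabilities", [])
    result["per_user_capability"] = PER_USER_CAP in caps
    if not result["per_user_capability"]:
        result["issues"].append(f"ServerCapabilities lacks {PER_USER_CAP}")
    if scope == "System":
        result["issues"].append(
            "top-level PayloadScope is System; remove it for manual enrollments")
    return result


def drop_system_scope(raw: bytes) -> bytes:
    """Return the profile with the top-level PayloadScope key removed."""
    profile = plistlib.loads(raw)
    profile.pop("PayloadScope", None)
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(audit_enrollment_profile(SAMPLE_PROFILE))
    fixed = drop_system_scope(SAMPLE_PROFILE)
    print(audit_enrollment_profile(fixed))
```

Two practical caveats: if your enrollment profile is signed, editing it invalidates the signature, so re-sign the modified plist before serving it; and, as noted earlier in the thread, remove the existing enrollment profile completely before re-enrolling, otherwise the stale device-only enrollment can mask the change.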

danielerne commented 11 months ago

@jessepeterson Great, it works now