With macOS High Sierra 10.13.2, Apple introduces the concept of User Approved MDM enrollment (UAMDM). UAMDM grants MDM software additional privileges beyond what is allowed for macOS MDM enrollments that have not been "user approved".
What makes an MDM Enrollment User Approved?
- The device is enrolled using the Apple Device Enrollment Program (DEP)
- The enrollment is completed interactively, by the user on the device. Enrollment performed through automation, a script, or even a screen-sharing session does not qualify as interactive.
As a migration path, Apple has provided an exception to this rule. Devices upgraded to 10.13.2 that are enrolled with an MDM before upgrading will be considered user approved.
Using automation or even attempting to enroll a device remotely via Screen Sharing will not result in User Approved enrollment.
If your Mac was enrolled in MDM without the User Approved option, you can approve your existing enrollment so that MDM can manage security-sensitive settings. Open System Preferences > Profiles and locate the enrollment profile that is marked with a badge.
Select your enrollment profile, click the Approve button on the right, and follow the prompts.
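To check approval status across a fleet instead of opening System Preferences on each Mac, the following added example (not part of the original page) classifies the output of `profiles status -type enrollment` on macOS versions that provide it. The two-line output format shown in the comments is an assumption, and `classify_enrollment` and `sample_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify the output of `profiles status -type enrollment`.
# Assumed output format:
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)

# Reads status text on stdin and prints one of:
#   user-approved | not-user-approved | not-enrolled | unknown
classify_enrollment() {
    awk '
        /^[ \t]*MDM enrollment:/ {
            seen = 1
            if ($3 == "Yes") enrolled = 1
            if (index($0, "(User Approved)") > 0) approved = 1
        }
        END {
            if (!seen)          print "unknown"
            else if (!enrolled) print "not-enrolled"
            else if (approved)  print "user-approved"
            else                print "not-user-approved"
        }'
}

# Constructed sample: enrolled, but the user has not approved the enrollment.
sample_status() {
    printf 'Enrolled via DEP: No\nMDM enrollment: Yes\n'
}

if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
else
    state=$(sample_status | classify_enrollment)   # no macOS tooling: use the sample
fi

case "$state" in
    user-approved)     echo "OK: enrollment is User Approved" ;;
    not-user-approved) echo "ACTION: approve the profile in System Preferences > Profiles" ;;
    not-enrolled)      echo "INFO: no MDM enrollment found" ;;
    *)                 echo "WARN: could not determine enrollment state" ;;
esac
```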