Please document the new 10.13.2 User-Approved MDM Enrollment and new MDM payloads outside of AppleSeed

Originator: eriknicolasgomez
Number: rdar://35307623
Date Originated: 11-01-2017
Status: Open
Resolved:
Product: Server (macOS Server)
Product Version: 10.13.2
Classification: Enhancement
Reproducible:

With the release of 10.13 appleseed/developer beta1 a new feature, SKEL (ultimately USKEL), was announced and a Technical Note was issued here: https://developer.apple.com/library/content/technotes/tn2459/_index.html

With the release of 10.13.2 appleseed/developer beta1, there are new features that will significantly impact MDM developers and macadmins, but these release notes were not part of the developer beta1 release notes. 

Please add the following from the AppleSeed release notes to the Developer release notes, so macadmins can publicly discuss this in the developer forums. These crucial bits of information should not be gated behind AppleSeed.

Announcements:
For increased security, macOS High Sierra 10.13.2 Beta introduces the concept of “User Approved” MDM Enrollment. This optional enrollment type allows MDM management of certain security-sensitive settings. In order to use this new enrollment type, users must manually install an MDM enrollment profile using System Preferences. Using automation or even attempting to enroll a device remotely via screen sharing will not result in User Approved enrollment. Enrolling a device in MDM does not currently require User Approved MDM enrollment. The only configuration payload which presently requires User Approved MDM enrollment is the one to manage User Approved Kernel Extension Loading (com.apple.syspolicy.kernel-extension-policy). Be aware of the following:
• All devices enrolled in the Device Enrollment Program (DEP) are considered to have been enrolled in MDM with User Approved enrollment.
• All devices currently in MDM will behave as if they’d been enrolled with User Approved enrollment once they are upgraded to macOS High Sierra 10.13.2 Beta and later. However, if they are subsequently removed and re-enrolled in MDM, they won’t automatically be enrolled with User Approved enrollment.
• If you enroll your Mac in MDM without the User Approved option, and then wish to update its enrollment type to User Approved, you can do so in the Profiles System Preferences pane. Select your enrollment profile, click the Details button, and follow the prompts.
• At this time, User Approved Kernel Extension Loading will be disabled for devices enrolled in MDM. It will be enabled (but managed) if you use User Approved enrollment and install a com.apple.syspolicy.kernel-extension-policy configuration payload which contains the AllowedKernelExtensions or AllowUserOverrides keys.

Comments

I have a question - on 10.13.2 I'm seeing some behavior that doesn't match the release notes in AppleSeed.

Test 1: No MDM / newly booted OS - Install package with kext. - Receive USKEL popup

Test 2: install UAMDM / newly booted OS, kext profile - Install package with kext - Do not receive USKEL popup

Test 3: install UAMDM / newly booted OS, no kext profile - Install package with kext - Do not receive USKEL popup

I thought with the changes to 10.13.2, Test 3 would no longer work?

Should we expect 10.13.2 to be similar to the behavior in 10.13.0 and 10.13.1 in that having MDM installed (user installed profile or DEP) continues to allow all kexts and another future version of macOS (10.13.3 or whatever) will block this, or is this a bug?

The way I read the AppleSeed notes, it sounded like 10.13.2 required MDM for kexts and only upgrades were grandfathered in.

By eriknicolasgomez at Nov. 14, 2017, 12:58 a.m. (reply...)

For now, UAMDM enrollment disables UAKEL just as MDM enrollment has done to this point in High Sierra. You can enable and manage the kext policy with the new com.apple.syspolicy.kernel-extension-policy payload, and you can begin transitioning to that model to plan for an eventual scenario where UAMDM does not disable UAKEL.

By eriknicolasgomez at Nov. 14, 2017, 12:58 a.m. (reply...)

Also, please add the notes about the new payloads,

New MDM Payloads

Kernel Extension Policy Payload

The Kernel Extension Policy payload is designated by specifying com.apple.syspolicy.kernel-extension-policy as the PayloadType. This payload controls restrictions and settings for User Approved Kernel Extension Loading on macOS v10.13.2 and later. The profile containing the payload must be delivered via a User Approved MDM server, and its PayloadScope key must be set to System. In addition to the settings common to all payloads, this payload defines the following keys:

• AllowUserOverrides - Boolean Indicates whether users are allowed to approve additional kernel extensions not explicitly allowed by configuration profiles.

• AllowedTeamIdentifiers - Array of Strings An array of team identifiers for which all validly signed kernel extensions will be allowed to load.

• AllowedKernelExtensions - Dictionary mapping team identifier (keys) to arrays of bundle identifiers A dictionary representing a set of kernel extensions that will always be allowed to load on the machine. For unsigned legacy kernel extensions, use an empty key for the team identifier.

By eriknicolasgomez at Nov. 2, 2017, 2:33 a.m. (reply...)
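The payload description above lists the keys but not what a finished profile looks like or how to catch the mistakes that stop the policy from applying (wrong PayloadScope, a malformed team identifier, a non-boolean AllowUserOverrides). The following is an added example, not code from the radar or from Apple: it builds a configuration profile carrying a com.apple.syspolicy.kernel-extension-policy payload with Python's standard plistlib and then checks a serialized .mobileconfig against the constraints the payload documentation states. The team identifier ABCDE12345, the bundle identifiers com.example.driver and com.example.legacy, the profile identifier com.example.kextpolicy and the 10-character uppercase alphanumeric team-ID format are assumptions for illustration; the empty-string key for unsigned legacy kexts follows the payload documentation.

```python
"""Build and sanity-check a Kernel Extension Policy configuration profile.

Added example, not from the original radar. Uses only the standard library.
The team identifier "ABCDE12345" and the com.example.* identifiers below are
made-up placeholders; the team-ID format check is an assumption.
"""
import plistlib
import re
import uuid

KEXT_POLICY_TYPE = "com.apple.syspolicy.kernel-extension-policy"
# Assumed format for an Apple team identifier: 10 uppercase letters/digits.
TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")


def build_kext_policy_profile(allowed_kexts, allowed_team_ids=(),
                              allow_user_overrides=False,
                              identifier="com.example.kextpolicy"):
    """Return a profile (as a dict) containing one kext policy payload.

    allowed_kexts maps a team identifier to a list of bundle identifiers.
    Use "" as the key for unsigned legacy kexts, as the payload docs describe.
    """
    payload = {
        "PayloadType": KEXT_POLICY_TYPE,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "AllowUserOverrides": bool(allow_user_overrides),
        "AllowedTeamIdentifiers": list(allowed_team_ids),
        "AllowedKernelExtensions": {tid: list(bids)
                                    for tid, bids in allowed_kexts.items()},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kernel Extension Policy",
        "PayloadScope": "System",  # the payload docs require System scope
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to .mobileconfig (XML plist) bytes."""
    return plistlib.dumps(profile)


def check_kext_policy_profile(data):
    """Parse .mobileconfig bytes; return a list of problems (empty means OK)."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == KEXT_POLICY_TYPE]
    if not payloads:
        problems.append("no %s payload in profile" % KEXT_POLICY_TYPE)
    for p in payloads:
        if "AllowUserOverrides" in p and not isinstance(p["AllowUserOverrides"], bool):
            problems.append("AllowUserOverrides must be a boolean")
        for tid in p.get("AllowedTeamIdentifiers", []):
            if not isinstance(tid, str) or not TEAM_ID_RE.match(tid):
                problems.append("bad team identifier in AllowedTeamIdentifiers: %r" % (tid,))
        kexts = p.get("AllowedKernelExtensions", {})
        if not isinstance(kexts, dict):
            problems.append("AllowedKernelExtensions must be a dictionary")
            continue
        for tid, bids in kexts.items():
            # "" is the documented key for unsigned legacy kexts; any other key
            # must look like a team identifier.
            if tid != "" and not TEAM_ID_RE.match(tid):
                problems.append("bad team identifier key in AllowedKernelExtensions: %r" % (tid,))
            if not isinstance(bids, list) or not all(isinstance(b, str) for b in bids):
                problems.append("AllowedKernelExtensions[%r] must be an array of strings" % (tid,))
        if "AllowUserOverrides" not in p and not p.get("AllowedTeamIdentifiers") and not kexts:
            problems.append("payload sets none of the kext policy keys")
    return problems


if __name__ == "__main__":
    profile = build_kext_policy_profile(
        {"ABCDE12345": ["com.example.driver"], "": ["com.example.legacy"]},
        allowed_team_ids=["ABCDE12345"])
    blob = to_mobileconfig(profile)
    print(blob.decode())
    print("problems:", check_kext_policy_profile(blob))
```

The checker only covers what the documentation on this page states; it cannot tell you whether the Mac receiving the profile is actually User Approved enrolled, which is the other precondition for the payload taking effect.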
