Information on the device's MDM enrollment.
| Column | Type | Description |
| --- | --- | --- |
| access_rights | integer | The access rights of the payload. The resulting number is the total of every AccessRight added up. |
| checkin_url | text | The URL the Mac checks in with, which should point to your MDM server. |
| dep_capable | text | Indicates if the computer is DEP capable or not, even if it is not currently enrolled into MDM. |
| enrolled | text | Indicates if the computer is enrolled into MDM. |
| has_scep_payload | text | Indicates if the computer has a certificate used by the MDM server to authenticate it. |
| identity_certificate_uuid | text | The UUID of the SCEP certificate. |
| install_date | text | The date on which the MDM payload was installed on the Mac. |
| installed_from_dep | text | Indicates if the MDM payload was installed via DEP or not. |
| payload_identifier | text | The identifier of the MDM payload. |
| server_url | text | The URL of the MDM server used by this computer. |
| sign_message | text | Indicates if messages sent to and received from the MDM server must be signed. |
| topic | text | The topic MDM listens to for push notifications. |
| user_approved | text | Indicates if this MDM payload was approved by the user. |
Identify Macs that are DEP capable but have not been enrolled into MDM:

```sql
SELECT * FROM mdm WHERE dep_capable='true' AND enrolled='false';
```
Code based on work by Kolide.
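The query above covers the enrollment gap; the remaining columns support a few more posture checks. The queries below are added examples, not part of the original page or of Kolide's work, and they assume the same `'true'`/`'false'` string values the query above uses. The `https://mdm.example.com/%` host pattern is a placeholder for your own MDM server.

```sql
-- Added example queries against the mdm table (placeholder host, not from the original page).

-- Enrolled Macs whose MDM payload the user has not approved:
-- without user approval the MDM profile cannot manage security-sensitive settings.
SELECT server_url, install_date, installed_from_dep
FROM mdm
WHERE enrolled = 'true' AND user_approved = 'false';

-- Enrolled Macs whose server or check-in URL does not point at the expected MDM server
-- (an unexpected host can indicate enrollment into a server you do not operate).
SELECT server_url, checkin_url, payload_identifier
FROM mdm
WHERE enrolled = 'true'
  AND (server_url NOT LIKE 'https://mdm.example.com/%'
       OR checkin_url NOT LIKE 'https://mdm.example.com/%');

-- Enrolled Macs that do not require signed MDM messages or lack the SCEP identity
-- certificate the server uses to authenticate them.
SELECT server_url, sign_message, has_scep_payload, identity_certificate_uuid
FROM mdm
WHERE enrolled = 'true'
  AND (sign_message = 'false' OR has_scep_payload = 'false');

-- Enrolled Macs that were enrolled manually rather than through DEP, even though
-- the hardware is DEP capable (useful when automated enrollment is the expected path).
SELECT server_url, install_date
FROM mdm
WHERE enrolled = 'true' AND dep_capable = 'true' AND installed_from_dep = 'false';
```

Each query returns only the columns needed to triage the result; in a scheduled query, pairing them with `hostname` from `system_info` makes the output actionable.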
Due to changes in macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If you are running this command with another tool, you should set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path where you are caching its output. The cache file should be JSON containing two boolean keys: one representing whether the device is capable of DEP enrollment, and `rate_limited` representing whether the response from `profiles show -type enrollment` is currently being rate limited.