Meta pixel
Fleet logo
Integrations Vulnerability management Endpoint operations Device management (MDM) Reporting and automation
Docs Releases Device health Explore data Support
GUIDES Deployment guides How-to guides
Community
Announcements Security Engineering Podcasts Reports
CONTRIBUTE Join the conversation Contribute to Fleet
RESOURCES Handbook Logos & artwork
Pricing Try it out
All platforms
Windows
Linux
macOS
ChromeOS
search

A menu icon Tables {{numberOfTablesDisplayed}}

right chevron down chevron

Tables{{numberOfTablesDisplayed}}

macOS logo Windows logo Linux logo macOS logo

mdm

Information on the device's MDM enrollment.

Column Type Description
access_rights integer The access rights of the payload. The resulting number is the total of every AccessRight added up.
checkin_url text The URL the Mac checks in with, which should point to your MDM server.
dep_capable text Indicates if the computer is DEP capable or not, even if it is not currently enrolled into MDM.
enrolled text Indicates if the computer is enrolled into MDM.
has_scep_payload text Indicates if the computer has a certificate used by the MDM server to authenticate it.
identity_certificate_uuid text The UUID of the SCEP certificate.
install_date text The date on which the MDM payload was installed on the Mac.
installed_from_dep text Indicates if the MDM payload was installed via DEP or not.
payload_identifier text The identifier of the MDM payload.
server_url text The URL of the MDM server used by this computer.
sign_message text Indicates if messages sent and received from the MDM server must be signed.
topic text The topic MDM listens to for push notifications.
user_approved text Indicates if this MDM payload was approved by the user.

Example

Identify Macs that are DEP capable but have not been enrolled to MDM.

SELECT * FROM mdm WHERE dep_capable='true' AND enrolled='false';

Notes

This table is not a core osquery table. It is included as part of Fleetd, the osquery manager from Fleet. Fleetd can be built with fleetctl.

Code based on work by Kolide.

Due to changes in macOS 12.3, the output of profiles show -type enrollment can only be generated once a day. If you are running this command with another tool, you should set the PROFILES_SHOW_ENROLLMENT_CACHE_PATH environment variable to the path you are caching this. The cache file should be json with the keys dep_capable and rate_limited present, both booleans representing whether the device is capable of DEP enrollment and whether the response from profiles show -type enrollment is being rate limited or not.

Edit page

Need more help?

Slack logo Ask the community on Slack