Cut 4293 enrollment prompt if admin user

[jworkmanjc]

Issues

• CUT-4293 - Enrollment script failure while running as root

What does this solve?

It would appear that a recent change in macOS has prevented us and other MDM vendors from running the command profiles renew -type enrollment remotely as root on end user's devices. This is problematic mostly for recovery and re-enrollment scenarios where a device needs to be issued it's MDM profile once again. After further discovery, it was found that running the command in the context of an admin account would re-trigger the enrollment window. This update to the command will check if a local administrator is logged in and issue the enrollment command to run as that user if they are a member of the "admin" group. If the user is not a member of this group, the command will note the admins on the device and exit with code 1.

Is there anything particularly tricky?

How should this be tested?

On a MDM Enrolled Device, issue the command to the device, it should exit 0 noting that the device is "MDM is DEP enrolled already"

Remove MDM from the device, login as a standard user. Issue the command to the device it should exit 1 noting that the signed in user is not an administrator. The list of administrators should be printed in standard out.

Sign into the device as an administrator user, (MDM should not be on the device at this moment). Issue the command to the device, it should prompt the signed in user to enroll into JumpCloud MDM. The command exit code should be "0"

Screenshots