Identifying MDM-managed user accounts on macOS Sequoia
The article describes how to identify MDM-managed user accounts on macOS Sequoia and how to obtain the managed user's UUID and username with the `mdmclient` command. 2025-4-4 19:41:1 Author: derflounder.wordpress.com



When enrolling a device into an MDM server using device enrollment, a couple of things happen as part of the MDM enrollment process:

  1. The device becomes a managed device.
  2. The local user account which installs the MDM enrollment profile becomes a managed user.

There are additional details on what it means to be a managed user, but one of the most important in this context is that the managed local user account can be managed via user-level MDM profiles. Other local accounts on the Mac cannot be managed by user-level MDM profiles.

Note: Network users (for example, Active Directory mobile user accounts) who log in to the device can become managed users on login, so that a Mac can have multiple managed users. However, when only dealing with local accounts, you would just have one managed user in the context of being managed by the MDM service.

From the Mac’s end it is not obvious which local user account is the MDM-managed user, but the mdmclient command line tool can be used to get this information. For more details, please see below the jump.

To get information on the MDM management status of the device, including information on the managed user, the following command can be run with root privileges:


/usr/libexec/mdmclient QueryDeviceInformation

Running this command should provide output similar to that shown below:


username@computername ~ % sudo /usr/libexec/mdmclient QueryDeviceInformation
Password:
=== CPF_GetInstalledProfiles === (<Device>)
Number of <Device> profiles found: 35 (Filtered: 0)
Daemon response: {
QueryResponses = {
ActiveManagedUsers = (
"6E39891B-C387-491A-B8BE-F84175E42A52"
);
AutoSetupAdminAccounts = (
);
AvailableDeviceCapacity = 37;
AwaitingConfiguration = 0;
BatteryLevel = "-1";
BluetoothMAC = "00:00:00:00:00:00";
BuildVersion = 24E248;
CurrentConsoleManagedUser = "6E39891B-C387-491A-B8BE-F84175E42A52";
DeviceCapacity = 62;
DeviceName = computername;
EACSPreflight = "Bootstrap Token provided by MDM failed to verify.";
EthernetMAC = "82:2b:cb:6b:44:e5";
HasBattery = 0;
HostName = computername;
IsActivationLockEnabled = 0;
IsActivationLockSupported = 1;
IsAppleSilicon = 1;
IsSupervised = 1;
LocalHostName = computername;
MDMOptions = {
ActivationLockAllowedWhileSupervised = 1;
BootstrapTokenAllowed = 1;
};
Model = "VirtualMac2,1";
ModelName = "Virtual Machine";
ModelNumber = "VM0001LL/A";
OSUpdateSettings = {
AutoCheckEnabled = 1;
AutomaticAppInstallationEnabled = 0;
AutomaticOSInstallationEnabled = 1;
AutomaticSecurityUpdatesEnabled = 1;
BackgroundDownloadEnabled = 1;
CatalogURL = "https://swscan.apple.com/content/catalogs/others/index-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz";
IsDefaultCatalog = 1;
PreviousScanDate = "2025-04-04 15:04:55 +0000";
};
OSVersion = "15.4";
OSXSoftwareUpdateStatus = {
AutoCheckEnabled = 1;
AutomaticAppInstallationEnabled = 0;
AutomaticOSInstallationEnabled = 1;
AutomaticSecurityUpdatesEnabled = 1;
BackgroundDownloadEnabled = 1;
CatalogURL = "https://swscan.apple.com/content/catalogs/others/index-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz";
IsDefaultCatalog = 1;
PreviousScanDate = "2025-04-04 15:04:55 +0000";
};
PINRequiredForDeviceLock = 1;
PINRequiredForEraseDevice = 0;
ProductName = "VirtualMac2,1";
ProvisioningUDID = 88b4b5ae13a610f22996e3bbc1db929eb47c6889;
SerialNumber = computername;
SoftwareUpdateDeviceID = VMA2MACOSAP;
SupplementalBuildVersion = 24E248;
SupportsLOMDevice = 0;
SupportsiOSAppInstalls = 1;
SystemIntegrityProtectionEnabled = 1;
UDID = "55D75D45-E87C-5896-B842-CD25AF7801CC";
XsanConfiguration = {
role = unconfigured;
};
iTunesStoreAccountIsActive = 0;
};
}
Agent response: {
QueryResponses = {
AvailableDeviceCapacity = 37;
AwaitingConfiguration = 0;
BatteryLevel = "-1";
BluetoothMAC = "00:00:00:00:00:00";
BuildVersion = 24E248;
DeviceCapacity = 62;
DeviceName = computername;
EthernetMAC = "82:2b:cb:6b:44:e5";
HasBattery = 0;
HostName = computername;
IsAppleSilicon = 1;
IsSupervised = 1;
LocalHostName = computername;
MDMOptions = {
ActivationLockAllowedWhileSupervised = 1;
BootstrapTokenAllowed = 1;
};
Model = "VirtualMac2,1";
ModelName = "Virtual Machine";
ModelNumber = "VM0001LL/A";
NotOnConsole = 0;
OSVersion = "15.4";
ProductName = "VirtualMac2,1";
ProvisioningUDID = 88b4b5ae13a610f22996e3bbc1db929eb47c6889;
SerialNumber = computername;
SoftwareUpdateDeviceID = VMA2MACOSAP;
SupplementalBuildVersion = 24E248;
SupportsiOSAppInstalls = 1;
UDID = "55D75D45-E87C-5896-B842-CD25AF7801CC";
UserID = "6E39891B-C387-491A-B8BE-F84175E42A52";
UserLongName = "User Name";
UserShortName = username;
iTunesStoreAccountIsActive = 0;
};
}
username@computername ~ %

In this output, the following section identifies the managed user:


ActiveManagedUsers = (
"6E39891B-C387-491A-B8BE-F84175E42A52"
);

In place of the account’s username, the account’s assigned UUID identifier (also referred to as a GeneratedUID) is listed. To get just that UUID, the following command can be run with root privileges:


/usr/libexec/mdmclient QueryDeviceInformation | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g'

Running this command should provide output similar to that shown below:


username@computername ~ % sudo /usr/libexec/mdmclient QueryDeviceInformation | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g'
Password:
6E39891B-C387-491A-B8BE-F84175E42A52
username@computername ~ %

To get the account username, run the following command with the UUID identifier in the appropriate place:


/usr/bin/dscl . -search /Users GeneratedUID UUID_goes_here | awk '{print $1}' | head -n 1

Running this command should provide output similar to that shown below:


username@computername ~ % /usr/bin/dscl . -search /Users GeneratedUID 6E39891B-C387-491A-B8BE-F84175E42A52 | awk '{print $1}' | head -n 1
username
username@computername ~ %

Using this information, the example script below shows how to get the account’s assigned UUID identifier and then use it to identify the managed user’s username:


#!/bin/bash
# mdmclient requires root; its stderr is discarded so that only the UUID is captured.
MDMManagedUserGUID=$(/usr/libexec/mdmclient QueryDeviceInformation 2>/dev/null | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g')
# Resolve the GeneratedUID to the account's short name via Directory Services.
MDMManagedUserUsername=$(/usr/bin/dscl . -search /Users GeneratedUID "$MDMManagedUserGUID" 2>/dev/null | awk '{print $1}' | head -n 1)
echo "GeneratedUID of the MDM managed user account: $MDMManagedUserGUID"
echo "Username of the MDM managed user account: $MDMManagedUserUsername"

Running the example script with root privileges should provide output similar to that shown below:


username@computername ~ % sudo /Users/username/mdm_enabled_user.sh
Password:
GeneratedUID of the MDM managed user account: 6E39891B-C387-491A-B8BE-F84175E42A52
Username of the MDM managed user account: username
username@computername ~ %
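The one-liner and script above assume a single entry in ActiveManagedUsers. When a Mac has more than one managed user (the network-account case mentioned earlier), the entries are comma-separated and the awk/sed pipeline leaves a trailing comma on every UUID but the last. The script below is an added example, not code from the original post: it parses the ActiveManagedUsers block properly for zero, one or many entries, also pulls out CurrentConsoleManagedUser, and keeps the dscl lookup and a root check for a live run. The sample mdmclient output embedded in it is constructed and abridged, the second UUID is made up, and all function and variable names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): a parser for the
# ActiveManagedUsers block of `mdmclient QueryDeviceInformation` that also
# handles the multi-user case. Function and variable names are assumptions.

# Constructed, abridged sample of mdmclient output so the parser can be
# exercised on a machine without MDM; the second UUID is invented.
SAMPLE_MDMCLIENT_OUTPUT='=== CPF_GetInstalledProfiles === (<Device>)
Number of <Device> profiles found: 35 (Filtered: 0)
Daemon response: {
    QueryResponses = {
        ActiveManagedUsers = (
            "6E39891B-C387-491A-B8BE-F84175E42A52",
            "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"
        );
        AutoSetupAdminAccounts = (
        );
        CurrentConsoleManagedUser = "6E39891B-C387-491A-B8BE-F84175E42A52";
        IsSupervised = 1;
    };
}'

# Constructed sample with an empty ActiveManagedUsers array (not enrolled, or
# no local managed user), to show the empty case.
SAMPLE_NO_MANAGED_USERS='Daemon response: {
    QueryResponses = {
        ActiveManagedUsers = (
        );
        IsSupervised = 1;
    };
}'

# Read mdmclient output on stdin; print one GeneratedUID per line.
# Only lines between "ActiveManagedUsers = (" and the closing ");" are
# considered; quotes, commas and whitespace are stripped, and any token that
# is not UUID-shaped is ignored.
extract_managed_user_uuids() {
    awk '
        /ActiveManagedUsers = \(/ { in_block = 1; next }
        in_block && /^[ \t]*\);/   { in_block = 0; next }
        in_block {
            gsub(/[", \t]/, "")
            if ($0 ~ /^[0-9A-Fa-f-]+$/) print
        }
    '
}

# Read mdmclient output on stdin; print the CurrentConsoleManagedUser UUID,
# or nothing if the key is absent.
extract_console_managed_user() {
    awk -F'"' '/CurrentConsoleManagedUser = "/ { print $2; exit }'
}

# Count the managed users listed in a given mdmclient output string.
count_managed_users() {
    printf '%s\n' "$1" | extract_managed_user_uuids | wc -l | tr -d ' '
}

# Resolve a GeneratedUID to the account short name via dscl (macOS only,
# same lookup as in the post).
uuid_to_username() {
    /usr/bin/dscl . -search /Users GeneratedUID "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Live run against the local Mac; mdmclient needs root.
main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "mdmclient QueryDeviceInformation must be run as root" >&2
        return 1
    fi
    output=$(/usr/libexec/mdmclient QueryDeviceInformation 2>/dev/null)
    uuids=$(printf '%s\n' "$output" | extract_managed_user_uuids)
    if [ -z "$uuids" ]; then
        echo "No MDM-managed local user found (device may not be enrolled)"
        return 0
    fi
    echo "Console managed user: $(printf '%s\n' "$output" | extract_console_managed_user)"
    for uuid in $uuids; do
        echo "$uuid -> $(uuid_to_username "$uuid")"
    done
}

# Only touch mdmclient when explicitly asked, so the parser functions can be
# sourced and exercised on any system:  sudo ./managed_users.sh --live
if [ "${1:-}" = "--live" ]; then
    main
fi
```

Run with `sudo ./managed_users.sh --live` on an enrolled Mac; without `--live` the file only defines the functions, so it can be sourced to test the parser on saved mdmclient output. The parser deliberately whitelists UUID-shaped tokens rather than trusting line position, so a changed key order or extra whitespace in a future macOS release does not silently produce a wrong value.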

Article source: https://derflounder.wordpress.com/2025/04/04/identifying-mdm-managed-user-accounts-on-macos-sequoia/