Identifying MDM-managed user accounts on macOS Sequoia
When enrolling a device into an MDM server using device enrollment, a couple of things happen as part of the MDM enrollment process:
There are additional details on what it means to be a managed user, but one of the most important is that, in this context, being a managed user means that that local user account can be managed via user-level MDM profiles. Other local accounts on the Mac cannot be managed by user-level MDM profiles.
Note: Network users (for example, Active Directory mobile user accounts) who log in to the device can become managed users on login, so that a Mac can have multiple managed users. However, when only dealing with local accounts, you would just have one managed user in the context of being managed by the MDM service.
It’s not obvious from the Mac’s end which local user account is the MDM-managed user, but it is possible to use the mdmclient command line tool to get this information. For more details, please see below the jump.
To get information on the MDM management status of the device, including information on the managed user, the following command can be run with root privileges:
```
/usr/libexec/mdmclient QueryDeviceInformation
```
Running this command should provide output similar to that shown below:
```
username@computername ~ % sudo /usr/libexec/mdmclient QueryDeviceInformation
Password:
=== CPF_GetInstalledProfiles === (<Device>)
Number of <Device> profiles found: 35 (Filtered: 0)
Daemon response: {
    QueryResponses = {
        ActiveManagedUsers = (
            "6E39891B-C387-491A-B8BE-F84175E42A52"
        );
        AutoSetupAdminAccounts = (
        );
        AvailableDeviceCapacity = 37;
        AwaitingConfiguration = 0;
        BatteryLevel = "-1";
        BluetoothMAC = "00:00:00:00:00:00";
        BuildVersion = 24E248;
        CurrentConsoleManagedUser = "6E39891B-C387-491A-B8BE-F84175E42A52";
        DeviceCapacity = 62;
        DeviceName = computername;
        EACSPreflight = "Bootstrap Token provided by MDM failed to verify.";
        EthernetMAC = "82:2b:cb:6b:44:e5";
        HasBattery = 0;
        HostName = computername;
        IsActivationLockEnabled = 0;
        IsActivationLockSupported = 1;
        IsAppleSilicon = 1;
        IsSupervised = 1;
        LocalHostName = computername;
        MDMOptions = {
            ActivationLockAllowedWhileSupervised = 1;
            BootstrapTokenAllowed = 1;
        };
        Model = "VirtualMac2,1";
        ModelName = "Virtual Machine";
        ModelNumber = "VM0001LL/A";
        OSUpdateSettings = {
            AutoCheckEnabled = 1;
            AutomaticAppInstallationEnabled = 0;
            AutomaticOSInstallationEnabled = 1;
            AutomaticSecurityUpdatesEnabled = 1;
            BackgroundDownloadEnabled = 1;
            CatalogURL = "https://swscan.apple.com/content/catalogs/others/index-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz";
            IsDefaultCatalog = 1;
            PreviousScanDate = "2025-04-04 15:04:55 +0000";
        };
        OSVersion = "15.4";
        OSXSoftwareUpdateStatus = {
            AutoCheckEnabled = 1;
            AutomaticAppInstallationEnabled = 0;
            AutomaticOSInstallationEnabled = 1;
            AutomaticSecurityUpdatesEnabled = 1;
            BackgroundDownloadEnabled = 1;
            CatalogURL = "https://swscan.apple.com/content/catalogs/others/index-15-14-13-12-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz";
            IsDefaultCatalog = 1;
            PreviousScanDate = "2025-04-04 15:04:55 +0000";
        };
        PINRequiredForDeviceLock = 1;
        PINRequiredForEraseDevice = 0;
        ProductName = "VirtualMac2,1";
        ProvisioningUDID = 88b4b5ae13a610f22996e3bbc1db929eb47c6889;
        SerialNumber = computername;
        SoftwareUpdateDeviceID = VMA2MACOSAP;
        SupplementalBuildVersion = 24E248;
        SupportsLOMDevice = 0;
        SupportsiOSAppInstalls = 1;
        SystemIntegrityProtectionEnabled = 1;
        UDID = "55D75D45-E87C-5896-B842-CD25AF7801CC";
        XsanConfiguration = {
            role = unconfigured;
        };
        iTunesStoreAccountIsActive = 0;
    };
}
Agent response: {
    QueryResponses = {
        AvailableDeviceCapacity = 37;
        AwaitingConfiguration = 0;
        BatteryLevel = "-1";
        BluetoothMAC = "00:00:00:00:00:00";
        BuildVersion = 24E248;
        DeviceCapacity = 62;
        DeviceName = computername;
        EthernetMAC = "82:2b:cb:6b:44:e5";
        HasBattery = 0;
        HostName = computername;
        IsAppleSilicon = 1;
        IsSupervised = 1;
        LocalHostName = computername;
        MDMOptions = {
            ActivationLockAllowedWhileSupervised = 1;
            BootstrapTokenAllowed = 1;
        };
        Model = "VirtualMac2,1";
        ModelName = "Virtual Machine";
        ModelNumber = "VM0001LL/A";
        NotOnConsole = 0;
        OSVersion = "15.4";
        ProductName = "VirtualMac2,1";
        ProvisioningUDID = 88b4b5ae13a610f22996e3bbc1db929eb47c6889;
        SerialNumber = computername;
        SoftwareUpdateDeviceID = VMA2MACOSAP;
        SupplementalBuildVersion = 24E248;
        SupportsiOSAppInstalls = 1;
        UDID = "55D75D45-E87C-5896-B842-CD25AF7801CC";
        UserID = "6E39891B-C387-491A-B8BE-F84175E42A52";
        UserLongName = "User Name";
        UserShortName = username;
        iTunesStoreAccountIsActive = 0;
    };
}
username@computername ~ %
```
In this output, the following section provides information on the managed user:
```
ActiveManagedUsers = (
    "6E39891B-C387-491A-B8BE-F84175E42A52"
);
```
In place of the account’s username, the account’s assigned UUID identifier (also referred to as a GeneratedUID) is listed. To get just that UUID, the following command can be run with root privileges:
```
/usr/libexec/mdmclient QueryDeviceInformation | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g'
```
Running this command should provide output similar to that shown below:
```
username@computername ~ % sudo /usr/libexec/mdmclient QueryDeviceInformation | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g'
Password:
6E39891B-C387-491A-B8BE-F84175E42A52
username@computername ~ %
```
To get the account username, run the following command with the UUID identifier in the appropriate place:
```
/usr/bin/dscl . -search /Users GeneratedUID UUID_goes_here | awk '{print $1}' | head -n 1
```
Running this command should provide output similar to that shown below:
```
username@computername ~ % /usr/bin/dscl . -search /Users GeneratedUID 6E39891B-C387-491A-B8BE-F84175E42A52 | awk '{print $1}' | head -n 1
username
username@computername ~ %
```
Using this information, see below for an example script showing how you can get the account’s assigned UUID identifier and then use it to identify the managed user’s username:
```
#!/bin/bash

# Get the GeneratedUID listed in the ActiveManagedUsers array (requires root).
# The stderr redirect is placed on mdmclient itself so its errors are actually suppressed.
MDMManagedUserGUID=$(/usr/libexec/mdmclient QueryDeviceInformation 2>/dev/null | awk '/ActiveManagedUsers/ , /;/ {print $NF}' | sed -e '1d;$d' -e 's/"//g')

# Look up the local account whose GeneratedUID matches that UUID.
MDMManagedUserUsername=$(/usr/bin/dscl . -search /Users GeneratedUID "$MDMManagedUserGUID" 2>/dev/null | awk '{print $1}' | head -n 1)
echo "GeneratedUID of the MDM managed user account: $MDMManagedUserGUID"
echo "Username of the MDM managed user account: $MDMManagedUserUsername"
```
Running the example script with root privileges should provide output similar to that shown below:
```
username@computername ~ % sudo /Users/username/mdm_enabled_user.sh
Password:
GeneratedUID of the MDM managed user account: 6E39891B-C387-491A-B8BE-F84175E42A52
Username of the MDM managed user account: username
username@computername ~ %
```
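The note near the top of this post says a Mac can have multiple managed users once network accounts log in. The following added example (not part of the original post) goes one step beyond the single-user script: it parses every entry in ActiveManagedUsers, accepts only well-formed UUIDs before they reach dscl, and resolves each one separately. It assumes that several entries appear as comma-separated quoted UUIDs inside the array; the function names and the second UUID in the sample are constructed for illustration.

```bash
#!/bin/bash
# Added example: list every MDM managed user, not only the first one.

# Read mdmclient QueryDeviceInformation output on stdin and print each
# well-formed UUID found inside the ActiveManagedUsers array, one per line.
active_managed_user_uuids() {
  awk '
    /ActiveManagedUsers = \(/ { inside = ($0 !~ /\)/); next }
    inside && /\)/            { inside = 0; next }
    inside {
      gsub(/[" ,\t]/, "")
      hex = $0; dashes = gsub(/-/, "", hex)
      # Accept only the 8-4-4-4-12 hex layout, so stray text never reaches dscl.
      if (length($0) == 36 && dashes == 4 && hex ~ /^[0-9A-Fa-f]+$/ &&
          (substr($0, 9, 1) substr($0, 14, 1) substr($0, 19, 1) substr($0, 24, 1)) == "----")
        print
    }'
}

# Resolve one GeneratedUID to a local account short name (macOS only).
username_for_uuid() {
  /usr/bin/dscl . -search /Users GeneratedUID "$1" 2>/dev/null | awk 'NR == 1 {print $1}'
}

# Constructed sample: the second UUID is made up to model a Mac with two managed users.
sample_output() {
  cat <<'EOF'
Daemon response: {
    QueryResponses = {
        ActiveManagedUsers = (
            "6E39891B-C387-491A-B8BE-F84175E42A52",
            "0A1B2C3D-0000-4000-8000-00000000ABCD"
        );
        AutoSetupAdminAccounts = (
        );
        CurrentConsoleManagedUser = "6E39891B-C387-491A-B8BE-F84175E42A52";
    };
}
EOF
}

# On a Mac, as root, query the live device; anywhere else this step is skipped.
if [ -x /usr/libexec/mdmclient ] && [ "$(id -u)" -eq 0 ]; then
  /usr/libexec/mdmclient QueryDeviceInformation 2>/dev/null | active_managed_user_uuids |
    while read -r uuid; do
      echo "$uuid -> $(username_for_uuid "$uuid")"
    done
fi
```

To see the parser work without an enrolled Mac, run `sample_output | active_managed_user_uuids`.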