Using /usr/libexec/mdmclient DumpManagementStatus to get information about MDM management
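This article describes how to use the `mdmclient DumpManagementStatus` tool on macOS to get MDM management status information, shows the output produced by different enrollment methods, and provides example commands for extracting the server URL, checking ADE enrollment, and more. 2025-3-16 17:20:58 Author: derflounder.wordpress.com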


On macOS, you can use the DumpManagementStatus function of the mdmclient command line tool to provide a lot of useful information if your Mac is enrolled with a mobile device management (MDM) server. This function outputs information in a JSON-like format that looks similar to this:


Management status: {
DeviceIsSupervised = 1;
EnrolledInDEP = 0;
MDMDeniesActivationLock = 0;
MDMs = {
"95953F77-BD20-461B-87DE-41C96D796CF6" = {
AdminRemovalDisallowed = 0;
DeniesActivationLock = 0;
IsActivationLockManageable = 1;
IsAnyMDM = 1;
IsDEP = 0;
IsMDMv1 = 1;
IsManagementSeparated = 0;
IsSupervised = 1;
IsUserApproved = 1;
IsUserEnrollment = 0;
OrigInstallOSVersion = "15.3.2";
PayloadOrgName = "Company Name";
ProfileOrgName = "Company Name";
ServerType = 1;
ServerURL = "https://mdm.server.goes.here/mdm/ServerURL";
};
};
MajorOSUpdatesManaged = 1;
ManagedViaMDM = 1;
UserApprovedMDMs = (
"95953F77-BD20-461B-87DE-41C96D796CF6"
);
}

The above output is how MDM management may look if a Mac was enrolled using a profile, as opposed to being enrolled via Automated Device Enrollment (ADE). A Mac which was enrolled via ADE may display information which looks like this:


Management status: {
DEPEnrolledMDMs = (
"FD6D884A-CE08-4136-BD84-00DB5A6DC786"
);
DeviceIsSupervised = 1;
EnrolledInDEP = 1;
MDMDeniesActivationLock = 1;
MDMs = {
"FD6D884A-CE08-4136-BD84-00DB5A6DC786" = {
AdminRemovalDisallowed = 0;
DeniesActivationLock = 1;
IsActivationLockManageable = 1;
IsAnyMDM = 1;
IsDEP = 1;
IsMDMv1 = 1;
IsManagementSeparated = 0;
IsSupervised = 1;
IsUserApproved = 1;
IsUserEnrollment = 0;
OrganizationInfo = {
OrganizationAddress = "1234 Main Street , Suite 548, Anytown, NJ 12345";
OrganizationAddressLine1 = "1234 Main Street";
OrganizationAddressLine2 = "Suite 548";
OrganizationCity = Anytown;
OrganizationCountry = USA;
OrganizationDepartment = "Information Technology";
OrganizationEmail = "[email protected]";
OrganizationMagic = F026E1B424194FA3B6DFCCB01983FB6F;
OrganizationName = "Company Name";
OrganizationPhone = "+1 (555) 867-5309";
OrganizationSupportEmail = "[email protected]";
OrganizationSupportPhone = "+1 (555) 867-5309";
OrganizationZipCode = 12345;
};
OrigInstallOSVersion = "15.3.2";
PayloadOrgName = "Company Name";
ProfileOrgName = "Company Name";
ServerType = 1;
ServerURL = "https://mdm.server.goes.here/mdm/ServerURL";
};
};
MajorOSUpdatesManaged = 1;
ManagedViaMDM = 1;
UserApprovedMDMs = (
"FD6D884A-CE08-4136-BD84-00DB5A6DC786"
);
}

Meanwhile, a Mac which is not enrolled with an MDM server may display output which looks like this:


Management status: (null)


The information provided by this tool can be used in a variety of ways. For example, if you want to get the URL of your MDM server, you can run the following command:


/usr/libexec/mdmclient DumpManagementStatus | awk '/ServerURL/ {print $3}' | sed -e 's/"//g' -e 's|\(\(/[^/]*\)\{2\}\).*|\1|' 2>/dev/null

You should get output which looks similar to this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/ServerURL/ {print $3}' | sed -e 's/"//g' -e 's|\(\(/[^/]*\)\{2\}\).*|\1|' 2>/dev/null
https://mdm.server.goes.here
username@computername ~ %

If you want to check if your Mac was enrolled via ADE, you can run the following command:


/usr/libexec/mdmclient DumpManagementStatus | awk '/IsDEP/ {print $NF}' | sed 's/;//'

A Mac which is enrolled via ADE should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/IsDEP/ {print $NF}' | sed 's/;//'
1
username@computername ~ %

A Mac which is not enrolled via ADE should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/IsDEP/ {print $NF}' | sed 's/;//'
0
username@computername ~ %

If you want to check if your Mac was enrolled via Account Driven User Enrollment (ADUE) or via profile-based user enrollment, you can run the following command:


/usr/libexec/mdmclient DumpManagementStatus | awk '/IsUserEnrollment/ {print $NF}' | sed 's/;//'

A Mac which is enrolled via ADUE or via profile-based user enrollment should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/IsUserEnrollment/ {print $NF}' | sed 's/;//'
1
username@computername ~ %

A Mac which is not enrolled via ADUE or via profile-based user enrollment should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/IsUserEnrollment/ {print $NF}' | sed 's/;//'
0
username@computername ~ %

If you want to check whether your Mac was enrolled via Account Driven Device Enrollment (ADDE), as opposed to being enrolled via ADE or a profile-based device enrollment, you can run the following command:


/usr/libexec/mdmclient DumpManagementStatus | awk '/ServerType/ {print $NF}' | sed 's/;//'

A Mac which is enrolled via ADDE should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/ServerType/ {print $NF}' | sed 's/;//'
5
username@computername ~ %

A Mac which is enrolled via ADE or a profile-based device enrollment should return output which looks like this:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | awk '/ServerType/ {print $NF}' | sed 's/;//'
1
username@computername ~ %

One thing to be aware of is that this output is not actually in JSON format, though it looks like it is. The output is in Apple’s property list (plist) format, which can be expressed in a JSON-like format. The reason I mention this is that trying to parse the output using tools like jq may result in errors similar to what’s shown below:


username@computername ~ % /usr/libexec/mdmclient DumpManagementStatus | jq .
jq: parse error: Invalid numeric literal at line 1, column 11
username@computername ~ %
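
Because jq cannot read this output, the three checks above (IsUserEnrollment, ServerType, IsDEP) can be combined with awk into one verdict that also handles the `Management status: (null)` case of an unenrolled Mac. This is an added example, not code from the original post; the function names, verdict labels, order of the checks and sample dumps are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): classify enrollment from the
# text printed by /usr/libexec/mdmclient DumpManagementStatus, read on stdin.

# mdm_field KEY: value of the first line whose key is exactly KEY.
# Matching $1 exactly avoids hits on other lines that merely contain KEY.
# Only single-token values (0/1, numbers, URLs) are handled.
mdm_field() {
    awk -v key="$1" '
        !found && $1 == key && $2 == "=" {
            v = $3; sub(/;$/, "", v); gsub(/"/, "", v)
            print v; found = 1
        }'
}

# Prints: not-enrolled | user-enrollment | adde | ade | profile | unknown
# Labels and the order of the checks are assumptions of this example.
mdm_enrollment_type() {
    mdm_dump=$(cat)
    case "$mdm_dump" in
        *"Management status: (null)"*) echo "not-enrolled"; return 0 ;;
    esac
    mdm_user=$(printf '%s\n' "$mdm_dump" | mdm_field IsUserEnrollment)
    mdm_stype=$(printf '%s\n' "$mdm_dump" | mdm_field ServerType)
    mdm_dep=$(printf '%s\n' "$mdm_dump" | mdm_field IsDEP)
    if [ -z "$mdm_user$mdm_stype$mdm_dep" ]; then echo "unknown"  # empty or unparsable
    elif [ "$mdm_user" = "1" ]; then echo "user-enrollment"       # ADUE or profile-based user enrollment
    elif [ "$mdm_stype" = "5" ]; then echo "adde"
    elif [ "$mdm_dep" = "1" ]; then echo "ade"
    else echo "profile"                                           # profile-based device enrollment
    fi
}

# Constructed sample dumps (placeholder values, trimmed to the keys used).
SAMPLE_ADE='Management status: {
    EnrolledInDEP = 1;
    MDMs =     {
        "00000000-0000-0000-0000-000000000000" =         {
            IsDEP = 1;
            IsUserEnrollment = 0;
            ServerType = 1;
            ServerURL = "https://mdm.example.invalid/mdm/ServerURL";
        };
    };
}'
SAMPLE_NONE='Management status: (null)'

printf '%s\n' "$SAMPLE_ADE"  | mdm_enrollment_type
printf '%s\n' "$SAMPLE_NONE" | mdm_enrollment_type
```

On a Mac, source the functions and pipe the real output in: `/usr/libexec/mdmclient DumpManagementStatus | mdm_enrollment_type`.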

Article source: https://derflounder.wordpress.com/2025/03/16/using-usr-libexec-mdmclient-dumpmanagementstatus-to-get-information-about-mdm-management/