Identifying MDM-managed user accounts using System Information on macOS Tahoe

A while back, I had written a post on how to identify MDM-managed user accounts using the mdmclient command line tool. While this method continues to work on macOS Tahoe, it does have a drawback – the mdmclient tool will only report this information if the MDM-managed user account is currently logged in.

There is an alternative way to get this information though, as it is also available via the System Information app included with macOS. This information should be available regardless of whether the MDM-managed user account is logged in or not. For more details, please see below the jump.

In the System Information app, you can access information about the MDM-managed user account by selecting the Profiles section, then clicking on the MDM Profile listing. If this Mac has an MDM-managed user account, it should be listed as Managed User in the Other Info section at the end of the MDM Profile listing’s information.

In place of listing the account’s username, the Managed User information provides two items of information:

  • The account’s assigned UUID identifier (also referred to as a GeneratedUID.)
  • The account’s assigned user identifier (also referred to as a UID.)

 

This information can also be obtained using the system_profiler command line tool, where you should only need the account’s assigned UUID identifier in order to identify the account.

To get the UUID identifier information using the system_profiler tool, the following command can be run:





/usr/sbin/system_profiler SPConfigurationProfileDataType | grep "Managed User" | sed -E 's/.* ([0-9A-F-]{36}) .*/\1/'

Running this command should provide output similar to that shown below:





username@ZWD3QRQYG2 ~ % /usr/sbin/system_profiler SPConfigurationProfileDataType | grep "Managed User" | sed -E 's/.* ([0-9A-F-]{36}) .*/\1/'
88B48FCB-E137-4D9F-B4E9-7806396ACED7
username@ZWD3QRQYG2 ~ %

To get the account username, run the following command with the UUID identifier in the appropriate place:





/usr/bin/dscl . -search /Users GeneratedUID UUID_goes_here | awk '{print $1}' | head -n 1

Running this command should provide output similar to that shown below:





username@ZWD3QRQYG2 ~ % /usr/bin/dscl . -search /Users GeneratedUID 88B48FCB-E137-4D9F-B4E9-7806396ACED7 | awk '{print $1}' | head -n 1
username
username@ZWD3QRQYG2 ~ %

Using this information, see below for an example script showing how you can get the account’s assigned UUID identifier and then use it to identify the managed user’s username:





#!/bin/zsh
# Read the managed user's GeneratedUID from the "Managed User" entry of the MDM profile.
MDMManagedUserGUID=$(/usr/sbin/system_profiler SPConfigurationProfileDataType | grep "Managed User" | sed -E 's/.* ([0-9A-F-]{36}) .*/\1/')
# Find the local account with that GeneratedUID; any dscl error output is discarded.
MDMManagedUserUsername=$(/usr/bin/dscl . -search /Users GeneratedUID "$MDMManagedUserGUID" 2>/dev/null | awk '{print $1}' | head -n 1)
echo "GeneratedUID of the MDM managed user account: $MDMManagedUserGUID"
echo "Username of the MDM managed user account: $MDMManagedUserUsername"

Running the example script should provide output similar to that shown below:





username@ZWD3QRQYG2 ~ % ./mdm_managed_user_lookup.sh
GeneratedUID of the MDM managed user account: 88B48FCB-E137-4D9F-B4E9-7806396ACED7
Username of the MDM managed user account: username
username@ZWD3QRQYG2 ~ %
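
The same two-step lookup with input validation, as an added example that is not part of the original post: it emits only a well-formed UUID (or fails when the Mac has no managed user) and requires exactly one matching account instead of taking the first line. The sample inputs are constructed, their line layout is an assumption based on the post's grep/sed pattern, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
UUID_RE='[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}'

# stdin:  output of /usr/sbin/system_profiler SPConfigurationProfileDataType
# stdout: GeneratedUID from the "Managed User" entry; returns 1 if there is none.
# grep -o prints only the matched UUID, whereas sed would pass a non-matching
# "Managed User" line through unchanged and hand it to dscl as the search value.
managed_user_guid() {
  guid=$(grep "Managed User" | grep -Eo "$UUID_RE" | head -n 1)
  [ -n "$guid" ] || return 1
  printf '%s\n' "$guid"
}

# stdin:  output of /usr/bin/dscl . -search /Users GeneratedUID <uuid>
# stdout: the account name, only when exactly one record matched; else returns 1.
username_from_dscl() {
  names=$(awk '/GeneratedUID = /{print $1}' | sort -u)
  [ -n "$names" ] || return 1
  count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
  [ "$count" -eq 1 ] || return 1
  printf '%s\n' "$names"
}

# Constructed sample inputs; the line layout is an assumption.
SAMPLE_PROFILER='          Managed User: 88B48FCB-E137-4D9F-B4E9-7806396ACED7 (502)'
SAMPLE_DSCL='username  GeneratedUID = (
    "88B48FCB-E137-4D9F-B4E9-7806396ACED7"
)'

# On a Mac, replace the printf calls with the real commands shown in the post.
if guid=$(printf '%s\n' "$SAMPLE_PROFILER" | managed_user_guid) &&
   user=$(printf '%s\n' "$SAMPLE_DSCL" | username_from_dscl); then
  echo "GeneratedUID $guid belongs to account: $user"
else
  echo "No MDM-managed user account could be identified" >&2
fi
```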

Original link: https://derflounder.wordpress.com/2025/10/18/identifying-mdm-managed-user-accounts-using-system-information-on-macos-tahoe/