name: mdm
notes: Requires [macadmins-extension](https://github.com/macadmins/osquery-extension/), which is included by default on osquery packages built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).<p> Code based on work by [Kolide](https://github.com/kolide/launcher). <p> Due to changes in macOS 12.3, the output of `profiles show -type enrollment` can only be generated once a day. If you are running this command with another tool, you should set the `PROFILES_SHOW_ENROLLMENT_CACHE_PATH` environment variable to the path you are caching this. The cache file should be `json` with the keys `dep_capable` and `rate_limited present`, both booleans representing whether the device is capable of DEP enrollment and whether the response from `profiles show -type enrollment` is being rate limited or not.
description: Information on the device's MDM enrollment.
platforms: darwin
evented: false
examples: >-
  Identify Macs that are DEP capable but have not been enrolled to MDM.

  ```
  
  SELECT * FROM mdm WHERE dep_capable='true' AND enrolled='false';
  
  ```
columns:
  - name: access_rights
    description: The access rights of the payload. The resulting number is the total of every [AccessRight](https://developer.apple.com/documentation/devicemanagement/mdm) added up.
    required: false
    type: integer
  - name: checkin_url
    description: The URL the Mac checks in with, which should point to your MDM server.
    required: false
    type: text
  - name: dep_capable
    description: Indicates if the computer is DEP capable or not, even if it is not currently enrolled into MDM.
    required: false
    type: text
  - name: enrolled
    description: Indicates if the computer is enrolled into MDM.
    required: false
    type: text
  - name: has_scep_payload
    description: Indicates if the computer has a certificate used by the MDM server to authenticate it.
    required: false
    type: text
  - name: identity_certificate_uuid
    description: The [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the [SCEP](https://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol) certificate.
    required: false
    type: text
  - name: install_date
    description: The date on which the MDM payload was installed on the Mac.
    required: false
    type: text
  - name: installed_from_dep
    description: Indicates if the MDM payload was installed via DEP or not.
    required: false
    type: text
  - name: payload_identifier
    description: The identifier of the MDM payload.
    required: false
    type: text
  - name: server_url
    description: The URL of the MDM server used by this computer. 
    required: false
    type: text
  - name: sign_message
    description: Indicates if messages sent and received from the MDM server must be signed.
    required: false
    type: text
  - name: topic
    description: The topic MDM listens to for push notifications. 
    required: false
    type: text
  - name: user_approved
    description: Indicates if this MDM payload was approved by the user.
    required: false
    type: text