Maybe I'm going crazy, but I don't remember the JSS default MDM profile created when the Mac is enrolled in Casper as being removable. Now it is in Macs enrolled in our JSS (v9.72). I can't seem to find any setting that specifies removable or not.
That's normal. You can passcode protect any other profiles deployed as part of the management, but Apple always allows the user to "opt-out" of the management by removing the top level MDM profile.
DEP can help with this by ensuring any devices running through the setup assistant get enrolled by default.
That seems... odd. Removing the top level MDM Profile then removes all other Profiles, effectively removing any of my enforced settings that I've enforced via profile.
Tell me about it, pretty annoying!
It stems from Apple's view that the device belongs to the user and it's their choice. My method is to link email access, VPN, apps etc. to MDM. If the user un-enrolls, they lose the lot. Apart from a few hardcore resistance fighters, most usually re-enroll soon after!
For the time being, I'm testing an alternate Profile that disables access to the profiles prefpane, unless a device is part of a particular 'department', which removes that restriction.
When you remove that profile, the computer record attribute "MDM Capable" changes from Yes to No.
Create a smart group looking for 'No' and then create an ongoing policy to re-manage those devices.
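For anyone who wants to see what the extension attribute behind that smart group can look like, here is an added example (my own script, not one from the thread or from Jamf's templates). It reports whether the Mac still holds an MDM enrollment by parsing the output of `profiles status -type enrollment` (present on macOS 10.13.4 and later) and wraps the answer in the `<result>` tags the JSS expects from an EA. The sample output used when the script runs off a Mac is constructed; the exact wording of the `profiles` output is assumed from the macOS versions I have seen it on, so check it on your own fleet before trusting the 'No' value for an ongoing re-manage policy.

```shell
#!/bin/sh
# Added example (not from the thread): a Jamf extension attribute script that
# reports whether this Mac still has an MDM enrollment. The jamf binary runs
# EAs as root during inventory, so `profiles` has what it needs.

# Parse the "MDM enrollment:" line of `profiles status -type enrollment`
# output (passed in as a string) and return Yes or No. Parsing a string
# rather than calling the tool directly keeps the logic testable anywhere.
mdm_enrolled_from_status() {
    status_text="$1"
    if printf '%s\n' "$status_text" | grep -q '^MDM enrollment: *Yes'; then
        echo "Yes"
    else
        echo "No"
    fi
}

# Wrap the value in the <result> tags the JSS expects from an EA script.
format_ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Only query the real profiles tool on macOS; elsewhere fall back to a
# constructed sample so the script still runs for demonstration.
if [ -x /usr/bin/profiles ]; then
    status_text="$(/usr/bin/profiles status -type enrollment 2>/dev/null)"
else
    # constructed sample output, assumed to match the macOS format
    status_text="Enrolled via DEP: No
MDM enrollment: No"
fi

format_ea_result "$(mdm_enrolled_from_status "$status_text")"
```

Point a smart group at this EA with the value 'No' and attach the re-manage policy to it; because the EA is recomputed at every inventory update, a Mac whose user pulled the MDM profile shows up on the next check-in without anyone having to watch the Profiles pane.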
@dpertschi - I don't see this in the pre-defined list of smart group criteria, are you using an extension attribute for this?
Is it the "Verify MDM enrollment" option on smart group criteria?
No, it is not, but that's because it's an extension attribute. I just found it in the pre-built-template list. It'll be on here shortly.
Ah, got it. I must have added that EA a while ago and forgot about it!
That's going to work perfectly. Thanks folks!!
I was just looking at doing this the other day, totally missed the extension attribute template.
So, to re-enroll, is there a built-in function for that that I'm also missing somewhere? If not, how are you getting the machines re-enrolled for MDM?
edit: when in doubt, check with Rich
Just use jamf binary manage command in the Files/Processes > Execute Command field: jamf manage
You might run into timing issues with that, see Rich's article here
Using
jamf mdm -verbose
if you're running 9.4 or higher avoids that.
Is there a quick and easy method to re-enroll iPads? The thread so far looks great for managing desktops and laptops. iPads have the same issue.
This is slightly off topic to this thread @BVikse, iPads should be Supervised when they are enrolled using Apple Configurator or DEP so the MDM profiles are not removable. Plus, you get other perks to an iPad being supervised.
If an iPad is enrolled by going to the enrollment URL on the iPad I believe it can not be supervised, useful in a situation like BYOD where Supervision isn't relevant because it's not your iPad but you want to be able to push apps etc.
That is not the case we are seeing with our iPads. We have about a hundred iPads that are not in DEP which we run through Configurator. It is set up to use the JSS's supervision identity so iPads can be set up managed and supervised by Configurator.
It runs perfectly with iPads in DEP by the cart-full, MDM profile can't be removed. Not in DEP, still managed and supervised, communicate with the JSS just fine, but the MDM profile is removable.
@BVikse & @adamcodega Only way to have an iPad enrolled with an MDM profile that's not removable is DEP, Supervision from Configurator allows you to remove the profile.
But, look at some of the WWDC videos when released (especially the one on Management) about some changes that might happen here.
And the video has already been posted [here](https://developer.apple.com/videos/play/wwdc2017/304/)
I hate to bring back a dead thread, but was there ever any update to this process? I am noticing that two of my main MDM profiles have the option to be removed. I want to disable that on "ALL" profiles without having to disable the whole Profiles tab altogether.
This would greatly be appreciated.