Question

How to restrict removal of Profiles

  • February 6, 2014
  • 25 replies
  • 152 views

We have students using iPads that are removing the MDM profile. Is there a way to prevent this?

25 replies

  • Contributor
  • February 10, 2014

We are having the same problem on MacBooks. Seems like you need admin access to remove individual profiles but anyone can remove the MDM enrollment profile, which doesn't make sense.


  • Honored Contributor
  • February 10, 2014

On the iPad there is currently no way to prevent the removal of the MDM profile. Apple considers MDM for iOS to be opt-in, which means that anyone can opt-out at any time. I always found/find it infuriating when the engineers at the Apple Edu Tech Updates say to use the "carrot" method for keeping iPads enrolled in MDM, meaning "don't tell them the wireless password, have wireless tied to MDM enrollment", which is absolute CRAP for a district of 130+ schools, all of which know their wireless passwords.


mm2270
  • Legendary Contributor
  • February 10, 2014

My information on iOS MDM is very outdated at this point, but I thought it was possible to lock the profile when using iOS devices in Supervised mode. I know Supervised mode is not viable in many environments, but that's how I understood things to be. Again, my info on this is fuzzy, so I may be wrong.

It would be nice if Apple would bend a little on this point. In large environs, it's crazy that a student can simply un-enroll their devices within seconds with a few taps.


  • Honored Contributor
  • February 10, 2014

If you have access to the WWDC 2013 session videos, I would suggest checking out session 300 for a glimpse of what may should be coming with regard to the MDM spec.


  • Valued Contributor
  • February 10, 2014

Ah the vaporware video...


  • Honored Contributor
  • February 10, 2014

Yep, Apple is clearly too busy selling iPhones/iPads to consumers to put much effort into extending the MDM spec. Very VERY frustrating for us enterprise customers. By the time they figure it out and MDM vendors adopt any new functionality, Google Chromebooks will have gained a big foothold in our district. At least we can lock those into our Google domain / Google management.

I can only imagine how it is going with the LAUSD iPad rollout....


John_Wetter
  • Hall of Fame
  • February 10, 2014

To protect the MDM enrollment it needs to be part of the supervision. That's the only way to lock it in. Yes, the WWDC vaporware video just makes me roll my eyes right now, but hearing about ongoing beta programs in the industry, it seems like we're actually getting close on this now. Of course, you'll need to re-supervise when we get there most likely which means a wipe. So, the carrot method is the only way right now. That, or just alert on students removing the profile and it becomes a discipline matter then... Those are your choices! There is a support paradigm shift there as well that needs to happen which makes things more difficult. I'll admit I chuckle a bit when I see Chromebooks as the threat to iPads, because let's be real, they're two completely different things with their own issues; the reason they're gaining a foothold is the price point.


  • Contributor
  • February 26, 2015

Has this been updated at all? I'd like to use Configurator to prevent the MDM enrollment cert from being removed from a classroom set of iPads. Is this at all possible?


RobertHammen
  • Esteemed Contributor
  • February 27, 2015

With iOS 8, you can't use Configurator to enroll the device and make the MDM profile unremovable. You have to use DEP.

Repeat after me. "There is no Configurator. There is only Zuul-, err, DEP."


  • Contributor
  • February 27, 2015

Configurator makes me want to punch kittens.. I avoid it like the plague.


  • Contributor
  • January 13, 2016

Does anyone know if this is possible yet for iPads?


  • New Contributor
  • January 13, 2016

@rchawla You can restrict removal if you set up the iPads with a pre-stage enrolment from DEP.


  • Contributor
  • January 29, 2016

@Matt_Sim Is that done via JAMF or from Apple DEP?


  • Valued Contributor
  • January 29, 2016

To repeat and simplify the answer to the original question:

"We have students using iPads that are removing the MDM profile. Is there a way to prevent this?"

Using Apple's Device Enrollment Program (DEP) is the only way to enroll an iOS device into a Mobile Device Management solution such as The Casper Suite and have that enrollment be non-removable.

Apple's Device Enrollment Program for Education


  • New Contributor
  • February 5, 2016

Can you please note HOW to do this?

We just got our DEP set up and I have a device that is showing as supervised, but I can still remove the profile just as before with the iPad login password. Like most Apple things this is shitty by design.


  • Contributor
  • February 5, 2016

You need to set up a PreStage Enrollment with the options to Supervise Devices and Make MDM Profile Mandatory. You then assign iPads to the PreStage Enrollment. When it boots for the first time it will try to activate and then configure the device according to the PreStage Enrollment. You will have to erase and reset any you have already done in order to get these new settings.


  • Valued Contributor
  • May 17, 2017

Has anyone seen this actually work? I have supervised devices with DEP enrollment profiles set to make MDM mandatory and prevent unenrollment... but users can still remove the management profile. Or is there a way to restrict viewing profiles on iOS similar to how it's done on macOS?


  • Valued Contributor
  • May 17, 2017

This has worked as expected for us for a few years now. How exactly are the users removing it? I'd like to try.


  • Valued Contributor
  • May 17, 2017

@rickwhois Are the devices enrolled in DEP via the portal?


  • Contributor
  • May 17, 2017

@rickwhois

Were your iPads actually enrolled by DEP during setup assistant? If you turned on the pre-stage enrollment after the fact, and the devices were originally enrolled some other way (manually, configurator, etc.) then the enrollment profile won't be mandatory. If that device is wiped, it will be forced into DEP with mandatory profiles during setup assistant. But you have to wipe it to force it to setup assistant to get to that stage.


  • Valued Contributor
  • May 17, 2017

@Emmert A user can open Settings.app, go to General > Device Management > MDM Profile and select Remove Management. From that point, the device is unmanaged and I can't talk to the device any longer.

@kerouak & @weldon I've got DEP set up in Apple School Manager and have our Pre-Stage Enrollment scoped out to the iOS devices. So they get enrolled out of the box. With my test iPads, I am wiping to be sure it gets the current Pre-Stage Enrollment (a la Settings > General > Reset > Erase All Content & Settings).

I appreciate your feedback. If this process is working for you guys, there must be something awry with my jss. I may have to reach out to my jamf buddy.


  • Contributor
  • October 19, 2017

@rickwhois

Did you find out what the issue was with users being able to remove the MDM profile? I'm seeing the exact same thing with some of our DEP devices.


  • Contributor
  • October 19, 2017

Ah, I see it's the following as I'm adding older devices to DEP via Configurator:

For a period of 30 days after provisional enrollment, users are able to remove MDM and opt out of DEP. The lock screen will display small text, instructing users that they can “leave remote management in Settings:”
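
The three conditions raised in this thread (PreStage options, enrollment path, provisional window) can be checked in one pass. This is an added example, not code from any poster or from Jamf: `is_supervised`, `is_mandatory` and `is_mdm_removable` are keys of Apple's DEP profile definition, while the inventory field names (`serial`, `enrollment_method`, `provisional_since`) and all sample data are hypothetical.

```python
from datetime import date, timedelta

PROVISIONAL_DAYS = 30  # figure quoted in the thread; adjust to your program terms

def profile_findings(profile):
    """Return reasons a DEP profile definition leaves MDM removable or skippable."""
    findings = []
    if not profile.get("is_supervised", False):
        findings.append("is_supervised is not true")
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory is not true (enrollment can be skipped)")
    # Apple defaults is_mdm_removable to true, so a missing key means removable.
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is not false")
    return findings

def device_status(dev, today):
    """Classify one inventory record (hypothetical field names) by enrollment path."""
    if dev["enrollment_method"] != "dep":
        return "not locked: enrolled outside DEP, wipe to re-enroll via Setup Assistant"
    since = dev.get("provisional_since")
    if since and today < since + timedelta(days=PROVISIONAL_DAYS):
        ends = since + timedelta(days=PROVISIONAL_DAYS)
        return f"not locked: provisional DEP enrollment until {ends.isoformat()}"
    return "locked"

def audit(profile, devices, today):
    """Map serial -> status; a weak profile overrides per-device results."""
    problems = profile_findings(profile)
    if problems:
        return {d["serial"]: "not locked: " + "; ".join(problems) for d in devices}
    return {d["serial"]: device_status(d, today) for d in devices}

# Constructed sample data, not taken from any real deployment.
SAMPLE_PROFILE = {"profile_name": "Classroom iPads", "is_supervised": True,
                  "is_mandatory": True, "is_mdm_removable": False}
SAMPLE_DEVICES = [
    {"serial": "SAMPLE0001", "enrollment_method": "dep", "provisional_since": None},
    {"serial": "SAMPLE0002", "enrollment_method": "manual", "provisional_since": None},
    {"serial": "SAMPLE0003", "enrollment_method": "dep",
     "provisional_since": date(2017, 10, 1)},
]

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_PROFILE, SAMPLE_DEVICES, date(2017, 10, 19)).items():
        print(serial, status)
```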

  • Valued Contributor
  • October 23, 2017

@s.gaynor I ended up creating new prestage enrollments and removed the old ones that were not working right. Everything seems to be working fine now that I have done that.


st02264
  • New Contributor
  • November 20, 2024

Apple School Manager has a lockdown policy: if you add your device in ASM, it will make the profile non-removable in 21 days.