Solved

Identifying machines with removable MDM

  • February 8, 2023
  • 12 replies
  • 81 views


What is the best way to identify endpoints with removable MDM profiles? I suspect that some computers in my environment may have been deployed that way before I was hired.

Best answer by pseudopunk

Update: I spoke with Jamf support and was told that there is no way to determine removability of MDM profiles without inspecting each device manually.

12 replies

  • Valued Contributor
  • February 8, 2023

Allow MDM profile removal is set in a prestage - so you may be able to create a smart group based on a prestage that allows it.


  • Author
  • New Contributor
  • February 8, 2023

Yeah, I realize that it is set in pre-stage. It looks like that the pre-stage I'm worried about was also removed from Jamf at some point because the name is blank in the computer record. Any other ideas?


sdagley
  • Jamf Heroes
  • February 8, 2023

@pseudopunk Try running the following command on a Mac you know has a non-removable MDM Profile:

sudo profiles show -all -verbose -output stdout-xml > ~/Desktop/InstalledProfiles.xml

Search through the output for the "MDM Profile" data, and see if there is an associated ProfileRemovalDisallowed Key with a true string attribute following it. That will indicate a non-removable profile. I'll note that on the Mac I'm using right now I do _not_ see a ProfileRemovalDisallowed for the MDM Profile, but I know it isn't removable. I'll have to check another machine to see if that's a fluke or not later.


  • Author
  • New Contributor
  • February 8, 2023

Thank you, but we have hundreds of endpoints and I need a way to identify which would need remediation.


  • Valued Contributor
  • February 8, 2023

How many of your hundreds currently do not have an affiliated Prestage? How long ago were they enrolled? They might not have been enrolled via a prestage if they have been around awhile. Are they offsite? Are your staff prone to fiddling with management settings? Or are these student devices? How much longer will your devices be in service?


sdagley
  • Jamf Heroes
  • February 8, 2023

@pseudopunk I'm looking to see how the MDM Profile in your deployment to a good Mac looks. Once you know that the next step is to create an Extension Attribute that checks all of your Macs for the indication of a removable MDM Profile so you can identify problem machines.


  • Author
  • New Contributor
  • February 8, 2023

Thank you. I do see that key and it is set to true.


  • Author
  • New Contributor
  • February 8, 2023

Actually, I take it back. It looks like all of the other profiles have that key but not the MDM profile itself.


sdagley
  • Jamf Heroes
  • February 9, 2023

@pseudopunk That seems wrong, but I'm seeing the same thing here. I don't have any Macs that have a removable MDM Profile to compare to, but without that key to indicate removability I don't know of another mechanism to use for a check.


  • Author
  • New Contributor
  • Answer
  • February 11, 2023

Update: I spoke with Jamf support and was told that there is no way to determine removability of MDM profiles without inspecting each device manually.


  • Author
  • New Contributor
  • February 11, 2023

Thank you for your response. There are maybe 20 without an affiliated pre-stage. The computer record says they were enrolled with a pre-stage, but does not indicate a specific pre-stage used. They were enrolled in 2018. These are staff machines in a remote work environment. They are generally not "fiddled with," but one user did upon exiting the company and now I need to assess risk in an environment that is very new to me.

After much back and forth with Jamf support, the answer I received from them is that there is no way to determine removability without checking the device itself to see if the minus sign is greyed out for profile removal.


abbs
  • New Contributor
  • May 22, 2023

This is incorrect. This status can be pulled as part of the `sudo profiles show -type enrollment` command
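One way to combine abbs's `profiles show -type enrollment` pointer with sdagley's Extension Attribute idea, as an added example that is not code from the thread or from Jamf: a script that reads the Automated Device Enrollment record the command prints and reports its removability flag as an EA result. The record layout and the `IsMDMRemovable` key name are assumptions based on how that command prints the ADE record; the sample output is constructed.

```bash
#!/bin/bash
# Added example, not code from the thread or from Jamf: an Extension Attribute
# script that reports whether the MDM profile can be removed, read from the
# Automated Device Enrollment record that `profiles show -type enrollment`
# prints. Assumption: that record contains an `IsMDMRemovable = 0;` or `= 1;`
# line (mirroring the PreStage "Allow MDM Profile Removal" setting).

# Constructed sample of the record on a Mac enrolled with removal disallowed.
SAMPLE_ENROLLMENT_OUTPUT='Device Enrollment configuration:
{
    AllowPairing = 1;
    ConfigurationURL = "https://jss.example.invalid:8443/cloudenroll";
    IsMDMRemovable = 0;
    IsMandatory = 1;
    IsSupervised = 1;
    OrganizationName = "Example Corp";
}'

# classify_removability <enrollment-output>
# Prints NonRemovable, Removable, or Unknown. Unknown covers Macs with no ADE
# record at all (e.g. user-initiated enrollments from before a PreStage
# existed), which is exactly the population that still needs a manual check.
classify_removability() {
    local output="$1" value
    value=$(printf '%s\n' "$output" \
        | sed -n 's/^[[:space:]]*IsMDMRemovable[[:space:]]*=[[:space:]]*\([01]\);.*/\1/p' \
        | head -n 1)
    case "$value" in
        0) printf 'NonRemovable' ;;
        1) printf 'Removable' ;;
        *) printf 'Unknown' ;;
    esac
}

# Extension Attribute entry point: Jamf runs EAs as root, so read the live
# record there; elsewhere fall back to the constructed sample for a dry run.
main() {
    local enrollment_output
    if [ "$(id -u)" -eq 0 ] && command -v profiles >/dev/null 2>&1; then
        enrollment_output=$(profiles show -type enrollment 2>/dev/null || true)
    else
        enrollment_output="$SAMPLE_ENROLLMENT_OUTPUT"
    fi
    printf '<result>%s</result>\n' "$(classify_removability "$enrollment_output")"
}

main
```

Scoped to a smart group on the resulting EA value, "Removable" and "Unknown" together give the list of machines that still need the manual check Jamf support described.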