
Preventing removal of MDM Profile?

  • September 29, 2017
  • 9 replies
  • 85 views


Is there any way to prevent the removal of the MDM/management profile from a Mac, if the user is an admin? We usually lock the "Profiles" pref pane using a Config Profile, but I'm wondering if there's a way to keep the user from deleting the management profile if we unlock that pref pane? In my testing, I've not been able to stop an admin-level user from deleting whatever profiles they want.

  • Honored Contributor
  • September 29, 2017

@jkarpenske,

As usual Rich has it covered

Larry


  • Author
  • Contributor
  • September 29, 2017

Ah, yes...I should have known - is there anything that man doesn't know? :)

Thank you - I'll check out that post.


  • Author
  • Contributor
  • September 29, 2017

Okay, I've looked it over, and it looks as though it works only for manually installed config profiles. Is there a way to make this change to pre-existing profiles, such as the one that gets installed during JSS enrollment?


dpertschi
  • Contributor
  • September 29, 2017

Try a smart group looking for MDM Enrollment Not Enrolled, and then scope a policy to run jamf manage to pull it back down.


  • Author
  • Contributor
  • September 29, 2017

@dpertschi I'll give that a try - thank you!


  • New Contributor
  • March 27, 2018

@jkarpenske did you ever get this working for pre-existing profiles? We're trying to get Jamf set up for our faculty, and password-protecting that profile sure would be nice...

Thanks!


  • Contributor
  • August 14, 2019

I just found this thread and have a (maybe stupid) question:

From my understanding, you have to add the code

        <dict>
            <key>Description</key>
            <string>Enter the password in the RemovalPassword key to remove this profile</string>
            <key>PayloadType</key>
            <string>com.apple.profileRemovalPassword</string>
            <key>PayloadUUID</key>
            <string>CA7AE3B9-9A50-4596-A2F5-EFDE48AD4431</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>RemovalPassword</key>
            <string>PasswordGoesHere!</string>
        </dict>

into the MDM profile so it can't be removed, right?

How am I doing this? I can't edit it in JAMF afaik
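
An added example, not part of any post in this thread and not Jamf's or Apple's code: Python that places the removal-password payload quoted above inside the `PayloadContent` array of a manually installable profile and audits a profile for it. The identifier, display name and password are constructed placeholders, and the function names are hypothetical.

```python
import plistlib
import uuid

# Payload type and key names taken from the snippet quoted in the post above.
REMOVAL_TYPE = "com.apple.profileRemovalPassword"
PLACEHOLDER = "PasswordGoesHere!"


def build_profile(identifier, display_name, removal_password=None, payloads=()):
    """Return .mobileconfig bytes; adds a removal-password payload if one is given."""
    content = list(payloads)
    if removal_password is not None:
        content.append({
            "PayloadType": REMOVAL_TYPE,
            "PayloadIdentifier": identifier + ".removal",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadEnabled": True,
            "RemovalPassword": removal_password,
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": content,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Check a profile for a usable removal-password payload."""
    profile = plistlib.loads(data)
    removal = [p for p in profile.get("PayloadContent", [])
               if isinstance(p, dict) and p.get("PayloadType") == REMOVAL_TYPE]
    findings = []
    if not removal:
        findings.append("no removal-password payload")
    for p in removal:
        password = p.get("RemovalPassword", "")
        if not password:
            findings.append("RemovalPassword is empty")
        elif password == PLACEHOLDER:
            findings.append("placeholder password left in place")
    return {"protected": bool(removal) and not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    data = build_profile("com.example.demo", "Demo profile", "constructed-Passw0rd")
    print(audit_profile(data))
```

The password is written into the profile as a plain string, so the resulting `.mobileconfig` file should be handled like any other secret.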


  • New Contributor
  • March 24, 2022

Hello, I'm new to the JAMF world. Where can I find this script to modify?


  • Contributor
  • May 23, 2024

+1