@K.Norus If I might ask, where did this computer come from? If you computer is attempting to enroll in a corporation's MDM, then that company still thinks they own it. If they no longer have possession of it and have willingly discarded it, they should have taken the steps to remove it from their MDM and retire it from their DEP portal before giving up possession. I would reach out to the company you obtain this computer from and discuss with them.
My experience is very different than the above thread. Everyone discusses as if stolen or other nefarious activity. I ordered and paid for my MacBook at the Apple store. My wife's company has a 5% discount offered for all Apple products. Apple said great and they applied the 5% discount under her company name. And I am stuck with this stupid pop up that even Apple at the store cannot rid. My wife's company says they have no idea what it is and they are glad to help, but simply are not able. So...now what? It is super annoying. Is it worth 5%? No.
@aalamerican It sounds like when the Apple Store sold you the computer, they actually sold it under your wife's companies account. So what happened is that the serial number that was sold was associated with the company's account, uploaded in to their Apple Business Manager account, and then associate with the company MDM. To get rid of this, the company needs to log in to their Apple Business Manager account and "Release" the serial number from their ABM. I would also recommend that you restore the MacBook to a factory O/S and set it up again. Somebody on the IT team should have access to the company ABM account. You might just need to find the right person (likely not a first level help desk person). They should also delete any record that may exist in their MDM.
Otherwise, I would recommend you return the computer the store you purchased it and purchase a new one under a personal account and not a business account.
Good luck.
I'm going to try to address many historical and current questions on this topic below...
If a device is in a company's ABM/ASM (DEP) account that means it was purchased and assigned to an institutional (company) account at Apple. If you have a device that is popping up a message like this, then it was a registered as an institutional purchase.
Apple will not remove a device from a companies account as they do not know if it was stolen. This is the responsibility of the original owner of the device. This is just like Activation Lock or signing into iCloud on an iPhone (to prevent its use if it's been stolen).
So the first thought is a device was stolen if you are getting this pop up. If it's not, you should contact the company that sold it. (Maybe it was an oversight as one person mentioned.) Companies that have ABM/ASM accounts are Legally Obligated to release device from their ABM/ASM accounts that they no longer own, per the terms and conditions of the program. I do know my own organization fails to properly address devices like this and I strive to educate our techs on this, but unfortunately, most do not understand the impact or even the stress of using Automated Device Enrollment (DEP) in the first place. Also, just because a device is new in box, does not mean the device is not stolen.
For the suggestion to pay for a service to re-program the Serial Number, this is an illegal service not condoned or supported by Apple. (If the device was under warranty, it would likely be voided.) The suppliers of this type of service are supporting the theft of devices, whether directly or indirectly, as that is the only reason to re-program a serial number. When another serial number is programmed in, you now have the serial number of another device some where in the word, which could cause issues in and of itself. Going forward with new hardware release (as announced at WWDC 2020) this type of service (re-programming serial numbers) will be much harder as the serial number will be completely unique and no longer be able to identify the device. So you won't be able to simply change a single value and it be valid.
Yes, there are ways to "remove" the notification from a Mac itself, but those are likely temporary. The next time the Mac connects to Apple's activation servers, it will pop up again. You can never remove it from ABM/ASM, only the institution can do that.
Yes, you can not connect to the internet during the setup of the device, but again, this is likely only temporary. The device will eventually check-in with Apple's activation server, and the message will pop up.
If you cannot find enough suitable information after reviewing the MDM Profile that the notification wants to install, you can run the command, which should give information on the organization that the device is registered too:
sudo profiles show -type enrollment
For the comments that mention that the device was removed (released) from the ABM/ASM (DEP) account, but the device is popping up the notification, this is normal/expect at this time. When the device checks in to Apple's activation servers, it downloads its activation record and saves it to disk (see above command -- this is the same content save to disk). The device doesn't check-in again to see if the record is "gone" -- that's not an expected scenario that Apple would bother programming for. You have two options: wipe and reinstall (strong and dumb approach) or delete the files that store this information. The files are stored in a SIP protected directory in modern versions of macOS, but you can reboot into the Recovery Volume and delete the files. This command will work from recovery to delete the related files:
rm /Volumes/Macintosh HD/var/db/ConfigurationProfiles/Settings/.cloudConfig*
For those that have legit purchases... Seeing this message/notification does not mean the device is enrolled and no, the organization cannot access your files/device. But if it has been enrolled, then yes, they can take over, view, and lock your device as well as apply configurations, restrictions, requirements, etc.
For the instructions above about removing profiles, etc. That is not possible once the MDM Profile is installed if the organizations required the MDM Profile to be installed (in other words, configured the Profile to not allow un-enrollment), which is a requirement (no longer an option to configure) going forward with macOS Catalina 10.15 and newer.
Finally, @aalamerican, we've seen similar scenarios with our primary vendor or even phone carrier stores. Staff will say they're an employee with our organization to receive a discount and the vendor will incorrectly add the device to our company's ABM/ASM account. Then the device will attempt to enroll. You should be able to go back to that store, explain the situation, provide your paid receipt, and they should be able to remove it. (Besides the "purchasing institution" only the originally selling vendor can/will remove a device from ADE/DEP.) My recommendation, if what you're telling the normal Joe/Jane you speak with in the store is flying over their head, ask to speak with someone from the business team in the store. The business team should understand ADE/DEP to some degree and at least be able to discuss the topic (where a normal employee likely only ever deals with consumer sales which this will never touch).
Hope this information helps someone.
@MLBZ521 Thank you for your thorough explaination. But, I tried using your command to delete the related files but it showed "No such file or directory".
I purchased this MacBook Pro from an authorised Apple reseller and found out later that it is enrolled in DEP of a local University. I emailed the seller, and they managed to remove the DEP enrolment according to their response. But, the annoying prompt still shows from time to time. I am not sure if it's the issue at Apple's end or the seller did not actually remove the enrolment.
@chcxuyang Once a device gets its activation record, it doesn't go away on its own. Even if it was removed from Apple's side. You can try running: sudo profiles renew -type enrollment
If that clears the record, then you're good. You can verify with this command: sudo profiles show -type enrollment
If a dictionary of info is returned, it didn't work, however, if it returns empty {} then you're good. If not, you have to delete the files (or nuke and pave, aka wipe the drive, which is drastic).
Verify you have typed the path correctly. You can try using tab completion, that may help.
What OS version are you running? To be honest, I have only tested this on macOS 10.15 Catalina and maybe macOS 10.14 Mojave, but not sure on the latter.
@MLBZ521 I am running macOS Mojave 10.14.6.
I tried sudo profiles renew -type enrollment, and it still returned the Device Enrollment notification. sudo profiles show -type enrollment does the same. Does it mean that this device is still under the organization's DEP account?
I did manage to delete the related files using your command this time. I hope that the notification won't show up periodically anymore. But, my understanding is that this method does not solve problem once for all, and I will have to type the command every time I re-install macOS? (I re-install system very often)
@chcxuyang If the device was properly released/removed by the vendor, it shouldn't happen again. Only the selling vendor can add the device to an organization's Apple Business (or School) Manager account, not even Apple can do this (unless they sell the device).
Once you delete those files, you should be able to run sudo profiles renew -type enrollment again and if it returns empty {} then you're good. You shouldn't receive that notification again.
If you run cat /Volumes/Macintosh HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound you should see very similar output as the sudo profiles show -type enrollment command, except that it is in a plist format.
The renew command grabs the information, and saves it to a file (.cloudConfigRecordFound ) on the disk. This is what causes your machine to prompt to enroll, even after it was removed from ABM/ASM, because the information is cached locally on the drive.
I attempted the:
sudo profiles show -type enrollment
as suggested, though what I got as a prompt for a "password" and a key icon. Did this via terminal. Is this correct? or is there a different command prompt that I should be doing this from?
@gnf Any statement that starts with sudo requires Super User (aka administrative) privileges. So, you'll need to be running with an account that has admin privileges and enter that users' password.
@CasperAdminNet-I would love to see the code to this if you can-
@https://www.jamf.com/jamf-nation/discussions/17517/remove-my-laptop-from-device-enrollment-program-prompt
Ive seen the code here:
(https://apple.stackexchange.com/questions/311052/why-do-i-get-a-remote-management-step-when-installing-high-sierra)
For me it doesnt work...maybe because Im trying to install a fresh OS from Recovery and not from a USB install..what are your thoughts?
Greetings to every one!
I bought one MBP 2019 from craigslist and was running very smoothly. I did not encounter any pop ups. My issue happens when i updated catalina. I am attaching some photos. I cannot get past the last sign in stage. Please help.
@Snabi You bought a stolen computer. Ask for a refund.
@LAJAAMS2020 The instructions that CasperAdminNet referred to are not a "fix", just a work around. As well, they will no longer work moving forward in Big Sur and laster and the profiles command will not be able to perform the actions that they can today. In addition, the profiles command can only remove Profiles that are marked as removable -- however, most Automated Enrollment Profiles are not marked as removable (and cannot be on newer versions of macOS and iOS).
I would highly recommend reviewing my post in this thread for full details on the situation you're in, how things work, options available to you, etc.
@Snabi As Pat mentioned, that device was very likely stolen.
I saw a case where the device was misdelivered by FedEx and not discovered for weeks while it sat on the inventory shelf. FedEx replaced the device to the company they should have delivered the package.
I HAVE removed / unassigned my devices from our DEP system - and our users are STILL getting that pop-up with no way to remove it. I inherited the DEP system from an employee who is no longer at our organization. After a long, arduous process with Apple, I was able to get / reset the Apple ID associated with our account and unassigned all devices from our DEP - and our users are STILL getting the pop-up. Help! How do I remove the pop-up? I do not want to have to totally wipe the laptops and re-install in order for it to go away. Any thoughts / suggestions would be very, very appreciated! Thanks!
and unassigned all devices from our DEP
@PW7 I hope these devices are not still institutionally owned. If so, you've just crippled yourself when it comes to device management.
If you review my post above, I go into great detail on this. But, in short:
A device checks Apple's activation servers and caches whether it has a Device Enrollment configuration record. Once the device caches that information, it's cached locally on the internal disk. The device will always prompt with the ADE Nag notification (it does not check to see if it no longer has a Device Enrollment configuration record). The only way to resolve this is to delete the cached information. (Again this is all described in my earlier post with resolution instructions.)
@MLBZ521 can you please advise where exactly you entered this command:
rm /Volumes/Macintosh HD/var/db/ConfigurationProfiles/Settings/.cloudConfig*
I tried in the Recovery disk -> Utilities -> Terminal, however got back the "File not found..." message.
I also tried without the "" sign and then again with replacing the "" with "/", same result.
When I run the "ls" command in the same place, I don't see the Volumes directory.
I am on MacOS Catalina.
@Acovid It is entered in to Terminal from within Recovery. I've only ever used it on Catalina to be honest, so I know it should work on that.
The spaces and forward/back slash are important. You can try to start typing the words and then pressing the TAB key to autocomplete the text. That has helped several end users get it typed correctly that are remote.
Are you saying, that executing ls /Volumes does not return any mounted volumes? Ensure that your disk is unlocked and mounted (see Disk Utility).
@MLBZ521 Thank you for in-depth post above, very helpful!
I won't go into my boring/long story but essentially I have a 3rd/4th-hand 2018 macbook pro (off of a third party seller) which has the 'Allow Device Enrolment?' pop up coming up and am currently unable to get hold of the original owner or FB (obviously).
The bit in your post where you say "For those that have legit purchases... Seeing this message/notification does not mean the device is enrolled and no, the organization cannot access your files/device."
From this pop up, would you agree that my device isn't actually enrolled with FB? I.e. am I at any risk of them being in a position to control/wipe my device? Or are there any long term implications/downsides of being in my current set-up? So far all I have noticed is the lack of access to 'Profiles' in system settings
If so then fine - the pop ups don't bother me too much and I can always try to follow your advice in removing them. I just obviously don't want to be in a position where I'm at risk of that happening.
Thanks so much for any insight you can offer and anyone else!
@emyj18 It's not enrolled until you click "allow" and the MDM profile installs. So no, they can't control or wipe.
While the correct fix it to get removed from DEP another thing you can do and this is only on the first boot after imaging. This is where DEP starts the process. You can bypass all the prompts by setting the mac up off network. This stops it from being able to check with apple and get directed to a MDM server.
As DEP is designed to run the first boot if there is a network it will keep looking for the MDM server as Apple told it to. However off network you will bypass this. After setup completes DEP will not run again. This will skip DEP setup. It will come back next time you get imaged.
What Pat said above.
@MikeF That's not completely true. A device can check-in to Apple's activation servers after device setup. We've had plenty of our devices do that because an end user went and purchased something themselves, didn't involve IT, set it up off network and then later get prompted to enroll. Then we get questions from their IT support going "How do we make this go away?" Answer: "Enroll it, that's how." :)
Hello all,
Thank you for all the information everyone shared. I purchased a 2017 MBP when I was in US and got this MDM pop-up for the last 3 years. Found some code on web to run in recovery to prevent pop-ups just like someone suggested above.
But with the macOS 11 Big Sur, I can't see updates. For ex; I'm on 11.3.1 now and don't see 11.4 in Software Update. I suppose this happens because Apple changed the way MDM devices handle updates. So Amazon handles when my Mac get macOS updates. Up until now I had to download the whole macOS setup from App Store (12 GB or so everytime!) even for minor updates.
So my question is; when I contact Amazon.com and ask them to remove this from DEP, if this is a stolen device and they figure it out (REALLY REALLY HOPE I DIDN'T GIVE HUNDREDS OF DOLLARS FOR A STOLEN DEVICE!!) will they be able to lock, wipe or do something to my Mac although it's not enrolled? I couldn't take this chance until now because there is no way I can afford to lose this Mac or buy another one anytime soon. If someone can tell me what can happen when I contact them, I'd really appreciate it. This was a big lesson to me to not to buy used electronic devices outside of my home country.
This was purchased through Amazon, or it’s in Amazon’s DEP account?
If it was purchased through Amazon, but via a third party seller, Amazon is not going to be able to remove it from DEP. It’s probably stolen in this case. Only the company that is on the enrollment can remove it. You should have returned it as soon as you saw the problem.
If it’s actually in Amazon’s DEP account, you’re going to have to try getting ahold of someone in their IT Dept, but it’s probably still stolen so they might not release it.
