Jamf configuration profile disable in Ventura

yifan
New Contributor

Since our client is renting an Apple device (Mac), the client is using the user-initiated enrollment method to register the device with Jamf Pro.

Also, through Jamf Pro, the profile item was disabled using Jamf Pro restrict configuration profiles -> Restrictions -> Preferences -> disable profile item.

The endpoint with Monterey installed is normally grayed out, but the profile is not disabled on the endpoint with Ventura installed.

Are you experiencing any issues like this or have you solved them?

If you have one, please share it with us.

4 REPLIES

AJPinto
Honored Contributor II

Someone asked this exact same question on Reddit the other day.

It's not possible to restrict System Settings > General > Profiles on macOS 13+. The long explanation is General no longer exists in /System/Library/PreferencePanes, and therefore can no longer be restricted by MDM commands targeting /System/Library/PreferencePanes. Apple did this intentionally and did not implement a way to restrict anything in General on macOS 13; this is not a bug in macOS or Jamf. Jamf still has the button in configuration profiles for macOS 12 and lower; macOS 13 will just ignore the payload.

TL;DR: What you are seeing is macOS working as intended by Apple; you simply need to update your process. To prevent a user from removing the MDM Profile, the only option is to use Automated Device Enrollment.

gachowski
Valued Contributor II

I would be a little conservative/think long and hard about preventing the removal of the MDM profile with Jamf. If you do that, it limits your ability to troubleshoot profile issues and some other random edge cases. It's not an easy solution. It might be a better solution to use a different security tool to "monitor" the MDM profile and then notify security when the MDM profile is removed. :)
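
The monitoring approach suggested in the reply above, as an added example that is not from any poster in this thread: a shell check that classifies the enrollment state reported by `profiles status -type enrollment` and logs when the MDM profile is gone. The output format, the `mdm-watch` log tag and the sample texts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: watch for loss of MDM enrollment on a Mac.
# Assumption: `profiles status -type enrollment` prints lines of the form
#   Enrolled via DEP: Yes|No        (DEP = Automated Device Enrollment)
#   MDM enrollment: Yes (User Approved)|No

# Constructed sample outputs (not captured from a real device).
SAMPLE_USER_INITIATED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/ServerURL'
SAMPLE_REMOVED='Enrolled via DEP: No
MDM enrollment: No'

# field_value TEXT LABEL -> text after "LABEL:" on the first matching line
field_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# classify_enrollment TEXT -> enrolled-ade | enrolled-user-initiated | unenrolled | unknown
classify_enrollment() {
    case "$(field_value "$1" 'MDM enrollment')" in
        Yes*) ;;
        No*)  echo unenrolled; return 0 ;;
        *)    echo unknown; return 0 ;;   # unparseable output: alert, do not assume healthy
    esac
    case "$(field_value "$1" 'Enrolled via DEP')" in
        Yes*) echo enrolled-ade ;;
        *)    echo enrolled-user-initiated ;;   # MDM profile is user-removable
    esac
}

# needs_alert STATE -> exit status 0 when security should be notified
needs_alert() {
    [ "$1" = unenrolled ] || [ "$1" = unknown ]
}

# On a Mac, check the live state; elsewhere classify the constructed sample.
if command -v profiles >/dev/null 2>&1; then
    state=$(classify_enrollment "$(profiles status -type enrollment 2>&1)")
    if needs_alert "$state"; then
        # logger writes to the system log, where a log forwarder or EDR can pick it up
        logger -t mdm-watch "MDM enrollment state: $state"
    fi
else
    state=$(classify_enrollment "$SAMPLE_REMOVED")
fi
echo "MDM enrollment state: $state"
```

Run it on a schedule from a tool that is not itself delivered by the MDM profile, so the check keeps running after the profile is removed.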

AJPinto
Honored Contributor II

I have only needed to remove the MDM profile a small handful of times. So long as the device can talk to Jamf, you can use an MDM command to remove the MDM Profile. If the device cannot talk to Jamf, you can do some stuff in safe mode to remove all profiles. macOS can also be reinstalled nondestructively in about 15 minutes without losing user data. If the MDM framework is so jacked none of this works, macOS needs a wipe and load anyway. Knowing how to use the tools we have is far better than configuring those tools poorly because we may not know better.

In short, do it right or don't do it at all. I am sure there are many underqualified admins out there with outdated or uneducated concepts and ideas of how MDM should work.
