Jamf Now non-removable enrollment profile?

subevenis
New Contributor

I administer a small office using Apple Business Manager and Jamf Now. Most of the Macs were added to ABM via Configurator on the iPhone, and are thus supervised. I've set up Jamf Now as an MDM server, done the certificate shuffle to hook it up to ABM (and unchecked the "allow MDM to release devices" that's offered as part of that procedure), and assigned the devices to my newly-created Jamf Now MDM in Apple Business Manager. The newly-added devices show up in the Auto-Enrollment tab in Jamf Now, and I'm able to assign them to users, assign blueprints and thus push all the appropriate settings etc.

So far so good, but end users with admin privileges are able to go into the Profiles prefpane on their Macs and delete the Enrollment Profile, removing the devices from Jamf Now and kicking the devices in Apple Business Manager to "Released" status, requiring a full backup/wipe/re-enrollment with ABM in order to be able to put them back into Jamf via Auto-Enrollment (and yes, I could still add them in Open Enrollment, but that's not the point, dammit).

I don't like that. It stands to reason that if I have a user who can just unenroll their laptop from the device end, kicking it out of both Jamf and simultaneously releasing it from Business Manager, then there's absolutely nothing at all from preventing that user from wiping and selling the thing to feed their drug habits. Not that they'd do that. Okay, most of them wouldn't do that. Probably.

I've poked around Jamf Nation and The Internet™, and have arrived at the point where I cannot for the life of me figure out if this is a) expected behavior, and that I am an idiot, b) if I've done something blindingly obviously wrong, or c) if there's something I haven't done at all. I would very much like to be able to push a non-removable Jamf Now enrollment profile to those machines so that people would stop breaking things and I could go back to drinking on the job and taking long naps. It's important to have hobbies, after all.

1 REPLY 1

chaz
New Contributor III
New Contributor III

Hey @subevenis,

You are correct that Auto-enrolled devices should have non-removable MDM profiles installed by default. There is one "gotcha" that can come up with Macs that have enrolled via the iOS Apple Configurator enrollment workflow where devices are Provisionally Enrolled for 30 days after enrollment. To put it simply, devices that are provisionally enrolled can have their MDM profiles removed by end users 30 days after their initial enrollment into MDM. After that 30 days is up, the MDM profile is no longer removable and the minus button under System Preferences > Profiles can no longer be clicked. Removing devices during the Provisional Enrollment period will also release them from ABM like you mentioned as well.

 

Here is more information on Provisional Enrollment for reference: 

https://docs.jamf.com/jamf-now/documentation/Using_Apple_Configurator_2-5_or_Later_to_Prepare_Mobile... (Provisional Enrollment referenced at the bottom of the article)

 

Hopefully this helps!