MDM Profile Removal

smcnew2015
New Contributor

I have devices that were run through Apple Configurator and moved into JAMF within Apple Business Manager. The devices show up as supervised within JAMF, but when imaging, it's allowing the individual to remove the profile from the device, and it then removes it completely from Apple Business Manager.

How do I prevent the removal of the profile on a supervised device?

3 REPLIES

vincent_bonnin
New Contributor II

Hi smcnew2015,

This behavior is normal because when you manually enroll a device with Apple Configurator and then pass it into JAMF, Apple gives the device user the possibility to remove its profile for 30 days. After those 30 days, your devices won't be able to remove their profile if you don't allow them to.

I believe this is a security protocol to prevent people from enrolling anyone's device in their DEP instantly with no way to go back easily.

Here is a link with the same explanation at the bottom of the page.

davehale
New Contributor II

And here is the official Apple info on the 30-day countdown.

Prepare devices manually - Apple Configurator 2 Help
https://help.apple.com/configurator/mac/2.5/#/cad99bc2a859

Manually add devices to the Device Enrollment Program (part of Apple School Manager and Apple Deployment Programs)
You can choose to add iOS and tvOS devices to the Device Enrollment Program (part of Apple School Manager and Apple Deployment Programs) using Apple Configurator 2, even if the devices weren’t purchased directly from Apple, an Apple Authorized Reseller or an authorized cellular carrier. When you set up a device that has been manually enrolled, it behaves like any other enrolled device, with mandatory supervision and mobile device management (MDM) enrollment. For devices that weren’t purchased directly, the user has a 30-day provisional period to remove the device from enrollment, supervision, and MDM. The 30-day provisional period begins after the device is activated.

There are ways to add devices to one of the programs:

• You don’t enable “Activate and complete enrollment”: You have a new or existing device that requires unique user authentication to enroll in MDM. The device is left at the Setup Assistant, and the user completes the enrollment.

• You enable “Activate and complete enrollment”: You have an existing device that already has a record in, and is managed by, your MDM. This can include managing all the Setup Assistant steps so the user gets a device that’s ready to use.

Does that mean that I have to run the 30-day gauntlet of potentially a user removing the MDM profile from the iPad they are using, thus undoing all the effort I have put into administering the iPad?

If so, and this does happen, is there a quick way of installing the profile again rather than having to go through the whole prepare process, whilst you wait for the 30-day countdown to expire?

Declan