Default MDM Profile is removable??

yellow
Contributor

Maybe I'm going crazy, but I don't remember the JSS default MDM profile created when the Mac is enrolled in Casper as being removable. Now it is in Macs enrolled in our JSS (v9.72). I can't seem to find any setting that specifies removable or not.

davidacland
Honored Contributor II

That's normal. You can passcode protect any other profiles deployed as part of the management, but Apple always allows the user to "opt out" of the management by removing the top level MDM profile.

DEP can help with this by ensuring any devices running through the setup assistant get enrolled by default.

yellow
Contributor

That seems... odd. Removing the top level MDM Profile then removes all other Profiles, effectively removing any of the settings that I've enforced via profile.

davidacland
Honored Contributor II

Tell me about it, pretty annoying!

It stems from Apple's view that the device belongs to the user and it's their choice. My method is to link email access, VPN, apps etc. to MDM. If the user un-enrolls, they lose the lot. Apart from a few hardcore resistance fighters, most usually re-enroll soon after!

yellow
Contributor

For the time being, I'm testing an alternate Profile that disables access to the profiles prefpane, unless a device is part of a particular 'department', which removes that restriction.

dpertschi
Valued Contributor

When you remove that profile, the computer record attribute "MDM Capable" changes from Yes to No.

Create a smart group looking for 'No' and then create an ongoing policy to re-manage those devices.

yellow
Contributor

@dpertschi - I don't see this in the pre-defined list of smart group criteria, are you using an extension attribute for this?

davidacland
Honored Contributor II

Is it the "Verify MDM enrollment" option on smart group criteria?

yellow
Contributor

No, it is not, but that's because it's an extension attribute. I just found it in the pre-built template list. It'll be on here shortly.

davidacland
Honored Contributor II

Ah, got it. I must have added that EA a while ago and forgot about it!

yellow
Contributor

That's going to work perfectly. Thanks folks!!

nkalister
Valued Contributor

I was just looking at doing this the other day, totally missed the extension attribute template.
So, to re-enroll- is there a built-in function for that that I'm also missing somewhere? If not, how are you getting the machines re-enrolled for MDM?

edit: when in doubt, check with Rich

dpertschi
Valued Contributor

So, to re-enroll- is there a built-in function for that that I'm also missing somewhere? If not, how are you getting the machines re-enrolled for MDM?

Just use jamf binary manage command in the Files/Processes > Execute Command field: jamf manage

nkalister
Valued Contributor

You might run into timing issues with that, see Rich's article here

Using

jamf mdm -verbose

if you're running 9.4 or higher avoids that.
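Pulling the thread's pieces together as one script, as an added example (this is not the "Verify MDM Enrollment" extension attribute template from Jamf, nor code from any poster here): an extension attribute that reports whether the Jamf MDM profile is still installed, so a smart group can collect the "No" machines, plus the remediation step an ongoing policy would run with the jamf binary. Assumptions not stated on the page: the Jamf MDM profile identifier used for matching (00000000-0000-0000-A000-4A414D460003), the shape of `profiles -C` output (a constructed sample is embedded), and that `jamf mdm -verbose` (JSS 9.4+) is tried before falling back to `jamf manage`.

```shell
#!/bin/sh
# Added example, not the Jamf "Verify MDM Enrollment" EA template and not code
# from any poster in this thread. It reproduces the detect-and-re-enroll loop
# the thread describes: an extension attribute reports whether the Jamf MDM
# profile is still installed, a smart group collects the "No" machines, and an
# ongoing policy runs the jamf binary to re-enroll them.
#
# Assumptions (not stated on the page):
#   - the Jamf MDM profile identifier is 00000000-0000-0000-A000-4A414D460003
#   - `profiles -C` prints one "attribute: profileIdentifier: <id>" line per
#     installed computer-level profile, as in the constructed sample below
#   - `jamf mdm -verbose` (JSS 9.4+) is preferred, `jamf manage` is the fallback

JAMF_MDM_PROFILE_ID="00000000-0000-0000-A000-4A414D460003"

# mdm_capable PROFILES_OUTPUT
# Prints Yes when the Jamf MDM profile identifier appears in the output, else No.
mdm_capable() {
    if printf '%s\n' "$1" | grep -q "profileIdentifier: ${JAMF_MDM_PROFILE_ID}"; then
        echo Yes
    else
        echo No
    fi
}

# ea_result PROFILES_OUTPUT
# Wraps the verdict in the <result> tags a Jamf extension attribute must print.
ea_result() {
    printf '<result>%s</result>\n' "$(mdm_capable "$1")"
}

# remediate STATE
# Called by the ongoing policy on machines the smart group flagged as "No".
# Returns 0 when enrolled (or nothing to do), 1 when re-enrollment is impossible.
remediate() {
    if [ "$1" = "Yes" ]; then
        echo "MDM profile present, nothing to do"
        return 0
    fi
    if ! command -v jamf >/dev/null 2>&1; then
        echo "jamf binary not found, cannot re-enroll" >&2
        return 1
    fi
    # The thread's two options, newest first: JSS 9.4+ can re-establish the MDM
    # relationship directly; older versions use jamf manage.
    jamf mdm -verbose || jamf manage
}

# Constructed sample of `profiles -C` output for a Mac that still has the MDM
# profile (plus one other profile) and for one where the user removed it.
SAMPLE_ENROLLED='_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[2] attribute: name: Wi-Fi
_computerlevel[2] attribute: profileIdentifier: com.example.wifi
There are 2 configuration profiles installed'
SAMPLE_REMOVED='There are 0 configuration profiles installed'

# As an EA on a Mac, read the live machine. Anywhere else (no profiles command,
# or EA_DRY_RUN set) show the verdict for both constructed samples instead.
if [ -z "$EA_DRY_RUN" ] && command -v profiles >/dev/null 2>&1; then
    ea_result "$(profiles -C 2>/dev/null)"
else
    ea_result "$SAMPLE_ENROLLED"   # <result>Yes</result>
    ea_result "$SAMPLE_REMOVED"    # <result>No</result>
fi
```

Paste only the `ea_result` half into a script-type extension attribute and match the smart group on the value "No"; the `remediate` half goes in the policy's Files and Processes > Execute Command field (or a script payload) scoped to that group. Keep the policy ongoing, since a user can remove the profile again after every re-enrollment.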

BVikse
New Contributor III

Is there a quick and easy method to re-enroll iPads? The thread so far looks great for managing desktops and laptops. iPads have the same issue.

adamcodega
Valued Contributor

This is slightly off topic to this thread @BVikse, iPads should be Supervised when they are enrolled using Apple Configurator or DEP so the MDM profiles are not removable. Plus, you get other perks of an iPad being supervised.

If an iPad is enrolled by going to the enrollment URL on the iPad I believe it cannot be supervised, useful in a situation like BYOD where Supervision isn't relevant because it's not your iPad but you want to be able to push apps etc.

BVikse
New Contributor III

That is not the case we are seeing with our iPads. We have about a hundred iPads that are not in DEP which we run through Configurator. It is set up to use the JSS's supervision identity so iPads can be set up managed and supervised by Configurator.

It runs perfectly with iPads in DEP by the cart-full, MDM profile can't be removed. Not in DEP, still managed and supervised, communicate with the JSS just fine, but the MDM profile is removable.

bentoms
Release Candidate Programs Tester

@BVikse & @adamcodega Only way to have an iPad enrolled with an MDM profile that's not removable is DEP, Supervision from Configurator allows you to remove the profile.

But, look at some of the WWDC videos when released (especially the one on Management).. about some changes that might happen here.

bentoms
Release Candidate Programs Tester

And the video has already been posted [here](https://developer.apple.com/videos/play/wwdc2017/304/)

CorpIT_eB
Contributor II

I hate to bring back a dead thread, but was there ever any update in this process? I am noticing that two of my main MDM profiles have the option to be removed. I want to disable that on "ALL" profiles without having to disable the whole Profiles tab altogether.

This would greatly be appreciated.