Disabling Apple's new Lockdown mode?

ega
Contributor III

So in 
https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyw...
Apple Says: "Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on."

It seems like we would want to keep the end user from enabling this on MDM devices.  Has anyone seen any documentation on how to disable Lockdown Mode?  I can't see any in any MDM reference publicly available.

6 REPLIES

sdagley
Esteemed Contributor II

@ega If the device is already enrolled in an MDM enabling Lockdown Mode does not disable MDM, so you probably don't need to worry about disabling it.

Yes that's true.

AJPinto
Honored Contributor II

Once MDM has a device, lockdown mode does not "break" MDM; you can still deploy new, update, and remove old configuration profiles. On the flip side, lockdown mode does jack up all kinds of other things like VPN clients. I do see tickets generated by people who enable this and it breaks stuff, but MDM will be fine. Our VPN will not even connect with lockdown mode enabled.

sara_mccullar
New Contributor III

I am also trying to find documentation about how to block lockdown mode. We would rather users not turn it on. I don't see any info in the 10.42 documentation or any way in a config profile to block it.

AJPinto
Honored Contributor II

It's not possible to block lockdown mode. For JAMF to block it, Apple would need to make the MDM workflow, which they have said they will not be doing. Feedback request time.

Product Feedback - Apple
About Lockdown Mode - Apple Support

Configuration profiles and managed devices

If a device is in Lockdown Mode, new configuration profiles can't be installed, and the device can't be enrolled in Mobile Device Management or device supervision. If a user wants to install a configuration profile or management profile, they need to turn off Lockdown Mode, install the profile, and then re-enable Lockdown Mode, if necessary. These restrictions prevent attackers from attempting to install malicious profiles.

A device that is enrolled in Mobile Device Management before Lockdown Mode is enabled remains managed. System administrators can install and remove configuration profiles on that device.

Lockdown Mode is not a configurable option for Mobile Device Management by system administrators, as it’s designed for the very small number of individual users who might be targeted by extreme cyber attacks.
dan-snelson
Valued Contributor II

A Mac Admin, who prefers to remain anonymous, mentioned that the output of the following command may prove interesting:

% defaults read ~/Library/Preferences/.GlobalPreferences.plist LDMGlobalEnabled
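Since Lockdown Mode cannot be blocked or configured through MDM, the practical defender's move is to inventory which devices have it on, so the VPN and profile-install tickets mentioned above can be triaged quickly. The following script is an added example, not code from the thread or from Jamf: it wraps the `defaults read` command above in a Jamf-style extension attribute that reports a label instead of a raw number. The key name LDMGlobalEnabled comes from the post; the interpretation that a value of 1 means Lockdown Mode is enabled and 0 or absent means it is not is an assumption of this example, not something the thread or Apple documents, so validate it on a test Mac before relying on it in reports.

```shell
#!/bin/sh
# Added example: report Lockdown Mode state from the LDMGlobalEnabled key
# named in the post above, in extension-attribute form.
# ASSUMPTION: 1 = enabled, 0/absent = not enabled. Verify on a test device.

PLIST="$HOME/Library/Preferences/.GlobalPreferences.plist"
KEY="LDMGlobalEnabled"

# Map the raw value printed by `defaults read` (empty if the key is missing
# or the read failed) to a human-readable reporting label.
ldm_status_from_value() {
    case "$1" in
        1)  printf 'Enabled\n' ;;
        0)  printf 'Not enabled\n' ;;
        '') printf 'Not set\n' ;;
        *)  printf 'Unknown (%s)\n' "$1" ;;
    esac
}

# Read the key on macOS. On a host without the `defaults` tool (for example a
# Linux box running this for a dry run) the read is skipped and the key is
# reported as not set.
ldm_status() {
    raw=""
    if command -v defaults >/dev/null 2>&1; then
        raw=$(defaults read "$PLIST" "$KEY" 2>/dev/null || true)
    fi
    ldm_status_from_value "$raw"
}

# Wrap the label in the <result> tags a Jamf extension attribute expects.
ldm_extension_attribute() {
    printf '<result>%s</result>\n' "$(ldm_status)"
}

ldm_extension_attribute
```

When run as root from an MDM agent, `$HOME` is root's home, not the logged-in user's, so a production extension attribute should resolve the console user's home directory before reading the plist; the example keeps `$HOME` for clarity. Because the key lives in the user's own preference domain, treat the result as a hint for support triage rather than a tamper-proof signal.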