Do we really need JAMF? Then why can a user remove the MDM management from an iPad?

GeraldDavenport
New Contributor II

I just removed the MDM management from an iPad, FROM THE IPAD (not through Jamf, but on the iPad).

 
It is an iPad that I was going to remove from Jamf, but I kept seeing the remove management when looking at it on the iPad and wondered what it did. Now I know.
 
Back in JAMF I have no ability to manage that iPad anymore even though it shows it in JAMF.
 
Which means the user can remove the MDM management from the iPad and we have no control of that iPad?
 
I just sent in a support question and they sent me nothing that is relatable to my concern.
 
Why is the user able to remove the MDM management from the device?

I have no idea how these iPads were enrolled; they were done before the job was handed to me.
 
The past year they have been added to Apple Business Manager, then into JAMF. This was not one of those, but a previous enrollment. Not self-enrolled but through Apple Configurator.

Jason33
Contributor III

Is 'Prevent Unenrollment' not enabled in your PreStage? 

TheAngryYeti
Contributor II

A few things here that might help out.
If the iPad was supervised with Apple Configurator and then manually enrolled into Jamf, the MDM profile will be removable. Once you add the device to ABM and pass it through a Jamf PreStage, you will have the option (in the PreStage) to make the profile non-removable. This is the only way to accomplish a non-removable MDM profile.

AJPinto
Esteemed Contributor

I recommend taking a few moments to understand the different enrollment types and the pros and cons of each type.

 

In summary, the only enrollment type Apple considers to be for an Organizationally Owned Device is Automated Device Enrollment. If you are not using Automated Device Enrollment, Apple views the device as a personally owned device and the user is free to remove the MDM profile at their discretion. If you want to prevent the user from removing the MDM profile, you need to be using Automated Device Enrollment, and to select the option to not allow removing the MDM profile.

 

https://it-training.apple.com/tutorials/apt-deployment/#enabling-automated-device-enrollment

https://support.apple.com/guide/deployment/enrollment-methods-for-apple-devices-dep08f54fcf6/web