Jamf Nation Community

@karoliens, we got around this issue by creating a configuration profile which restricts the Profiles preference pane in System Preferences. This way no one can access the MDM Profile in the first place.

If we need to access the Profiles pane for whatever reason, we just login as a local admin user, hold down the shift key (or option) and click the arrow next to the password field to login (not enter/return). This will then give you the option to disable management so you can access all restricted system preference panes on the machine

Thank you for such a quick response plawrence. When I try to edit profile I get error message "FISKL is a mobile device management enrolment profile and cannot be edited". Other solution would be hiding settings tab on iPad. Is this possible?

@aporlebeke Under which tab you could restrict access to Profiles preference pane. There is no such option under Restrictions tab in Configuration Profiles. Thank you.

@karoliens

Unfortunately you cant edit your enrolment profile in Configurator, you will need to create a new Configuration Profile using Apple Configurator with the settings you want restricted and then install that onto your devices.
To answer your other question, there isn't a profile option to hide the Settings app on an iOS device, I think aporlebeke was referring to OS X configuration profiles.

It all really depends on the setup that you have and how easily you can get the devices in hand. If you can get the devices to run them all through a Mac then configurator would be the best option if the devices are not already supervised. If this is not an option then you may have to look at something like they were saying above. Supervision is the only way to actually make it so that the profile itself can not be removed, but there are other ways around it to make it harder to do so.

Yes to clarify, an iPad can be supervised, and thus the MDM Profile is not removable, using the Device Enrollment Program or Apple Configurator. For Apple Configurator, you can download an Enrollment Profile from the JSS and import it into Apple Configurator to get started.

Adam, I've deployed a test iPad via configurator and JSS - it is supervised - and I can remove the profile by knowing the passcode to open the iPad. Presumably the student user will also know this 4-digit code. How can I restrict the removal of the mdm profiles? What am I missing?

Raj

The iPad must be Supervised, if it is than the profile should not be removable.

@karoliens

Adam, I was not looking in Configurator at first. I see what you mean now, thank you.

I'm with @aporlebeke. Setting up the restriction to Profiles is the way to go. We do that currently in our environment have had great luck :)

This is a very interesting topic.

I had also noticed you could remove the MDM profile so locked it down in system prefs.

However the trick mentioned above really caught my attention to disable policy enforcement. Holding down the shift key while logging in with a admin user account. It's not working for me though. I am presented with the box as described above and clicking disable but all the policy enforcement is still very much active.

Does this option have anything to do with the option under login window? (Computer Administrators may refresh or disable management) As i have this option ticked and the profile is assigned to the computer i am testing it on.

So i finally get to play in iOS world again and found this thread while trying to find the same answers as the OP.

From what i have found out. MDM profiles on iOS can not be made to "not be removable" by design, Unless deployed via DEP. Apple has an Opt-out/Opt-in mentality for iOS for some reason... great for BYOD but horrible for trying to manage devices when DEP is not seen as a priority.

Apple configurator will allow specific profiles to not be removable, but Jamf does that as well. The difference being that the Apple configurator ones won't disappear when the MDM is removed.

So while I wait for DEP to get approved I have to bake in the Security profiles via Apple configurator and then enroll mainly for inventory and app installs. I forgot how annoying iOS devices were for management..

Hope my findings help out anyone else that comes across this feed.