How to make MDM profile non-removable (newbie in Casper Suite)

karoliens
New Contributor

Hello,

We are enrolling iPads using Apple Configurator or User-Initiated Enrollment. The problem is that students can remove the MDM Profile and this allows them to evade any restrictions we made. Is there any solution to this? DEP is not available in my country. Thank you.


plawrence
Contributor II

@karoliens Hi

Without DEP I don't know of a way to prevent the removal of the MDM Profile. To enforce restrictions on our campus we create a profile in Apple Configurator and change its 'Can it be removed' setting to Never (at the bottom of the General section). The only downside to this configuration is that the profile settings can only ever be removed/updated by plugging into the Configurator laptop.

Patrick

apizz
Valued Contributor

@karoliens, we got around this issue by creating a configuration profile which restricts the Profiles preference pane in System Preferences. This way no one can access the MDM Profile in the first place.

If we need to access the Profiles pane for whatever reason, we just log in as a local admin user, hold down the shift key (or option) and click the arrow next to the password field to log in (not enter/return). This will then give you the option to disable management so you can access all restricted system preference panes on the machine.
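As an added illustration of the two settings discussed by plawrence ("Can it be removed: Never") and apizz (restricting the Profiles preference pane), here is a short Python script that builds such a macOS configuration profile and audits a profile before deployment. This is example code, not anything posted in this thread and not Jamf's or Apple's tooling. It assumes an unsigned .mobileconfig (a plain XML plist), and it assumes the Profiles pane bundle identifier `com.apple.preferences.configurationprofiles`; `PayloadRemovalDisallowed` is the plist key behind Configurator's "Never" option and Apple documents it as honoured only on supervised devices, which is why it does not help on an unsupervised iPad.

```python
import plistlib
import uuid

# Assumed bundle identifier of the Profiles preference pane in System Preferences.
PROFILES_PANE = "com.apple.preferences.configurationprofiles"


def build_locked_profile(identifier, display_name, disabled_panes, removal_disallowed=True):
    """Build an unsigned .mobileconfig (XML plist bytes) containing one
    com.apple.systempreferences payload that disables the given panes.

    The top-level PayloadRemovalDisallowed key is Apple Configurator's
    'Can it be removed: Never' setting. Apple documents it as supervised-only,
    so on its own it does not stop removal on an unsupervised device.
    """
    payload = {
        "PayloadType": "com.apple.systempreferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".systempreferences",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "System Preferences restrictions",
        "DisabledPreferencePanes": list(disabled_panes),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",
        "PayloadRemovalDisallowed": bool(removal_disallowed),
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Inspect an unsigned .mobileconfig and report what a user could do with it."""
    profile = plistlib.loads(data)
    content = profile.get("PayloadContent", [])
    sysprefs = [p for p in content if p.get("PayloadType") == "com.apple.systempreferences"]
    disabled = {pane for p in sysprefs for pane in p.get("DisabledPreferencePanes", [])}
    return {
        "identifier": profile.get("PayloadIdentifier"),
        # A missing key means the profile is user-removable, which is the default
        # behaviour the original poster is trying to get rid of.
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "profiles_pane_disabled": PROFILES_PANE in disabled,
        "payload_types": sorted(p.get("PayloadType", "?") for p in content),
    }


if __name__ == "__main__":
    # Constructed sample: a non-removable profile that hides the Profiles pane.
    locked = build_locked_profile("com.example.restrict-profiles",
                                  "Restrict Profiles pane", [PROFILES_PANE])
    print(audit_profile(locked))
    with open("restrict-profiles.mobileconfig", "wb") as fh:
        fh.write(locked)
```

Running the script writes `restrict-profiles.mobileconfig` for import into Apple Configurator or upload to the JSS, and prints the audit, which is the quick check worth doing on any profile before it goes out: `user_removable` should be `False` and the Profiles pane should appear as disabled. Signed profiles would need to be unwrapped (for example with `openssl smime`) before this plist parse.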

karoliens
New Contributor

Thank you for such a quick response plawrence. When I try to edit the profile I get the error message "FISKL is a mobile device management enrolment profile and cannot be edited". Another solution would be hiding the Settings tab on the iPad. Is this possible?

karoliens
New Contributor

@aporlebeke Under which tab could you restrict access to the Profiles preference pane? There is no such option under the Restrictions tab in Configuration Profiles. Thank you.

plawrence
Contributor II

@karoliens

Unfortunately you can't edit your enrolment profile in Configurator; you will need to create a new Configuration Profile using Apple Configurator with the settings you want restricted and then install that onto your devices.
To answer your other question, there isn't a profile option to hide the Settings app on an iOS device, I think aporlebeke was referring to OS X configuration profiles.

Goober22
New Contributor III

It all really depends on the setup that you have and how easily you can get the devices in hand. If you can get the devices to run them all through a Mac then Configurator would be the best option if the devices are not already supervised. If this is not an option then you may have to look at something like they were saying above. Supervision is the only way to actually make it so that the profile itself cannot be removed, but there are other ways around it to make it harder to do so.

adamcodega
Valued Contributor

Yes to clarify, an iPad can be supervised, and thus the MDM Profile is not removable, using the Device Enrollment Program or Apple Configurator. For Apple Configurator, you can download an Enrollment Profile from the JSS and import it into Apple Configurator to get started.

rchawla
New Contributor III

Adam, I've deployed a test iPad via Configurator and JSS - it is supervised - and I can remove the profile by knowing the passcode to open the iPad. Presumably the student user will also know this 4-digit code. How can I restrict the removal of the MDM profiles? What am I missing?

Raj

adamcodega
Valued Contributor

The iPad must be Supervised; if it is, then the profile should not be removable.

rchawla
New Contributor III

Adam, I was not looking in Configurator at first. I see what you mean now, thank you.

cgiordano
Contributor

I'm with @aporlebeke. Setting up the restriction to Profiles is the way to go. We do that currently in our environment and have had great luck :)

CJeffery
New Contributor

This is a very interesting topic.

I had also noticed you could remove the MDM profile so locked it down in system prefs.

However, the trick mentioned above to disable policy enforcement really caught my attention: holding down the shift key while logging in with an admin user account. It's not working for me though. I am presented with the box as described above and click disable, but all the policy enforcement is still very much active.

Does this option have anything to do with the option under login window? (Computer Administrators may refresh or disable management) As I have this option ticked and the profile is assigned to the computer I am testing it on.

exno
Contributor

So I finally get to play in the iOS world again and found this thread while trying to find the same answers as the OP.

From what I have found out, MDM profiles on iOS cannot be made to "not be removable" by design, unless deployed via DEP. Apple has an opt-out/opt-in mentality for iOS for some reason... great for BYOD but horrible for trying to manage devices when DEP is not seen as a priority.

Apple Configurator will allow specific profiles to not be removable, but Jamf does that as well. The difference is that the Apple Configurator ones won't disappear when the MDM is removed.

So while I wait for DEP to get approved I have to bake in the security profiles via Apple Configurator and then enroll mainly for inventory and app installs. I forgot how annoying iOS devices were for management.

Hope my findings help out anyone else that comes across this feed.

- I am @exno or @exnozero on almost everything that exists.