On the iPad there is currently no way to prevent the removal of the MDM profile. Apple considers MDM for iOS to be opt-in, which means that anyone can opt-out at any time. I always found/find it infuriating when the engineers at the Apple Edu Tech Updates say to use the "carrot" method for keeping iPads enrolled in MDM, meaning "don't tell them the wireless password, have wireless tied to MDM enrollment", which is absolute CRAP for a district of 130+ schools, all of which know their wireless passwords.
My information on iOS MDM is very outdated at this point, but I thought it was possible to lock the profile when using iOS devices in Supervised mode. I know Supervised mode is not viable in many environments, but that's how I understood things to be. Again, my info on this is fuzzy, so I may be wrong.
It would be nice if Apple would bend a little on this point. In large environments, it's crazy that a student can simply un-enroll their device within seconds with a few taps.
Yep, Apple is clearly too busy selling iPhones/iPads to consumers to put much effort into extending the MDM spec. Very VERY frustrating for us enterprise customers. By the time they figure it out and MDM vendors adopt any new functionality, Google Chromebooks will have gained a big foothold in our district. At least we can lock those into our Google domain / Google management.
I can only imagine how it is going with the LAUSD iPad rollout....
To protect the MDM enrollment it needs to be part of the supervision. That's the only way to lock it in. Yes, the WWDC vaporware video just makes me roll my eyes right now, but hearing about ongoing beta programs in the industry, it seems like we're actually getting close on this now. Of course, you'll most likely need to re-supervise when we get there, which means a wipe. So, the carrot method is the only way right now. That, or just alert on students removing the profile, and it becomes a discipline matter then... Those are your choices! There is a support paradigm shift there as well that needs to happen, which makes things more difficult. I'll admit I chuckle a bit when I see Chromebooks as the threat to iPads, because let's be real, they're two completely different things with their own issues; the reason they're gaining a foothold is the price point.
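The "just alert on students removing the profile" option above can be automated from inventory data. The following is an added example, not code from the thread or from Jamf: it parses the shape of the Jamf Pro Classic API response for GET /JSSResource/mobiledevices, which lists each device with <managed> and <supervised> flags (the exact field names are an assumption about that API), and flags devices whose MDM profile is gone and devices that are still enrolled but unsupervised, so the profile can be removed at any time. The XML is constructed sample data, not a real export.

```python
"""Flag iPads whose MDM profile has been removed, from Jamf-style inventory XML.

Added example (not from the thread, Apple or Jamf). The element names
<managed> and <supervised> are assumed to match the Jamf Pro Classic API
mobile device list; the inventory below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three iPads, one of which has had "Remove Management" tapped
# and one of which was enrolled without supervision.
SAMPLE_INVENTORY = """<mobile_devices>
  <size>3</size>
  <mobile_device>
    <id>101</id>
    <name>iPad-ENG-07</name>
    <serial_number>DMPXXXXXXX01</serial_number>
    <managed>true</managed>
    <supervised>true</supervised>
  </mobile_device>
  <mobile_device>
    <id>102</id>
    <name>iPad-ENG-12</name>
    <serial_number>DMPXXXXXXX02</serial_number>
    <managed>false</managed>
    <supervised>true</supervised>
  </mobile_device>
  <mobile_device>
    <id>103</id>
    <name>iPad-LIB-03</name>
    <serial_number>DMPXXXXXXX03</serial_number>
    <managed>true</managed>
    <supervised>false</supervised>
  </mobile_device>
</mobile_devices>
"""


def parse_inventory(xml_text):
    """Return a list of device dicts (id, name, serial, managed, supervised)."""
    root = ET.fromstring(xml_text)
    devices = []
    for dev in root.findall("mobile_device"):
        devices.append({
            "id": int(dev.findtext("id")),
            "name": dev.findtext("name"),
            "serial": dev.findtext("serial_number"),
            # Jamf reports booleans as the strings "true"/"false"
            "managed": dev.findtext("managed", "false").lower() == "true",
            "supervised": dev.findtext("supervised", "false").lower() == "true",
        })
    return devices


def unmanaged_devices(devices):
    """Devices reporting managed=false: the MDM profile was removed and the JSS can no longer talk to them."""
    return [d for d in devices if not d["managed"]]


def removable_devices(devices):
    """Devices still managed but unsupervised: a user can remove the profile in Settings at any time."""
    return [d for d in devices if d["managed"] and not d["supervised"]]


def alert_lines(devices):
    """Build the alert text an admin would forward as a discipline matter."""
    lines = []
    for d in unmanaged_devices(devices):
        lines.append(f"ALERT: {d['name']} ({d['serial']}) has removed the MDM profile")
    for d in removable_devices(devices):
        lines.append(f"WARN: {d['name']} ({d['serial']}) is enrolled but unsupervised; profile is removable")
    return lines


if __name__ == "__main__":
    for line in alert_lines(parse_inventory(SAMPLE_INVENTORY)):
        print(line)
```

In practice the XML would come from an authenticated GET against the JSS rather than a string constant, and the alert lines would feed whatever ticketing or mail system the district uses; the detection logic is the same.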
To repeat and simplify the answer to the original question:
We have students using iPads that are removing the MDM profile. Is there a way to prevent this?
Using Apple's Device Enrollment Program (DEP) is the only way to enroll an iOS device into a Mobile Device Management solution such as The Casper Suite and have that enrollment be non-removable.
You need to set up a PreStage Enrollment with the options to Supervise Devices and Make MDM Profile Mandatory. You then assign iPads to the PreStage Enrollment. When it boots for the first time it will try to activate and then configure the device according to the PreStage Enrollment. You will have to erase and reset any you have already done in order to get these new settings.
Were your iPads actually enrolled by DEP during Setup Assistant? If you turned on the PreStage Enrollment after the fact, and the devices were originally enrolled some other way (manually, Configurator, etc.), then the enrollment profile won't be mandatory. If that device is wiped, it will be forced into DEP with mandatory profiles during Setup Assistant. But you have to wipe it to force it to Setup Assistant to get to that stage.
@Emmert a user can open Settings.app, go to General > Device Management > MDM Profile and select Remove Management. From that point, the device is unmanaged and I can't talk to the device any longer.
@kerouak & @weldon I've got DEP set up in Apple School Manager and have our PreStage Enrollment scoped out to the iOS devices, so they get enrolled out of the box. With my test iPads, I am wiping to be sure it gets the current PreStage Enrollment (a la Settings > General > Reset > Erase All Content & Settings).
I appreciate your feedback. If this process is working for you guys, there must be something awry with my JSS. I may have to reach out to my Jamf buddy.
Ah, I see it's the following as I'm adding older devices to DEP via Configurator:
For a period of 30 days after provisional enrollment, users are able to remove MDM and opt out of DEP. The lock screen will display small text, instructing users that they can “leave remote management in Settings:”
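Pulling the thread's answers together: whether a student can remove MDM depends on three things, the DEP profile settings (supervised and non-removable, which Jamf exposes as the Supervise Devices and Make MDM Profile Mandatory PreStage options), whether the device actually went through Setup Assistant with that profile rather than being enrolled manually or by Configurator first, and, for devices added to DEP through Apple Configurator, the 30-day provisional window quoted just above. The block below is an added example, not code from the thread, Apple or Jamf; it models those rules and shows the weak profile definition beside the corrected one. The profile keys follow Apple's DEP profile definition (is_supervised, is_mdm_removable, is_mandatory); the device records, dates and the field names enrolled_via and provisional_enrolled_on are constructed for this example.

```python
"""Model of when a user can remove MDM from a DEP-enrolled iPad.

Added example (not from the thread, Apple or Jamf). Profile keys follow
Apple's DEP profile definition; device records are constructed sample data.
"""
from datetime import date

PROVISIONAL_DAYS = 30  # window in which a Configurator-added device may leave remote management
TODAY = date(2017, 3, 15)  # constructed "current" date for the sample devices

# Weak definition: enrollment is opt-in, so the profile can be removed in Settings.
WEAK_PROFILE = {"profile_name": "Student iPad", "is_supervised": False,
                "is_mandatory": True, "is_mdm_removable": True}
# Corrected definition: supervised + non-removable, i.e. Jamf's "Supervise Devices"
# and "Make MDM Profile Mandatory" PreStage options.
LOCKED_PROFILE = {"profile_name": "Student iPad", "is_supervised": True,
                  "is_mandatory": True, "is_mdm_removable": False}

# Constructed device records. enrolled_via: how the device got its MDM profile;
# provisional_enrolled_on: date it was added to DEP via Apple Configurator, or None.
SAMPLE_DEVICES = [
    {"name": "iPad-DEP-01", "enrolled_via": "dep_setup_assistant", "provisional_enrolled_on": None},
    {"name": "iPad-MANUAL-02", "enrolled_via": "manual", "provisional_enrolled_on": None},
    {"name": "iPad-CFG-03", "enrolled_via": "dep_setup_assistant", "provisional_enrolled_on": date(2017, 3, 1)},   # 14 days ago
    {"name": "iPad-CFG-04", "enrolled_via": "dep_setup_assistant", "provisional_enrolled_on": date(2017, 1, 20)},  # 54 days ago
]


def validate_dep_profile(profile):
    """Return the settings that leave enrollment removable; an empty list means the profile locks it."""
    problems = []
    if not profile.get("is_supervised", False):
        problems.append("is_supervised is false: an unsupervised device can always remove MDM")
    if profile.get("is_mdm_removable", True):
        problems.append("is_mdm_removable is true: the MDM payload can be removed in Settings")
    if not profile.get("is_mandatory", False):
        problems.append("is_mandatory is false: the user can skip enrollment in Setup Assistant")
    return problems


def user_can_remove_mdm(profile, device, today=TODAY):
    """Return (removable, reason) for one device under the given DEP profile."""
    # DEP settings only take effect on a device that ran Setup Assistant with them;
    # anything enrolled manually or via Configurator must be wiped first.
    if device["enrolled_via"] != "dep_setup_assistant":
        return True, "enrolled outside DEP Setup Assistant; wipe and re-activate to apply the PreStage"
    problems = validate_dep_profile(profile)
    if problems:
        return True, "; ".join(problems)
    # Devices added to DEP with Apple Configurator are provisional for 30 days.
    added = device.get("provisional_enrolled_on")
    if added is not None:
        days = (today - added).days
        if days < PROVISIONAL_DAYS:
            return True, f"provisional DEP enrollment: {PROVISIONAL_DAYS - days} day(s) left to leave remote management"
    return False, "supervised, non-removable MDM profile applied via DEP"


def removable_report(profile, devices=SAMPLE_DEVICES, today=TODAY):
    """Map each device name to its (removable, reason) result."""
    return {d["name"]: user_can_remove_mdm(profile, d, today) for d in devices}


if __name__ == "__main__":
    for label, profile in (("WEAK", WEAK_PROFILE), ("LOCKED", LOCKED_PROFILE)):
        print(f"--- {label} profile ---")
        for name, (removable, reason) in removable_report(profile).items():
            print(f"{name}: {'REMOVABLE' if removable else 'locked'} ({reason})")
```

With the locked profile only the manually enrolled iPad and the Configurator-added iPad still inside its 30-day window come back removable; with the weak profile every device does, which is the situation the original question describes.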