Identifying machines with removable MDM

pseudopunk
New Contributor III

What is the best way to identify endpoints with removable MDM profiles? I suspect that some computers in my environment may have been deployed that way before I was hired.

1 ACCEPTED SOLUTION

pseudopunk
New Contributor III

Update: I spoke with Jamf support and was told that there is no way to determine removability of MDM profiles without inspecting each device manually.


12 REPLIES

bfrench
Contributor III

Allow MDM profile removal is set in a prestage - so you may be able to create a smart group based on a prestage that allows it.

pseudopunk
New Contributor III

Yeah, I realize that it is set in pre-stage. It looks like that the pre-stage I'm worried about was also removed from Jamf at some point because the name is blank in the computer record. Any other ideas?

sdagley
Esteemed Contributor II

@pseudopunk Try running the following command on a Mac you know has a non-removable MDM Profile:

sudo profiles show -all -verbose -output stdout-xml > ~/Desktop/InstalledProfiles.xml

Search through the output for the "MDM Profile" data, and see if there is an associated ProfileRemovalDisallowed Key with a true string attribute following it. That will indicate a non-removable profile. I'll note that on the Mac I'm using right now I do _not_ see a ProfileRemovalDisallowed for the MDM Profile, but I know it isn't removable. I'll have to check another machine to see if that's a fluke or not later.

pseudopunk
New Contributor III

Thank you, but we have hundreds of endpoints and I need a way to identify which would need remediation.

sdagley
Esteemed Contributor II

@pseudopunk I'm looking to see how the MDM Profile in your deployment to a good Mac looks. Once you know that the next step is to create an Extension Attribute that checks all of your Macs for the indication of a removable MDM Profile so you can identify problem machines.

pseudopunk
New Contributor III

Thank you. I do see that key and it is set to true.

pseudopunk
New Contributor III

Actually, I take it back. It looks like all of the other profiles have that key but not the MDM profile itself.

sdagley
Esteemed Contributor II

@pseudopunk That seems wrong, but I'm seeing the same thing here. I don't have any Macs that have a removable MDM Profile to compare to, but without that key to indicate removability I don't know of another mechanism to use for a check.

bfrench
Contributor III

How many of your hundreds currently do not have an affiliated Prestage? How long ago were they enrolled? They might not have been enrolled via a prestage if they have been around awhile. Are they offsite? Are your staff prone to fiddling with management settings? Or are these student devices? How much longer will your devices be in service?

pseudopunk
New Contributor III

Thank you for your response. There are maybe 20 without an affiliated pre-stage. The computer record says they were enrolled with a pre-stage, but does not indicate a specific pre-stage used. They were enrolled in 2018. These are staff machines in a remote work environment. They are generally not "fiddled with," but one user did upon exiting the company and now I need to assess risk in an environment that is very new to me.

After much back and forth with Jamf support, the answer I received from them is that there is no way to determine removability without checking the device itself to see if the minus sign is greyed out for profile removal.

pseudopunk
New Contributor III

Update: I spoke with Jamf support and was told that there is no way to determine removability of MDM profiles without inspecting each device manually.

This is incorrect. This status can be pulled as part of the `sudo profiles show -type enrollment` command
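As an added example (not code from this thread, from Jamf, or from any poster), here is what the Extension Attribute sdagley describes could look like, combining both probes discussed above: the per-profile plist from `profiles show -all -verbose -output stdout-xml` (looking for ProfileRemovalDisallowed on the "MDM Profile" dict, which the thread found is usually absent) and the enrollment record from `profiles show -type enrollment`. It assumes that the enrollment record contains a line of the form `IsMDMRemovable = 0;` or `IsMDMRemovable = 1;`, which is my understanding of how that command prints the Automated Device Enrollment configuration; verify that on a Mac you know is non-removable before trusting the result fleet-wide. The two sample outputs and the `com.example.mdm` identifier are constructed so the script can be exercised on any machine; when run as root on a Mac with the `profiles` tool present it queries the live device instead.

```shell
#!/bin/sh
# Jamf Extension Attribute style check for MDM profile removability.
# Added example, not from the thread or from Jamf. Two probes are combined
# because the thread found the ProfileRemovalDisallowed key missing from the
# MDM Profile dict on machines that are in fact non-removable.

# Probe 1: parse the plist printed by
#   sudo profiles show -all -verbose -output stdout-xml
# Finds the dict whose ProfileDisplayName is "MDM Profile" and reports the
# ProfileRemovalDisallowed value inside that dict. Prints one of:
#   disallowed | allowed | absent
mdm_profile_removal_flag() {
    printf '%s\n' "$1" | awk '
        /<key>ProfileDisplayName<\/key>/ { want_name = 1; next }
        want_name {
            want_name = 0
            in_mdm = ($0 ~ /<string>MDM Profile<\/string>/)
            next
        }
        in_mdm && /<key>ProfileRemovalDisallowed<\/key>/ { want_flag = 1; next }
        want_flag {
            want_flag = 0
            if ($0 ~ /<true\/>/)  { print "disallowed"; done = 1; exit }
            if ($0 ~ /<false\/>/) { print "allowed";    done = 1; exit }
        }
        END { if (!done) print "absent" }'
}

# Probe 2: parse the record printed by  sudo profiles show -type enrollment
# ASSUMPTION: the record carries a line "IsMDMRemovable = 0;" or "= 1;".
# Prints one of:  not removable | removable | unknown
mdm_enrollment_removable() {
    printf '%s\n' "$1" | awk '
        /IsMDMRemovable[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); sub(/[[:space:]]*;.*/, "")
            if ($0 == "0") { print "not removable"; done = 1; exit }
            if ($0 == "1") { print "removable";     done = 1; exit }
        }
        END { if (!done) print "unknown" }'
}

# Single verdict for the EA: the enrollment record wins when it answers;
# otherwise fall back to the profile flag; "REVIEW" means neither probe
# could decide and the Mac needs a manual look (the case the thread hit).
ea_status() {
    enr=$(mdm_enrollment_removable "$2")
    flag=$(mdm_profile_removal_flag "$1")
    case "$enr" in
        "not removable") echo "LOCKED" ;;
        removable)       echo "REMOVABLE" ;;
        *) case "$flag" in
               disallowed) echo "LOCKED" ;;
               allowed)    echo "REMOVABLE" ;;
               *)          echo "REVIEW" ;;
           esac ;;
    esac
}

# Constructed sample plist (shape only; not captured from a real Mac). The
# MDM Profile dict deliberately lacks ProfileRemovalDisallowed, as reported.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileDisplayName</key>
      <string>Wi-Fi Settings</string>
      <key>ProfileRemovalDisallowed</key>
      <true/>
    </dict>
    <dict>
      <key>ProfileDisplayName</key>
      <string>MDM Profile</string>
      <key>ProfileIdentifier</key>
      <string>com.example.mdm</string>
    </dict>
  </array>
</dict>
</plist>'

# Constructed sample enrollment records (shape assumed, see header comment).
SAMPLE_ENROLLMENT_LOCKED='Device Enrollment configuration:
{
    AllowPairing = 1;
    IsMDMRemovable = 0;
    IsSupervised = 1;
}'
SAMPLE_ENROLLMENT_OPEN='Device Enrollment configuration:
{
    AllowPairing = 1;
    IsMDMRemovable = 1;
    IsSupervised = 0;
}'

if [ "$(id -u)" -eq 0 ] && command -v profiles >/dev/null 2>&1; then
    # Live run on a Mac; both commands need root.
    live_plist=$(profiles show -all -verbose -output stdout-xml 2>/dev/null)
    live_enrollment=$(profiles show -type enrollment 2>/dev/null)
    echo "<result>$(ea_status "$live_plist" "$live_enrollment")</result>"
else
    # Offline demo against the constructed samples.
    echo "<result>$(ea_status "$SAMPLE_PLIST" "$SAMPLE_ENROLLMENT_OPEN")</result>"
fi
```

Paste the whole script into a Jamf Extension Attribute of type Script; the `<result>` line is what Jamf records, and a smart group on the value `REMOVABLE` (with `REVIEW` as a second group for manual inspection) gives the fleet-wide list the question asks for.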