After DEP enrollment of some iOS 12 devices (manually, using Apple Configurator) and then adding them to ASM and eventually a JAMF pre-enrollment, it seems any end user can remove the MDM profile.
Once set up, JAMF Cloud shows "MDM Profile Removable" as "No", but I can navigate to Settings > General > Profiles and remove the MDM profile (which then erases the device and removes it from ASM).
I went to the Parental Controls section, now moved under Screen Time, and added a restrictions passcode. While this stops the user from erasing the device under General > Reset, I can still erase the device by deleting the MDM profile (which triggers an erase).
Does anyone have any pointers on whether I'm doing something wrong, or is this a new issue?
If you're using JAMF Pro, I'd think it'd be easier to make sure the devices you have are in ASM, then just run them through a JAMF PreStage so they get supervised and you have the option to say the MDM profile isn't removable (unless it's enrolled OTA because it's not a DEP device). That way you don't have to use Apple Configurator at all. Granted, I haven't enrolled any devices on iOS 12 lately, so I'm not totally sure how well the process works, but generally speaking it's fine and fairly smooth.
We just today discovered that the Jamf MDM profile is removable, which might explain why our missing devices have not responded to Lost Mode.
So my question is: how do we protect our equipment from theft (after supervising and managing it) if any user or thief can remove the MDM profile and then erase the device?
Note: DEP is not available in our country (been fighting that battle for years), so please avoid recommending it.