Preventing removal of MDM Profile?

jkarpenske
New Contributor III

Is there any way to prevent the removal of the MDM/management profile from a Mac, if the user is an admin? We usually lock the "Profiles" pref pane using a Config Profile, but I'm wondering if there's a way to keep the user from deleting the management profile if we unlock that pref pane? In my testing, I've not been able to stop an admin-level user from deleting whatever profiles they want.


Nix4Life
Valued Contributor

@jkarpenske,

As usual Rich has it covered

Larry

jkarpenske
New Contributor III

Ah, yes...I should have known - is there anything that man doesn't know? :)

Thank you - I'll check out that post.

jkarpenske
New Contributor III

Okay, I've looked it over, and it looks as though it works only for manually installed config profiles. Is there a way to make this change to pre-existing profiles, such as the one that gets installed during JSS enrollment?

dpertschi
Valued Contributor

Try a smart group looking for MDM Enrollment Not Enrolled, and then scope a policy to run jamf manage to pull it back down.

jkarpenske
New Contributor III

@dpertschi I'll give that a try - thank you!

nfriedl
New Contributor

@jkarpenske did you ever get this working for pre-existing profiles? We're trying to get Jamf set up for our faculty, and password-protecting that profile sure would be nice...

Thanks!

leonwun
Contributor

I just found this thread and have a (maybe stupid) question:

From my understanding, you have to add the code

        <dict>
            <key>Description</key>
            <string>Enter the password in the RemovalPassword key to remove this profile</string>
            <key>PayloadType</key>
            <string>com.apple.profileRemovalPassword</string>
            <key>PayloadUUID</key>
            <string>CA7AE3B9-9A50-4596-A2F5-EFDE48AD4431</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>RemovalPassword</key>
            <string>PasswordGoesHere!</string>
        </dict>

into the MDM profile so it can't be removed, right?

How am I doing this? I can't edit it in JAMF afaik
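One way to add the payload quoted above to a profile file you build and install yourself, as an added example that is not part of the original post and not Jamf's own tooling. It assumes an unsigned .mobileconfig; the function name, the sample profile and the `com.example.demo` identifier are constructed for illustration.

```python
import plistlib
import uuid

REMOVAL_TYPE = "com.apple.profileRemovalPassword"  # payload type quoted in the post above


def add_removal_password(profile_bytes: bytes, password: str) -> bytes:
    """Return the profile with exactly one removal-password payload.

    Assumes an unsigned .mobileconfig (XML or binary plist). A signed
    profile is a CMS envelope and has to be unwrapped before editing.
    """
    if not password:
        raise ValueError("removal password must not be empty")
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level configuration profile")

    payloads = profile.setdefault("PayloadContent", [])
    # Drop any existing removal-password payload so re-running is idempotent.
    payloads[:] = [p for p in payloads if p.get("PayloadType") != REMOVAL_TYPE]

    payload_uuid = str(uuid.uuid4()).upper()  # fresh UUID, not the one from the post
    parent_id = profile.get("PayloadIdentifier", "com.example.profile")
    payloads.append({
        "Description": "Enter the password in the RemovalPassword key to remove this profile",
        "PayloadType": REMOVAL_TYPE,
        "PayloadIdentifier": f"{parent_id}.removal.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "RemovalPassword": password,
    })
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Constructed sample profile (not from the thread), embedded so this runs offline.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.demo",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Demo profile",
    "PayloadContent": [],
})

if __name__ == "__main__":
    print(add_removal_password(SAMPLE, "PasswordGoesHere!").decode())
```

The password is written into the profile in cleartext, so the resulting file should be handled as a secret.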

nikjamf
New Contributor III

Hello, I'm new to the JAMF world. Where can I find this script to modify?