Preventing removal of MDM Profile?

New Contributor III

Is there any way to prevent the removal of the MDM/management profile from a Mac, if the user is an admin? We usually lock the "Profiles" pref pane using a Config Profile, but I'm wondering if there's a way to keep the user from deleting the management profile if we unlock that pref pane? In my testing, I've not been able to stop an admin-level user from deleting whatever profiles they want.


Valued Contributor


As usual Rich has it covered


New Contributor III

Ah, yes...I should have known - is there anything that man doesn't know? :)

Thank you - I'll check out that post.

New Contributor III

Okay, I've looked it over, and it looks as though it works only for manually installed config profiles. Is there a way to make this change to pre-existing profiles, such as the one that gets installed during JSS enrollment?

Valued Contributor

Try a smart group looking for MDM Enrollment Not Enrolled, and then scope a policy to run jamf manage to pull it back down.

New Contributor III

@dpertschi I'll give that a try - thank you!

New Contributor

@jkarpenske did you ever get this working for pre-existing profiles? We're trying to get Jamf set up for our faculty, and password-protecting that profile sure would be nice...



I just found this thread and have a (maybe stupid) question:

from my understanding you have to add the code

            <string>Enter the password in the RemovalPassword key to remove this profile</string>

into the MDM profile so it can't be removed, right?

How am I doing this? I can't edit it in JAMF afaik

New Contributor III

Hello, I'm new to the JAMF world. Where can I find this script to modify?