Is there any way to prevent the removal of the MDM/management profile from a Mac, if the user is an admin? We usually lock the "Profiles" pref pane using a Config Profile, but I'm wondering if there's a way to keep the user from deleting the management profile if we unlock that pref pane? In my testing, I've not been able to stop an admin-level user from deleting whatever profiles they want.
Okay, I've looked it over, and it looks as though it works only for manually installed config profiles. Is there a way to make this change to pre-existing profiles, such as the one that gets installed during JSS enrollment?
I just found this thread and have a (maybe stupid) question:
from my understanding you have to add the code
<dict> <key>Description</key> <string>Enter the password in the RemovalPassword key to remove this profile</string> <key>PayloadType</key> <string>com.apple.profileRemovalPassword</string> <key>PayloadUUID</key> <string>CA7AE3B9-9A50-4596-A2F5-EFDE48AD4431</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadEnabled</key> <true/> <key>RemovalPassword</key> <string>PasswordGoesHere!</string> </dict>
into the MDM profile so it can't be removed, right?
How am I doing this? I can't edit it in JAMF afaik