Removable MDM Profile

nhubbard
New Contributor III

After much reading, research and now frustration, I am throwing this out here in hopes that one of you would have a genius answer for me! I have iPads out to users all over my district where I found out the hard way they can remove the MDM management profile. I enrolled the devices originally by using the browser directly on the device, our URL server location and enrolling. I later discovered through this said research that I could do a PreStage Enrollment and check off that key checkbox of not allowing the user to remove the MDM profile. Of course I had never done that before. Through MORE research, I realized the devices needed to be enrolled in my DEP, which happens to be Apple School Manager. I go to ASM, import a test device, and it shows up in my DEP in my JSS. Perfect. I scope this PreStage Enrollment to that device and nothing happens. Any help? Advice? If you could save my sanity I would greatly appreciate it :)

5 REPLIES

bfrench
Contributor III

The settings in a PreStage Enrollment will only take effect when the device is set up. Adding a device that is already set up to a PreStage will do nothing unless you erase the device and set it up again. In your case, the only option is to wipe all devices and set them up again.

Malcolm
Contributor II

There is also a new method for this which involves manual DEP enrolment via Apple Configurator 2.5, and will eventually lock the ability to remove the MDM enrolment for iOS 11 devices. I think the grace period is 90 days.

nhubbard
New Contributor III

Malcolm, I do have AC 2.5. Is there a guide that you can direct me to on how to do this? Documentation anywhere?

Macpants
New Contributor III

I ran into this before and I seem to remember that the device has to be reset for the enrollment to work. This is because when an iOS device is powered on after a factory reset, it contacts the APNS (Apple Push Notification Server). Normally APNS tells that device "Welcome, you're a legitimate device located in X country." But a DEP-enrolled device gets told "Go talk to their server," which in your case seems like it would be your district's Jamf instance.

After the first power on, it's regarded as "owned" by that user. Once it's reset, it can essentially be assigned a new owner, which in your case would be you and your school district. (This doesn't apply after it's assigned via DEP, as DEP supervision assigns it to the larger entity and makes it possible for IT managers like ourselves to keep devices from wandering off.)

This may be a bit of an over-explanation, so a) I apologize for that and b) let me know if I can clarify anything.

nhubbard
New Contributor III

I would much rather have something over-explained to me ;) I actually appreciate it - thank you. At least I'm getting a little clarification now. I was just hoping that where they have already been enrolled I wouldn't have to go device to device and wipe them and all their apps as well... such is the life of being in IT.