Hi everybody, thanks for this forum.
I'm hoping you can assist me with the following issue.
A community college sold some old Macs to a used Mac vendor, who sold one of them to me. The community college didn't remove their MDM profiles before they sold the Macs, and as I now know, the vendor doesn't check machines for much of anything before reselling them.
Point being, the MDM profiles are still on the used Mac I purchased, which effectively means it's still under the control of the community college IT department.
My questions are:
1) If/when the community college removes the MDM profiles from their end, will they ever be able to reinstall them? Can I be assured that once the profiles are removed my Mac is then secure?
2) I'm pursuing this diplomatically for the moment, but it's going slow, and may not work. Is there any way to remove the MDM profiles and secure this machine from my end?
Many thanks for any advice, much appreciated!
There are ways of removing profiles from machines providing you have admin access - but in this case you'd probably be better off just erasing and re-installing Mac OS and starting afresh. If the community college didn't use Apple's Device Enrollment Programme the device won't re-enroll into their MDM solution either so you'd be safe to use it as your own Mac.
You can remove the enrollment profile via System Preferences as an admin, or use the CLI tool "profiles" to do so.
Hi Ryan, many thanks for your reply.
I believe I'm on their DEP, as wiping the drive clean and re-installing OSX doesn't work. I've done this a number of times now, and the profiles always reappear. The college will probably remove me from their DEP at some point. Working on that.
I'm trying to learn if they would retain the ability to put me back on the DEP list. If removing a UUID from the DEP list is how you un-enroll a machine, couldn't they put the UUID back on the list too? If that's true, it seems my machine would remain wide open to unknown strangers at the other end.
I'm unclear if the link you kindly shared applies to my situation. If I understand it there's nothing on my machine which can be removed to resolve this given I'm apparently on the DEP.
Thanks to any and all who can help me nail this down. This whole subject is actually pretty interesting, but of course I would have preferred to learn about it in another manner.
It sounds like you'll need to get in touch with the college and ask them to remove the serial number of your Mac from DEP.
If you provide them with the serial they can login to a web portal and disown the device. Then you should be free to reinstall.
Thank you very much for the DEP Guide sswartz, this is very useful. I will turn my attention to that.
Ryan, here's the question no one has been able to answer for me yet.
If the college can remove me from DEP simply by taking my UUID or serial number off a list, what's to stop them from adding those numbers back to the list at some future date?
Yes, I know this sounds paranoid, but please consider this. Would you give me, a total stranger on the Internet, your Mac UUID or serial number based on my assurance that I'm a nice guy who knows what I'm doing? Nobody would do this, right?
I'm trying to determine whether I now have to trust a random collection strangers at Apple and the college, or whether there is some concrete barrier to my re-enrollment in DEP.
If there is no concrete barrier (such as for instance the need to physically access the machine) then everybody who owns a Mac that was previously enrolled in DEP would seem to be wide open to losing control of their Mac at any moment.
I don't know that this is true, and am not claiming that it is. I'm just saying that so far, I've been unable to uncover any evidence that it's not true.
Hopefully the DEP Guide will answer this question in a convincing manner, so I'm on to that. Thanks again sswartz!
Here's what the DEP Guide says....
"Note: If a device is sold, lost, returned to the reseller, or damaged beyond repair, it should be permanently removed from your organization’s list of managed devices using the DEP website per the terms of the agreement. However, once a device is removed from DEP, it can’t be added back."
This is progress for sure, but the question is still not yet definitively answered.
Note how the college has already broken the rules of DEP by not removing the Mac from the DEP list prior to sale.
So when we get to the issue of adding a device back to the DEP, does Apple mean a device shouldn't be added back on the DEP list, or that it literally can not be added back?
As example, suppose I sold this Mac to another college. Could that college add this Mac to their DEP list? Or would they be unable to do so? If I had a DEP account, could I add this Mac back to the DEP list, or would the software prevent me from doing so?
Not an authority and not tested, but another line from the guide. . . .
DEP is available to qualifying businesses, K–12 public and private schools, colleges, and universities that purchase iPad or iPhone devices or Mac computers directly from Apple or participating Apple Authorized Resellers or carriers.
So I do not believe anyone other than the original purchaser of the device from an authorized seller can DEP it.....can DEP be a verb?
I think it is a one and done.
It can't be added back at all as far as I know. You also can't sell it to a school and have them add it to their DEP without you being an Authorized Apple Reseller. It all comes back to the place you purchased it from doing what they are supposed to do and remove it from their DEP. DEP by design makes it difficult/impossible for end users to remove the MDM profiles protecting business/education owned devices and policies. Without it we have little to no control over what students/employees do with company owned equipment since they can just remove the MDM profile and no longer have any management on them.
If you continue reading the DEP guide you will see:
DEP is available to qualifying businesses, K–12 public and private schools, colleges, and universities that
purchase iPad or iPhone devices or Mac computers directly from Apple or participating Apple Authorized
Resellers or carriers.
• Apple Customer Number. If you purchase hardware or software directly from Apple, you’ll receive an
account number assigned to your business or institution. This number is required to connect eligible
orders and devices to your DEP account. If you don’t know this number, contact your purchasing agent
or finance department. Your organization might also have multiple Apple customer numbers, which
you can add during enrollment or on the DEP website once you’re approved.
• DEP Reseller ID. If you purchase hardware or software directly from a participating Apple Authorized
Reseller or carrier, you’ll need to provide your reseller’s DEP Reseller ID. If you don’t know this number,
contact your reseller. If you purchase from multiple resellers, enter the DEP Reseller ID of each.
• Note: In addition to providing your reseller’s DEP Reseller ID, you must tell your reseller that you want
your device purchases submitted to the DEP program. Providing the DEP Reseller ID alone is insufficient
to enroll your devices in DEP.
Thanks for the discussion guys. The best I can contribute here is try to focus us on this question...
It seems clear that once a device is removed from DEP, Apple policy is that it is no longer permitted for anyone to put that device back on the DEP list.
Is this just a policy? Or would Apple's software literally block any attempt to re-enroll a device previously on the DEP list? Does Apple keep track of every device ever enrolled, and check each new device which someone wants to add to DEP against that master list?
I know my concern may sound a bit excessive, even paranoid. But, um, so far everyone involved in this transaction has either lied to me or violated Apple policy so I'm trying to assure myself that Apple will actually prevent anyone from re-enrolling this device at any time for any reason. I'm guessing this is the case, but I'm hoping to find something from Apple which specifically makes this promise.
Duh.... Perhaps I should be asking, how do I get in touch with the DEP managers at Apple? Anybody know how to do that?
Once devices are disowned from DEP they simply cannot be re-added without really pushing Apple. Depending on the source of the device originally, they're assigned to the college's DEP ID via Apple or an authorised reseller, but if a device is disowned only Apple are able to overrule this. No administrators of any DEP account are able to add serial numbers back into DEP without it being assigned first. Officially, you're not allowed to but unless the college provides proof of purchase of that device and jumps through all the hoops with Apple to get the device added back to DEP (I don't see why they would).
I don't think you have anything to worry about once it's been disowned and formatted.
Thank you for the continuing discussion. Ok, it seems I will have to settle for "not likely" instead of "impossible". Or I'll need to return this machine to vendor, which I'm considering.
Perhaps the following questions will advance the thread.
How will I know when my Mac has been removed from DEP?
I have two installs of OSX. On one hard drive the MDM profiles were auto-installed as you'd expect. On the other hard drive I'm being relentlessly nagged to install the profiles. The internal hard drive on the affected Mac has been erased of everything.
What will happen when the Mac is removed from DEP? Will the MDM profiles and nag screens all vanish from both existing OSX drives?
Or, would I need to start over and reinstall OSX from scratch to get a clean drive free of all things MDM?
You'd be reliant on the College informing you of when the device is removed from DEP as it's only the DEP admin who was in control of that device that will be made aware of changes. To clear the machine of any MDM enrolment it would be easiest to erase and re-install the OS then at the point the device activates during the initial setup wizard you should find that the device proceeds without enrolling to the MDM. If you don't want to completely flatten the machine you'd have to look into removing the enrollment profile from System Preferences > Profiies or using the Profiles CLI tool I mentioned before. If the MDM of choice the machine is enrolled into is Casper / JAMF Pro, you'll also have to run this command in Terminal.
sudo jamf -removeFramework
This will remove the JAMF binary from the machine so it can't be managed anymore.
Thank you Ryan. I think it will be best for me to erase the drive and reinstall OSX from scratch. I don't understand the terminal command line discussion, and would probably do more harm than good.
So it's possible the machine has already been un-enrolled and I don't know it because nobody bothered to tell me? Do I understand that right?
Does the fact that it keeps nagging me to install MDM updates tell me anything about whether I'm still enrolled or not?
After talking to the used Mac vendor, it sounds like Sloppy College is doing this to a number of people, perhaps many. Have any advice regarding whether I should bother to try to contact the DEP department at Apple and report the violation of their rules? Would anything constructive come of that, or just a waste of time?
Appreciate your assistance as always.
That's fair enough! :-)
It's possible if you've asked them to, but I'd still call / email them to say have you removed this serial number from your DEP portal yet just to be sure, for your own times' sake over anything else. If you reinstall and they haven't removed your machine it'll just re-enroll again, annoyingly!
I would imagine the nag screen is because you're still enrolled, too.
If you contacted Apple and gave them your serial number they may be able to disown it on behalf of the college but other than that I wouldn't imagine it'd do much other than cause a fuss.
Just a thought here and I know this is a old post but modifying various configurations in the EFI bootloader for the computer would allow anyone to change the reported serial number, UUID, model, OS version, etc. of a Mac to anything you'd like. This also is how people can run macOS on non-apple devices. I'm guessing it could be used to change the enrollment credentials of a devices enrolled in DEP to those which would not automatically reenroll a device and also could be used to fake the serial number of a previously enrolled device to allow it to be put back into the system.
Kind of makes me wonder what the vetting process is for those "qualified businesses" who are allowed to use DEP. Not trying to put down Apple, but in reality their impenetrable-fortress-stealth-firewall has nearly 6,500 NIST Common Vulnerabilities and Exposures IDs, kernels are no longer signed, code signing is broken, developer certificates are available to anyone with 2 mouse clicks, the Mac App Store has distributed a lot of Trojan horse malware files which can take months and years to get removed, to name a few doubts. Which all makes me wonder what if some of their rhetoric is just marketing magic making it possible for a malware developer to enroll devices into DEP ensuring they have persistent access to a device. The solution always recommended by the copy and pasters on the Apple Communities forum whenever anyone thinks their system has been compromised is to "reinstall your OS." Done properly someone would not even know that they're device is being "managed".
To the best of my knowledge only hardware vendors have the ability to enroll hardware devices into the Apple Business Portal at the time of purchase. The pain point in this process is to continually remind them to enroll the devices so we can properly supervise our devices. "Zero touch" - LOL
1. Turn of system integrity.
Shut down computer.
Boot up computer while holding (command + R)
Type (csrutil disable)
2. Give terminal root files access.
Open ‘Privacy and Security’ in ‘System Preferences’.
Press ‘Complete Disk Access’
Unlock with the lock button at the bottom left
3. Terminal Commands
Type: ‘sudo jamf -removeFramework’ into terminal, press enter.
Type: ‘sudo -i’ into terminal, press enter and enter your password, press enter.
Type: ‘cd /var/db/‘ into terminal, press enter.
Type: ‘mv ConfigurationProfiles ConfigurationProfilesOLD’ into terminal, press enter.
Type: ‘logout’ into terminal, press enter.
4. Final steps.
hey!! thanks @adambrest it worked for me. All the profiles were deleted. But when i restart the mac on the lock screen it still has the message " This computer is managed by ....." how do I remove it?
@Dipsol - that'll be a custom Login Window configuration...if you run the following it should return the message:
defaults read /Library/Managed Preferences/com.apple.loginWindow LoginwindowText
To remove, run
defaults delete /Library/Managed Preferences/com.apple.loginWindow LoginwindowText
You can then run the first command again to verify it has gone.
Hi, I followed adambrest's directions above to the letter and it worked - all profiles were removed. However, two strange things have happened: The Profile icon and function is no longer in System Preferences. A search in Spotlight finds Profiles and I can open it; the icon and function temporarily returns to System Preferences, but disappears again after a restart. When I manage to get Profiles to display after the Spotlight search it says I have no Profiles installed, but it should show the OS X 10.15.6 Beta profile that I installed after following adambrest's instruction. Did I do something wrong? How can I get Profiles permanently back in System Preferences?
The second oddity is that I'm still occasionally getting a device enrollment notification (see attached). How do I permanently get rid of this notification?
It looks like your computer is enrolled in the University's Automated Enrollment program. That is why you are getting the pop-ups.
Who owns this computer? You or the University? If the university owns it, why would you delete all the profiles? They were installed to properly manage your computer and ensure that you have access to University applications and resources?
If this is your personal computer, you need to work with the University to remove it from their ABM account.