Remove my laptop from Device Enrollment Program prompt

amolsarva
New Contributor II

I bought a used Macbook and have updated it to the latest Mavericks. From when I first powered it on I have been getting prompts to enroll the device. I can't get them to go away...only cancel them and they reappear dozens of times per day.

I guess the folks who sold the machine have it in their DEP server? Or there is an agent that keeps checking?

How can I disable the agent that keeps prompting me to join?

Could not figure out after 30 minutes searching JAMF and other sites discussions of the various woes of school IT admins. :(

61 REPLIES

Look
Valued Contributor III

Until the original owner removes it from DEP it will basically continue to do this.
There are two places the info is stored.
Apple has the device listed as belonging to a certain organisation.
That organisation has the device set to auto enroll.
Both listings are effectively controlled by the organisation so they are the ones to contact to stop it.
It's an inbuilt function within OS X not something that is installed or added later so not easy to disable and really should be dealt with by contacting the original owner.
Even if the machine is completely wiped and reinstalled the moment it hits the internet it will return.

emily
Valued Contributor III

If you purchased that machine from the organization in the prompt, you should contact them to help un-enroll the device (ideally they would have done so already if they were selling it).

mtward
New Contributor III

Piggybacking on what Emily said: If you bought it from another party (not in the prompt) as a legit 3rd party sale, I would still contact the organization, ask for the IT department and explain the situation. Likely, they will cut their losses and help you out since you didn't remove it from their possession.

They may want it back, which if they do, I would recommend just sending back. It truly is a brick and pointless to keep/use until it is either enrolled or removed from their DEP enrollment. This is exactly why it's built this way.

amolsarva
New Contributor II

Thanks all. I bought it through a dealer on Amazon.com -- wholesale used machines something something.

But it isn't a brick - it works fine - it just has this silly prompt. I suspect there must be a way to silence those reminders! Otherwise anybody with access to a serial number could enroll a machine and remotely "take control" of it....

mm2270
Legendary Contributor III
"Otherwise anybody with access to a serial number could enroll a machine and remotely "take control" of it...."

That isn't exactly how DEP works. Apple wouldn't put something in place that would be so easy to exploit by nefarious people.

I hate to say it, but it almost sounds like you purchased a lost/stolen device. It may not be that, and could genuinely be that the people who sold it forgot to remove it from their DEP program, but I don't know - wholesale used machines etc? Sounds a little fishy to me.
Also, I'm familiar with the New England Center for Children. They have a location that's literally down the street from where I work. I know they have a location in, I think, Abu Dubai or some place like that. Any chance you can contact them about it? They would be the only ones who can get rid of this. The fact that you are just looking for a way to disable it without going through the correct channels also raises some suspicion with me. If this purchase was legit and you aren't up to anything fishy, you need to be contacting them to see if they can help, or at least the reseller and ask them for assistance in contacting the original owners. Resellers on Amazon do not like negative reviews, so you may want to just drop a hint that one such review may be forthcoming unless they can assist you.

Look
Valued Contributor III

Not at all. A machine can only be in DEP if sold by an Apple authorized dealer to an Apple authorized organisation; the original dealer registers it for your specific DEP upon delivery to your organization. At which point only your organization can add or remove it from DEP. If properly disowned in DEP it can then never be re-enrolled; this is what is supposed to have occurred with any resold DEP device. EDIT: Beaten to it I see :)

amolsarva
New Contributor II

Thanks folks.

Let's see what the IT guy at Center for Children says.

amolsarva
New Contributor II

Yep the Center for Children says they overlooked removing the machine from their DEP and has now done it. Though it hasn't cleared the alert 4 days later. So now onto Apple.

Which means despite the very wise commentary of posters above there seems to be issues with both Apple and the DEP admins, and none with the wholesale used laptop company that sells Macs via the suspicious internet site Amazon.com

rangert
New Contributor

Did you ever get this solved? I am in the same situation, the MacBook is good other than this annoying popup.

mpermann
Valued Contributor II

@rangert you'll likely have to track down the organization that is listed to ask them to remove the device from their DEP instance. If the device wasn't lost or stolen they will likely be happy to remove it from their DEP portal. That's really the only way to get around this issue.

rangert
New Contributor

@mpermann, Thank you.

I made a phone call to their main number and got a name/email for someone who would actually do it, so we shall see how that goes. Also, I talked to Apple Tech support and after some consulting with Enterprise tech support they confirmed it is just the former owners that need to remove it, Apple has nothing to do with removing the system from DEP.

I feel lucky to stumble across this group using google image search as I had no idea what management backend was responsible for those pop-ups.

cainehorr
Contributor III

We have a system that we removed from our Apple DEP portal ("Disowned Device") and from the JSS (removed from Pre-Stage). The device no longer shows up in any of our systems, but the new owner of the device constantly received DEP notifications that the device needs to be enrolled.

So perhaps we're missing something?

Lucky for us, our device in question is still within the company, so it's easy for us to work with.

But the issue certainly is persistent and annoying!

Any thoughts?

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

mcooper
New Contributor III

@cainhorr Have you tried wiping the device after removing it from DEP? I would imagine the computer would think it was still associated with DEP until it was wiped and went through its setup again.

Maxuden1975
New Contributor

Well, I had the same issue but solved it so quickly. Just buy a repair service from someone to change the serial number on the machine and your pop-up messages will go away. It's a hassle going to the vendor or the original owners since they won't have the time to help you. Also, Apple doesn't care; they simply say talk to the seller or return the item.

jwolf9
New Contributor

I just bought a new MacBook from someone off Craigslist; the MacBook was brand new and sealed. Opened and set up the MBP and it's constantly throwing DEP notifications to me. Tried calling the company but I keep getting told there is no IT department. Has anyone had success removing their device from a company's DEP / removing the daily notifications for DEP enrollment?

patgmac
Contributor III

@jwolf9 No. Only the original owner can. You most definitely bought a stolen machine. It's not likely anyone would sell new Macs that were enrolled in DEP.

Dan1987
New Contributor III

Hey,
With my experience, once the device is disowned through apple business manager and then also refreshed in Jamf Pro a reinstall is needed to remove that prompt.
I think jamf explained that it saves a file on the machine somewhere from memory but that was years ago ha
Good luck

Kautz
New Contributor II

I refurbish e-waste and tech surplus, I get dep stuff often and sometimes it's not possible to achieve un-enrollment. What you do to disable the popup is delete the folder /var/db/configurationprofiles and delete mdm and Managed (stars and capital letters important) from /system/library/launchagents and launchdaemons.

alalphonso
New Contributor

@Kautz

"I refurbish e-waste and tech surplus, I get dep stuff often and sometimes it's not possible to achieve un-enrollment. What you do to disable the popup is delete the folder /var/db/configurationprofiles and delete mdm and Managed (stars and capital letters important) from /system/library/launchagents and launchdaemons."

Does that process simply turn off the pop-up and leave me vulnerable to the old company / owner? I bought a logic board recently and this is happening to me and I'm going to try your method. But I just wanted to know: will this fix it or will this just stop the pop-up?

Thanks!

cpresnall
Contributor

Above steps will stop the pop-up but do not address the binary. Device will still be re-enrolled if you restore the OS and the process starts again.

jasoncw
New Contributor

Any way you can share how to do this removal to a basic user? I can't seem to find the folder to remove.

Thanks!

"I refurbish e-waste and tech surplus, I get dep stuff often and sometimes it's not possible to achieve un-enrollment. What you do to disable the popup is delete the folder /var/db/configurationprofiles and delete mdm and Managed (stars and capital letters important) from /system/library/launchagents and launchdaemons."

jasoncw
New Contributor

Any way you can explain how to do this removal of folders and files to a basic user? I can't seem to find them when I look in the system folder.

"delete the folder /var/db/configurationprofiles and delete mdm and Managed (stars and capital letters important) from /system/library/launchagents and launchdaemons."

jasoncw
New Contributor

Where do I find the folder /var/db/configurationprofiles. I am a basic user, no coding experience.

CasperAdminNet
New Contributor

Ok, not sure if you still require this but here goes...

The "check-in" to ABM (Apple Business Manager) ONLY happens at the setup stage, which means the following holds true:
1) If you install a new OS from Apple and disable your internet at the setup stage, nothing will get installed.
2) You could also use a USB installer with the internet disabled and that will keep the MDM from installing.

Last but not least, you can go the hacker way to ensure it never happens again.
1) Set up a Launch Agent or Daemon with a script which runs all the time in the background (every 5 minutes - recommended) and does the following:

i. Checks for any installed profiles (use "man profiles" to see your options in the terminal manual)
ii. Do a grep for "MDM Profile" or "MDM"; it is the standard name for all management profiles
iii. Grab the UUID of the profiles with MDM in the name, I think the label is -u in terminal
iv. Then gut the life out of it with - sudo profiles -R {UUID}

You will need to be handy with command line to get it to work but it is possible, I did some profile coding a long time ago.

If you are still struggling, let me know and I'll put up some code on this thread.

Cheers

K_Norus
New Contributor

@CasperAdminNet I would really appreciate some help in what you've outlined above with the DEP / MDM. I am not very technically inclined but, I can do basic things like launch terminal, paste in code etc...anything a monkey can do! Would it be at all possible for you to share step by step?

And more importantly, if I am ok with the pop-ups, is my Mac being enrolled in some organisation's DEP DB an issue? Issue meaning, can they wipe my HDD? Can they read/download/manipulate my files, data etc? Will Apple block the Mac serial from the App Store etc?
Thanks in advance!

Tribruin
Valued Contributor II

@K.Norus If I might ask, where did this computer come from? If your computer is attempting to enroll in a corporation's MDM, then that company still thinks they own it. If they no longer have possession of it and have willingly discarded it, they should have taken the steps to remove it from their MDM and retire it from their DEP portal before giving up possession. I would reach out to the company you obtained this computer from and discuss with them.

aalamerican
New Contributor

My experience is very different than the above thread. Everyone discusses as if stolen or other nefarious activity. I ordered and paid for my MacBook at the Apple store. My wife's company has a 5% discount offered for all Apple products. Apple said great and they applied the 5% discount under her company name. And I am stuck with this stupid pop up that even Apple at the store cannot rid. My wife's company says they have no idea what it is and they are glad to help, but simply are not able. So...now what? It is super annoying. Is it worth 5%? No.

Tribruin
Valued Contributor II

@aalamerican It sounds like when the Apple Store sold you the computer, they actually sold it under your wife's company's account. So what happened is that the serial number that was sold was associated with the company's account, uploaded into their Apple Business Manager account, and then associated with the company MDM. To get rid of this, the company needs to log in to their Apple Business Manager account and "Release" the serial number from their ABM. I would also recommend that you restore the MacBook to a factory O/S and set it up again. Somebody on the IT team should have access to the company ABM account. You might just need to find the right person (likely not a first level help desk person). They should also delete any record that may exist in their MDM.

Otherwise, I would recommend you return the computer to the store where you purchased it and purchase a new one under a personal account and not a business account.

Good luck.

MLBZ521
Contributor III

I'm going to try to address many historical and current questions on this topic below...

If a device is in a company's ABM/ASM (DEP) account that means it was purchased and assigned to an institutional (company) account at Apple. If you have a device that is popping up a message like this, then it was registered as an institutional purchase.

Apple will not remove a device from a company's account as they do not know if it was stolen. This is the responsibility of the original owner of the device. This is just like Activation Lock or signing into iCloud on an iPhone (to prevent its use if it's been stolen).

So the first thought is a device was stolen if you are getting this pop up. If it's not, you should contact the company that sold it. (Maybe it was an oversight as one person mentioned.) Companies that have ABM/ASM accounts are Legally Obligated to release devices from their ABM/ASM accounts that they no longer own, per the terms and conditions of the program. I do know my own organization fails to properly address devices like this and I strive to educate our techs on this, but unfortunately, most do not understand the impact or even the stress of using Automated Device Enrollment (DEP) in the first place. Also, just because a device is new in box, does not mean the device is not stolen.

For the suggestion to pay for a service to re-program the Serial Number, this is an illegal service not condoned or supported by Apple. (If the device was under warranty, it would likely be voided.) The suppliers of this type of service are supporting the theft of devices, whether directly or indirectly, as that is the only reason to re-program a serial number. When another serial number is programmed in, you now have the serial number of another device somewhere in the world, which could cause issues in and of itself. Going forward with new hardware releases (as announced at WWDC 2020) this type of service (re-programming serial numbers) will be much harder as the serial number will be completely unique and no longer be able to identify the device. So you won't be able to simply change a single value and it be valid.

Yes, there are ways to "remove" the notification from a Mac itself, but those are likely temporary. The next time the Mac connects to Apple's activation servers, it will pop up again. You can never remove it from ABM/ASM, only the institution can do that.

Yes, you can not connect to the internet during the setup of the device, but again, this is likely only temporary. The device will eventually check-in with Apple's activation server, and the message will pop up.

If you cannot find enough suitable information after reviewing the MDM Profile that the notification wants to install, you can run the command, which should give information on the organization that the device is registered to:

sudo profiles show -type enrollment

For the comments that mention that the device was removed (released) from the ABM/ASM (DEP) account, but the device is popping up the notification, this is normal/expected at this time. When the device checks in to Apple's activation servers, it downloads its activation record and saves it to disk (see above command -- this is the same content saved to disk). The device doesn't check-in again to see if the record is "gone" -- that's not an expected scenario that Apple would bother programming for. You have two options: wipe and reinstall (strong and dumb approach) or delete the files that store this information. The files are stored in a SIP protected directory in modern versions of macOS, but you can reboot into the Recovery Volume and delete the files. This command will work from recovery to delete the related files:

rm "/Volumes/Macintosh HD/var/db/ConfigurationProfiles/Settings/".cloudConfig*

For those that have legit purchases... Seeing this message/notification does not mean the device is enrolled and no, the organization cannot access your files/device. But if it has been enrolled, then yes, they can take over, view, and lock your device as well as apply configurations, restrictions, requirements, etc.

For the instructions above about removing profiles, etc. That is not possible once the MDM Profile is installed if the organization required the MDM Profile to be installed (in other words, configured the Profile to not allow un-enrollment), which is a requirement (no longer an option to configure) going forward with macOS Catalina 10.15 and newer.

Finally, @aalamerican, we've seen similar scenarios with our primary vendor or even phone carrier stores. Staff will say they're an employee with our organization to receive a discount and the vendor will incorrectly add the device to our company's ABM/ASM account. Then the device will attempt to enroll. You should be able to go back to that store, explain the situation, provide your paid receipt, and they should be able to remove it. (Besides the "purchasing institution" only the originally selling vendor can/will remove a device from ADE/DEP.) My recommendation, if what you're telling the normal Joe/Jane you speak with in the store is flying over their head, ask to speak with someone from the business team in the store. The business team should understand ADE/DEP to some degree and at least be able to discuss the topic (where a normal employee likely only ever deals with consumer sales which this will never touch).

Hope this information helps someone.

Bravo4
New Contributor

This didn't work for me. 

Kautz
New Contributor II
Assuming your hard drive is labeled "Macintosh HD", this is how you disable
the mdm popup:

Boot to Recovery Mode by holding command-R during restart and continue with
Main procedure

Main procedure
Open Utilities → Terminal and type
$ csrutil disable
$ reboot
Hold command-R during the reboot to enter Recovery Mode again

Enter Disk Utility, and mount the Macintosh HD volume (or whatever your
main volume is named). (It might already be mounted.)

Exit Disk Utility, open Utilities → Terminal, and type

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts
$ csrutil enable
$ reboot

---------------------------------------------------------------

Then you also have to delete the existing MDM profile info from
/var/db/configurationprofiles/settings/
/var/db/configurationprofiles/store/

The files may be hidden so you won't see them unless you use "ls -a".
Remove the files from /settings/ with: rm .* and remove the
files from /store/ with: rm *

csrutil enable
reboot
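
An added example, not part of the original post: for anyone auditing a Mac they manage or have received, the hosts entries listed above are easy to detect. This sketch scans a hosts file for active entries that override the four Apple hostnames named in the post; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a hosts file for entries that override the Apple
# enrollment hostnames named in the post above. Read-only check.

ENROLL_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# find_enrollment_overrides FILE
# Prints "line:address:hostname" for every active (uncommented) entry that
# maps one of ENROLL_HOSTS. Returns 0 if any were found, 1 if none,
# 2 if the file cannot be read.
find_enrollment_overrides() {
    file=$1
    [ -r "$file" ] || return 2
    awk -v names="$ENROLL_HOSTS" '
        BEGIN {
            n = split(names, list, " ")
            for (i = 1; i <= n; i++) want[list[i]] = 1
        }
        {
            gsub(/\r/, "")          # tolerate CRLF line endings
            sub(/#.*/, "")          # ignore comments, including trailing ones
            if (NF < 2) next        # need an address plus at least one name
            for (i = 2; i <= NF; i++) {
                h = tolower($i)     # hostnames are case-insensitive
                sub(/\.$/, "", h)   # strip a trailing root dot
                if (h in want) { print NR ":" $1 ":" h; found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# write_sample_hosts FILE
# Writes a constructed sample hosts file (not taken from a real machine).
write_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
# 0.0.0.0 deviceenrollment.apple.com
127.0.0.1  GDMF.apple.com   # mixed case still matches
17.0.0.1 www.apple.com
EOF
}

# With a path argument, audit that file; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    find_enrollment_overrides "$1"
else
    sample=$(mktemp)
    write_sample_hosts "$sample"
    find_enrollment_overrides "$sample"
    rm -f "$sample"
fi
```

Run it with a path such as /etc/hosts; an exit status of 1 means none of the four names is overridden.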

Bravo4
New Contributor

Tried this. So far so good. Thanks!

chcxuyang
New Contributor

@MLBZ521 Thank you for your thorough explanation. But, I tried using your command to delete the related files but it showed "No such file or directory".

I purchased this MacBook Pro from an authorised Apple reseller and found out later that it is enrolled in DEP of a local University. I emailed the seller, and they managed to remove the DEP enrolment according to their response. But, the annoying prompt still shows from time to time. I am not sure if it's the issue at Apple's end or the seller did not actually remove the enrolment.

MLBZ521
Contributor III

@chcxuyang Once a device gets its activation record, it doesn't go away on its own. Even if it was removed from Apple's side. You can try running: sudo profiles renew -type enrollment

If that clears the record, then you're good. You can verify with this command: sudo profiles show -type enrollment

If a dictionary of info is returned, it didn't work, however, if it returns empty {} then you're good. If not, you have to delete the files (or nuke and pave, aka wipe the drive, which is drastic).

Verify you have typed the path correctly. You can try using tab completion, that may help.

What OS version are you running? To be honest, I have only tested this on macOS 10.15 Catalina and maybe macOS 10.14 Mojave, but not sure on the latter.

chcxuyang
New Contributor

@MLBZ521 I am running macOS Mojave 10.14.6.

I tried sudo profiles renew -type enrollment, and it still returned the Device Enrollment notification. sudo profiles show -type enrollment does the same. Does it mean that this device is still under the organization's DEP account?

I did manage to delete the related files using your command this time. I hope that the notification won't show up periodically anymore. But, my understanding is that this method does not solve the problem once and for all, and I will have to type the command every time I re-install macOS? (I re-install the system very often)

MLBZ521
Contributor III

@chcxuyang If the device was properly released/removed by the vendor, it shouldn't happen again. Only the selling vendor can add the device to an organization's Apple Business (or School) Manager account, not even Apple can do this (unless they sell the device).

Once you delete those files, you should be able to run sudo profiles renew -type enrollment again and if it returns empty {} then you're good. You shouldn't receive that notification again.

If you run cat "/Volumes/Macintosh HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound" you should see very similar output as the sudo profiles show -type enrollment command, except that it is in a plist format.

The renew command grabs the information, and saves it to a file (.cloudConfigRecordFound ) on the disk. This is what causes your machine to prompt to enroll, even after it was removed from ABM/ASM, because the information is cached locally on the drive.

gnf
New Contributor

I attempted the: sudo profiles show -type enrollment

as suggested, though what I got was a prompt for a "password" and a key icon. Did this via terminal. Is this correct? Or is there a different command prompt that I should be doing this from?

MLBZ521
Contributor III

@gnf Any statement that starts with sudo requires Super User (aka administrative) privileges. So, you'll need to be running with an account that has admin privileges and enter that user's password.

LAJAAMS2020
New Contributor

@CasperAdminNet - I would love to see the code to this if you can -
@https://www.jamf.com/jamf-nation/discussions/17517/remove-my-laptop-from-device-enrollment-program-prompt

I've seen the code here:
(https://apple.stackexchange.com/questions/311052/why-do-i-get-a-remote-management-step-when-installing-high-sierra)

For me it doesn't work... maybe because I'm trying to install a fresh OS from Recovery and not from a USB install. What are your thoughts?