Category filter
How to lock MDM profile on Mac devices?
Automatic device enrollment through Apple DEP allows organizations to enroll Apple devices in an MDM solution automatically. The configuration profile associated with the macOS devices during DEP enrollment allows configurations to be deployed right out of the box. Thus, ongoing device management is possible only as long as the MDM profile remains locked on the device. If a user removes the MDM profile from the device manually, administrators will not be able to manage it. You can lock the MDM profile onto the device by making it non-removable, thereby prevent end-users from disabling the MDM profile on the Mac devices.
MDM profile removal can be prevented only on macOS devices enrolled via Apple DEP in Hexnode.
Prevent MDM profile removal on Mac devices
To prevent users from removing the MDM profile, enroll the devices via Apple DEP. On the DEP policy (Admin > Apple Business/School Manager > Apple DEP > DEP Configuration Profiles), uncheck the option “Allow MDM profile removal”. Disabling this option locks the MDM profile onto the device and the users will not be able to manually remove the MDM profile from the device. Associating this DEP policy with the enrolling devices installs a non-removable MDM profile on the device.
- On your Hexnode MDM portal, navigate to Admin > Apple Business/School Manager > Apple DEP.
- Select DEP Configuration Profiles > Configure DEP Profile.
- Disable the option Allow MDM Profile Removal.
- Click Save.
Selecting this profile as the Default Policy while configuring the DEP account associated with your devices will prevent MDM profile removal.
What happens at the device end?
Users can find the option to remove MDM profiles under System Preferences > Profiles, where clicking on the ‘ – ‘ button will remove the selected profile. When this policy is deployed, this button will be disabled and the user will be blocked from removing the MDM profile.
