Reply To: Block removal of Hexnode profile from Mac devices

#11208
Robert Smith
Keymaster

Hi Basel,

Hope you are doing well.

The “Hexnode MDM” profile, which can be seen in the screenshot shared in your comment, would be the main configuration profile with which Hexnode is able to control the device. Removing this from the device would be equivalent to disenrolling the device, and hence all configurations that were set on the device would be removed as well. After this has been removed, there would no longer be any communication between the device and the portal. Therefore, features like lock device, wipe, scan device location, etc. would not work if the device was stolen and the MDM profile removed.

Please note that the option to set a password from macOS > Restrictions is applicable only to the various policy configurations that you have set on the device and not to the “Hexnode MDM” profile. This option would help prevent users from removing only the policy profiles; however, the removal of the Hexnode MDM profile will not be prevented by making use of this restriction.
In order to make this unremovable, you would have to enroll the devices via the Apple Device Enrollment Program. Please note that this would require you to have an ABM account, and your Mac devices should be purchased directly from Apple or from authorized resellers. Doing this would enable you to ensure that you are able to identify the device as a corporate-owned device.
Devices not enrolled via DEP are considered personal devices and hence the profile would be removable. This flow has been set by Apple’s MDM protocol.

If you are unable to get your devices enrolled via DEP, you could use a workaround by blacklisting the System Preferences app on your Mac devices from Policy > macOS > Blacklist/Whitelist. However, this would prevent your users from accessing the settings on the device as a whole.
On an added note, in the later macOS versions (10.15 and later), only the “Hexnode MDM” profile can be removed from the device, while the others would be greyed out by default. This was a step taken by Apple to secure the profile installation on the devices.

Please do let us know if you need any further assistance.

 

Cheers,

Bob Smith

Hexnode MDM