I have a couple of supervised MacBooks enrolled through Apple Business Manager and managed in Hexnode. The enrollment profile has “Is MDM Removable” disabled.
Can MDM-managed Activation Lock be enabled on these Macs if they are using Managed Apple IDs and Find My Mac is not available/enabled? Also, does disabling “Is MDM Removable” stop a user from wiping the Mac and setting it up later as their own unmanaged computer?
9 Views
Hexnode cannot enable MDM-managed Activation Lock on a Mac if Find My Mac is turned off or unavailable.
On macOS, Activation Lock depends on Apple’s Find My framework and supported hardware, such as Apple silicon or an Intel Mac with the Apple T2 Security Chip. If Find My is not available for the Apple ID being used, MDM-managed Activation Lock cannot be enforced.
For Managed Apple IDs created through Apple Business Manager, Find My capabilities are typically disabled by default. The organization must explicitly enable Find My access for Managed Apple IDs in Apple Business Manager for this to be available.
Regarding the “Is MDM Removable” setting:
– Disabling “Is MDM Removable” prevents users from manually removing the Hexnode MDM profile from System Settings > Privacy & Security > Profiles.
– It does not prevent the Mac from being wiped or factory reset.
– If the Mac remains assigned to Hexnode through Apple Business / Automated Device Enrollment, it will be enrolled back into Hexnode during Setup Assistant after the wipe.
So, while users may still be able to erase the Mac, they should not be able to set it up as an unmanaged personal device as long as the device remains assigned to your MDM server in Apple Business.
Regards,
Mary Romero
Don't have an account? Sign up
What's new 
