Devices leaves remote management despite disabling MDM profile removal

expand collapsive

Hi there, question: is there a reason why my DEP policy changes are not taking effect. For example: Allow MDM Profile Removal is unchecked, but my phone lets me ‘Leave Remote Management’

All Replies

  • Hexnode

    Grace Baker


    Hey, Thanks for posting the query.

    When the iOS devices are added to DEP via Apple Configurator, the user would be able to remove the device from device settings in the first 30 days irrespective of whether you have disabled the ‘Allow MDM Profile Removal’ or not. After the completions of the period of 30 days, the MDM profile will be non-removable.

    Please use the help link for more info on this.

    Grace Baker
    Hexnode MDM

  • Hello Fermin,

    Thank you for reaching out to us.

    Enable the option, “Enroll devices in MDM” when you are configuring your DEP Profile in Hexnode. This will prevent users from skipping the step of enrolling in Hexnode. However, this is not a foolproof method. If you have added the device to DEP using Apple Configurator, your employees can leave Remote Management after enrolling in Hexnode by going to General > Device Management on the device end. The option “Leave Remote Management” is provided by Apple to let users remove devices that were not intended to be added in DEP. There is a grace period of 30 days during which the user can make use of this option. Once the grace period is completed, the option disappears. Note that this grace period is only applicable to devices that are added to DEP using Apple Configurator. Start adding devices directly to DEP if you want to do away with the grace period. Refer to our help doc to know how to make MDM profile non-removable.

    Deborah Timothy
    Hexnode UEM