
How to lock MDM profile on Mac devices?

Automatic device enrollment through Apple DEP allows organizations to enroll Apple devices in an MDM solution automatically. The configuration profile associated with the macOS devices during DEP enrollment allows configurations to be deployed right out of the box. However, ongoing device management is possible only as long as the MDM profile remains on the device. If a user manually removes the MDM profile, administrators will no longer be able to manage the device. You can lock the MDM profile onto the device by making it non-removable, thereby preventing end users from removing the MDM profile from their Mac devices.


MDM profile removal can be prevented only on macOS devices enrolled via Apple DEP in Hexnode.

Prevent MDM profile removal on Mac devices

To prevent users from removing the MDM profile, enroll the devices via Apple DEP. On the DEP policy (Admin > Apple Business/School Manager > Apple DEP > DEP Configuration Profiles), uncheck the option “Allow MDM profile removal”. Disabling this option locks the MDM profile onto the device and the users will not be able to manually remove the MDM profile from the device. Associating this DEP policy with the enrolling devices installs a non-removable MDM profile on the device.

  1. On your Hexnode MDM portal, navigate to Admin > Apple Business/School Manager > Apple DEP.
  2. Select DEP Configuration Profiles > Configure DEP Profile.
  3. Disable the option Allow MDM Profile Removal.
  4. Click Save.


Selecting this profile as the Default Policy while configuring the DEP account associated with your devices will prevent MDM profile removal.

What happens at the device end?

Users can find the option to remove MDM profiles under System Preferences > Profiles, where clicking the ‘-’ button removes the selected profile. When this policy is deployed, this button is disabled and the user is blocked from removing the MDM profile.
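
To confirm from the device side that the lock took effect, an administrator can check the enrollment state from Terminal. The script below is an added example, not part of Hexnode's documentation; it assumes the text format printed by macOS's `profiles status -type enrollment` and `profiles show -type enrollment` (including the `IsMDMUnremovable` key), and the sample output in it is constructed.

```shell
#!/bin/sh
# Classify a Mac from the combined text of:
#   profiles status -type enrollment
#   profiles show -type enrollment      (needs root)
# Reads that text on stdin and prints one of:
#   locked     enrolled via DEP, MDM profile marked non-removable
#   removable  enrolled via DEP, but the DEP profile allows removal
#   unknown    enrolled via DEP, DEP profile not readable (not root?)
#   not-dep    not enrolled via DEP, so the lock cannot apply
mdm_lock_state() {
    awk '
        /^Enrolled via DEP:/ { dep = ($4 == "Yes") }
        /IsMDMUnremovable[ \t]*=/ {
            seen = 1
            gsub(/[^01]/, "", $3)      # "1;" -> "1"
            locked = ($3 == "1")
        }
        END {
            if (!dep)        print "not-dep"
            else if (!seen)  print "unknown"
            else if (locked) print "locked"
            else             print "removable"
        }'
}

# Constructed sample output (not captured from a real device).
SAMPLE_LOCKED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
Device Enrollment configuration:
{
    IsMDMUnremovable = 1;
    IsSupervised = 1;
}'

if command -v profiles >/dev/null 2>&1; then
    # On a Mac: query the live enrollment state.
    { profiles status -type enrollment
      profiles show -type enrollment; } 2>&1 | mdm_lock_state
else
    # Elsewhere: demonstrate on the constructed sample.
    printf '%s\n' "$SAMPLE_LOCKED" | mdm_lock_state
fi
```

A result of `removable` on a DEP-enrolled Mac means the device received a DEP profile with “Allow MDM profile removal” still enabled.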