How to lock MDM profile on Mac devices?
Automatic device enrollment through Apple DEP allows organizations to enroll Apple devices in an MDM solution automatically. The configuration profile associated with macOS devices during DEP enrollment allows configurations to be deployed right out of the box. Device management is possible only if the MDM profile remains locked on the device: if a user removes the MDM profile manually, administrators will no longer be able to manage it. You can lock the MDM profile onto the device by making it non-removable, thereby preventing end-users from disabling the MDM profile on macOS devices.
Prevent MDM profile removal on Mac devices
To prevent users from removing the MDM profile, enroll the devices via Apple DEP. On the DEP policy (Admin > Apple Business/School Manager > Apple DEP > DEP Configuration Profiles), uncheck the “Allow MDM profile removal” option. Disabling this option locks the MDM profile onto the device and the users will not be able to manually remove it from the device. Associating this DEP policy with the enrolling devices installs a non-removable MDM profile on them.
- On your Hexnode UEM portal, navigate to Admin > Apple Business/School Manager > Apple DEP.
- Select DEP Configuration Profiles > Configure DEP Profile.
- Disable the Allow MDM Profile Removal option.
- Click Save.
Selecting this profile as the Default Policy while configuring the DEP account associated with your devices will prevent the MDM profile removal.
What happens at the device end?
Users can find the option to remove MDM profiles under System Preferences > Profiles, where clicking the ‘–’ button removes the selected profile. When this policy is deployed, this button is disabled, and the user is blocked from removing the MDM profile.
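The two checks an administrator wants after following the steps above are (a) that every DEP profile definition actually has MDM removal disabled and (b) that an enrolled Mac reports DEP and MDM enrollment. The following is an added example, not Hexnode's code: it assumes the DEP profile bodies mirror the JSON an MDM server submits to Apple's DEP profile endpoint, whose boolean `is_mdm_removable` defaults to true when omitted, and it parses constructed sample output in the format printed by `profiles status -type enrollment` on macOS.

```python
"""Audit DEP profile definitions and device-side enrollment status for a locked MDM profile."""
import json

# Constructed sample DEP profile definitions, as an MDM would submit them to Apple.
DEP_PROFILES = [
    {"profile_name": "Corporate Macs", "url": "https://mdm.example.test/dep",
     "is_supervised": True, "is_mdm_removable": False},
    {"profile_name": "Legacy pilot", "url": "https://mdm.example.test/dep",
     "is_supervised": True, "is_mdm_removable": True},
    {"profile_name": "Lab loaners", "url": "https://mdm.example.test/dep",
     "is_supervised": False},  # key omitted: Apple's default is removable
]

# Constructed sample of `profiles status -type enrollment` output on a locked Mac.
SAMPLE_STATUS = """Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
"""


def mdm_removable(profile: dict) -> bool:
    """True if users could remove the MDM profile installed by this DEP profile.
    A missing key counts as removable, because that is the Apple default."""
    return bool(profile.get("is_mdm_removable", True))


def audit(profiles: list) -> list:
    """Names of DEP profiles that would install a removable (weak) MDM profile."""
    return [p["profile_name"] for p in profiles if mdm_removable(p)]


def harden(profile: dict) -> dict:
    """Copy of the profile with the MDM profile locked (is_mdm_removable = false)."""
    fixed = dict(profile)
    fixed["is_mdm_removable"] = False
    return fixed


def parse_enrollment_status(text: str) -> dict:
    """Parse the 'Enrolled via DEP' and 'MDM enrollment' lines into booleans."""
    result = {"dep": False, "mdm": False, "user_approved": False}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Enrolled via DEP":
            result["dep"] = value.startswith("Yes")
        elif key == "MDM enrollment":
            result["mdm"] = value.startswith("Yes")
            result["user_approved"] = "User Approved" in value
    return result


if __name__ == "__main__":
    print("removable MDM profile in:", audit(DEP_PROFILES))
    print(json.dumps(harden(DEP_PROFILES[2]), indent=2))
    print(parse_enrollment_status(SAMPLE_STATUS))
```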