Disable DEP on macOS Big Sur & Monterey

With full reinstall (recommended)

  1. Boot into recovery using ⌘R during reboot, wipe the hard drive using Disk Utility, and select reinstall macOS

  2. Initial installation will run for approximately 1 hour, and reboot once

  3. It will then show a remaining time of about 10-15 minutes

  4. When it reboots again, be sure to press ⌘R to boot into recovery and continue with Main procedure

Without full reinstall

Boot to Recovery Mode by holding ⌘R during restart and continue with Main procedure.

Main procedure

  1. Disable SIP (System Integrity Protection), then reboot

     Open Utilities → Terminal and type:

     $ csrutil disable
     $ reboot

  2. Hold ⌘R during the reboot to enter Recovery Mode again

  3. Enter Disk Utility, unmount and remount the Macintosh HD volume (or whatever your main volume is named) to make it writable (it is mounted read-only in Recovery Mode by default).

  4. Disable Signed System Volume, otherwise all the changes will be lost after a reboot

     Exit Disk Utility, open Utilities → Terminal, and type:

     $ csrutil authenticated-root disable

  5. Back up and remove MDM-related launch daemons and agents

     $ cd "/Volume/Macintosh HD/System/Library"
     $ mkdir LaunchDaemons.disabled LaunchAgents.disabled
     $ mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
     $ mv LaunchDaemons/com.apple.mdm* LaunchDaemons.disabled/
     $ mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/
     $ mv LaunchAgents/com.apple.mdm* LaunchAgents.disabled/

  6. Blacklist MDM- and DEP-related domains

     $ cd ../../etc
     $ echo "0.0.0.0 iprofiles.apple.com" >> hosts
     $ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
     $ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
     $ echo "0.0.0.0 gdmf.apple.com" >> hosts

     The etc folder might be missing in a fresh installation; if so, create it with mkdir etc.

  7. Take a new snapshot of the modified /System volume, otherwise you won't be able to boot.

     $ bless --folder "/Volume/Macintosh HD/System/Library/CoreServices" --bootefi --create-snapshot

  8. Re-enable SIP (optional), then reboot normally

     $ csrutil enable
     $ reboot

  9. If you come to the “Choose your country/location” dialogue, make sure not to select a wireless network, but “continue without an internet connection”

  10. After a normal boot, you can verify the DEP status in Terminal:

     $ profiles status -type enrollment
     Enrolled via DEP: No
     MDM enrollment: No
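
Seen from the fleet owner's side, the main procedure leaves two artifacts on the volume: hosts entries for the four enrollment hostnames, and the `*.disabled` directories holding the moved plists. The read-only check below is an added example, not part of the original gist; the function names, finding labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): read-only triage of a macOS volume root
# for the artifacts the main procedure leaves behind.

# Hostnames the procedure null-routes in etc/hosts.
MDM_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# Report hosts entries that pin an enrollment hostname to any address.
check_hosts() {
    [ -f "$1/etc/hosts" ] || return 0
    awk -v want="$MDM_HOSTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) mdm[w[i]] = 1 }
        { sub(/#.*/, "") }                      # ignore comments
        { for (i = 2; i <= NF; i++) { h = tolower($i)
              if (h in mdm) print "hosts-override " h " " $1 } }
    ' "$1/etc/hosts"
}

# Report the "*.disabled" sibling directories and any MDM plists parked in them.
check_launchd() {
    for kind in LaunchDaemons LaunchAgents; do
        dir="$1/System/Library/$kind.disabled"
        if [ -d "$dir" ]; then echo "parked-dir $kind.disabled"; fi
        for f in "$dir"/com.apple.ManagedClient* "$dir"/com.apple.mdm*; do
            if [ -e "$f" ]; then echo "parked-plist $kind.disabled/${f##*/}"; fi
        done
    done
}

# Print one finding per line for the volume rooted at $1 (empty = live system).
scan_volume() {
    check_hosts "${1:-}"
    check_launchd "${1:-}"
}

# Constructed sample tree (not real data) so the script runs on any host.
make_sample() {
    mkdir -p "$1/etc" "$1/System/Library/LaunchDaemons.disabled"
    printf '%s\n' '127.0.0.1 localhost' \
        '0.0.0.0 mdmenrollment.apple.com' \
        '# 0.0.0.0 gdmf.apple.com' > "$1/etc/hosts"
    : > "$1/System/Library/LaunchDaemons.disabled/com.apple.mdmclient.daemon.plist"
}

sample=$(mktemp -d)
make_sample "$sample"
scan_volume "$sample"
rm -rf "$sample"
```

No output means none of these artifacts were found; on a running system, `profiles status -type enrollment` from the last step remains the direct check of enrollment state.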