Disable Device Enrollment Program (DEP) notification on macOS Catalina.md

With full reinstall (recommended)

   a. Boot into recovery using command-R during reboot, wipe the hard drive using Disk Utility, and select reinstall macOS

   b. Initial installation will run for approximately 1 hour, and reboot once

   c. It will then show a remaining time of about 10-15 minutes

   d. When it reboots again, be sure to press command-R to boot into recovery and continue with Main procedure

Without full reinstall

Boot to Recovery Mode by holding command-R during restart and continue with Main procedure

Main procedure

  1. Open Utilities → Terminal and type

$ csrutil disable
$ reboot

  2. Hold command-R during the reboot to enter Recovery Mode again

  3. Enter Disk Utility, and mount the Macintosh HD volume (or whatever your main volume is named). (It might already be mounted.)

  4. Exit Disk Utility, open Utilities → Terminal, and type

$ cd "/Volumes/Macintosh HD/System/Library"
$ mkdir LaunchDaemons.disabled LaunchAgents.disabled
$ mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
$ mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts
$ csrutil enable
$ reboot

  5. If you come to the “Choose your country/location” dialogue, make sure to not select a wireless network, but “continue without an internet connection”

  6. After a normal boot, you can verify the DEP status in Terminal:

$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
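
For fleet administrators and incident responders, the two changes this procedure makes (relocated `com.apple.ManagedClient*` launchd plists and hosts-file overrides for the enrollment hostnames) are straightforward to audit on a mounted volume. The following is an added example, not part of the original gist; the function names, report format and sample volume are constructed for illustration, and the plist locations are assumed to be those shown on this page for Catalina.

```shell
#!/bin/sh
# Added example (not from the gist): audit a mounted macOS volume for the
# changes described above. Hostnames and the com.apple.ManagedClient* prefix
# come from this page; function names and report format are constructed.

ENROLL_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com albert.apple.com"

# Print "hosts-override <name> <addr>" for each active hosts entry that pins an
# enrollment hostname to an unroutable or loopback address.
audit_hosts() {
    hosts_file=$1
    [ -r "$hosts_file" ] || return 0
    # Drop comments first so commented-out entries are not reported.
    sed 's/#.*//' "$hosts_file" | while read -r addr names || [ -n "$addr" ]; do
        case $addr in
            0.0.0.0|127.*|::|::1) ;;
            *) continue ;;
        esac
        for name in $names; do          # a hosts line may list several aliases
            lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
            for want in $ENROLL_HOSTS; do
                if [ "$lname" = "$want" ]; then
                    echo "hosts-override $want $addr"
                fi
            done
        done
    done
    return 0
}

# Check <volume>/System/Library and print:
#   "missing-plists <dir>"  no com.apple.ManagedClient* job left in LaunchDaemons/LaunchAgents
#   "relocated <path>"      such a plist found in a sibling dir (e.g. LaunchDaemons.disabled)
audit_launchd() {
    vol=${1%/}
    lib=$vol/System/Library
    for kind in LaunchDaemons LaunchAgents; do
        in_place=0
        for f in "$lib/$kind"/com.apple.ManagedClient*; do
            if [ -e "$f" ]; then in_place=1; fi
        done
        if [ "$in_place" -eq 0 ]; then echo "missing-plists $kind"; fi
        # Any directory whose name merely starts with LaunchDaemons/LaunchAgents.
        for f in "$lib/$kind"?*/com.apple.ManagedClient*; do
            if [ -e "$f" ]; then
                rel=${f#"$vol"}
                echo "relocated $rel"
            fi
        done
    done
    return 0
}

# Run both checks against a volume root; prints findings and returns 1 if any.
audit_volume() {
    root=${1%/}
    findings=$(audit_hosts "$root/etc/hosts"; audit_launchd "$root")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Build a constructed sample volume (not real system data): clean or tampered.
make_sample_volume() {
    sv=$1; state=$2
    d=$sv/System/Library
    mkdir -p "$sv/etc" "$d/LaunchDaemons" "$d/LaunchAgents"
    printf '127.0.0.1 localhost\n' > "$sv/etc/hosts"
    if [ "$state" = tampered ]; then
        mkdir -p "$d/LaunchDaemons.disabled" "$d/LaunchAgents.disabled"
        : > "$d/LaunchDaemons.disabled/com.apple.ManagedClient.enroll.plist"
        : > "$d/LaunchAgents.disabled/com.apple.ManagedClientAgent.enrollagent.plist"
        printf '0.0.0.0 iprofiles.apple.com\n0.0.0.0 mdmenrollment.apple.com\n' >> "$sv/etc/hosts"
        printf '#0.0.0.0 albert.apple.com\n' >> "$sv/etc/hosts"
    else
        : > "$d/LaunchDaemons/com.apple.ManagedClient.enroll.plist"
        : > "$d/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist"
    fi
}

# Demo on the constructed tampered volume.
demo_dir=$(mktemp -d)
make_sample_volume "$demo_dir/Macintosh HD" tampered
audit_volume "$demo_dir/Macintosh HD" || echo "=> volume flagged"
rm -rf "$demo_dir"
```

On a running system the volume argument is `/`; from Recovery it is the mounted volume path, such as `/Volumes/Macintosh HD`.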

@GilaSki GilaSki commented Dec 20, 2019

Thank you for this update! My DEP issue did not recur when updating to Catalina 10.15.2, but it's good to know that your update is here to use should I need it in the future. Thanks again.

@infovlad infovlad commented Dec 20, 2019

How to activate the Macintosh HD volume? I don't see any buttons.

Owner Author

@henrik242 henrik242 commented Dec 20, 2019

How to activate the Macintosh HD volume? I don't see any buttons.

Either right-click the volume, or use the Mount button on the top row

@weener123 weener123 commented Dec 20, 2019

Does this method no longer work? It seems to be holding up for me still.

Restart into recovery

csrutil disable

Restart into normal user mode

sudo mount -uw /
sudo mkdir /System/Library/LaunchAgentsDisabled
sudo mkdir /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchAgents/com.apple.ManagedClientAgent.agent.plist /System/Library/LaunchAgentsDisabled
sudo mv /System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist /System/Library/LaunchAgentsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist /System/Library/LaunchDaemonsDisabled

Restart back into recovery

Terminal:

csrutil enable

Restart into normal mode and work like normal.

@henrik242 henrik242 commented Dec 21, 2019

Does this method no longer work? It seems to be holding up for me still.

If it works for you, perfect!

@scr8tum scr8tum commented Dec 22, 2019

I'm confused as to how people are installing Catalina without a network. I'm under the impression that once you allow network access, the (MDM / DEP) sends out a 'prompt' back to Apple to say device is active, and that checks against a database. So in essence, you're telling Apple 'Hey, here I am - come and get me!'

Check out this info:
https://duo.com/labs/research/mdm-me-maybe

I'd love to get this to work, but some of the software I use needs network verification to load. Was hoping that I could disable the ping to Apple that says this MacBook is online, but according to this info above - it's not possible, and even worse in Catalina.

Other opinions ?

@henrik242 henrik242 commented Dec 22, 2019

I'm confused as to how people are installing Catalina without a network

@scr8tum Just execute the procedure above during the first (or second?) reboot during the networked Catalina install. Worked for me, at least.

@scr8tum scr8tum commented Dec 22, 2019

Right. Thanks for compiling this nicely!

if anyone is wondering :

| address | port | what |
| --- | --- | --- |
| albert.apple.com | 443 | OS X / iOS Activation Server |
| iprofiles.apple.com | 443 | DEP Enrollment Profile |
| mdmenrollment.apple.com | 443 | MDM / DEP |
| deviceenrollment.apple.com | 443 | DEP provisional enrollment |
| gdmf.apple.com | | iOS Software Lookup Service |

There's more info here:
https://support.apple.com/en-us/HT210060

MDM reference doc from apple:
https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf#//apple_ref/doc/uid/TP40017387-CH10-SW44

@chaim1221 chaim1221 commented Dec 24, 2019

Didn't see a whole lot of people saying thank you. So, thank you. Got a refurbished MBP that clearly came from Amazon at some point, and the notifications were constant.

@henrik242 henrik242 commented Dec 27, 2019

@chaim1221 NP :)

@freemansoul freemansoul commented Dec 30, 2019

Hi. I am a newbie so maybe I put a silly question....
I am wondering if I wipe the drive and proceed for a fresh install from USB without internet will take effect?
Thanks,

@henrik242 henrik242 commented Dec 30, 2019

@freemansoul Wipe and reinstall will not help if your mac's serial is registered in DEP. You still have to disable it.

@freemansoul freemansoul commented Dec 30, 2019

Many thanks.. one more thing..
Is it sufficient to write this line:

profiles status -type enrollment

to see the status of my device .. or it is not reliable?

@henrik242 henrik242 commented Dec 30, 2019

@freemansoul That looks sufficient. No guarantees that it won't change after a macOS update, though.

@freemansoul freemansoul commented Dec 31, 2019

I do not want to be a jerk but I still have a new question.
For now I am a beginner as mentioned above but I hope to learn how as soon as possible.
$ mount -uw /
$ cd "/Volumes/Macintosh HD/System/Library"
$ mkdir LaunchDaemons.disabled LaunchAgents.disabled
$ mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
$ mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/
$ cd ../../etc
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts
$ csrutil enable
To launch these multiple commands in the terminal, do I use one or two ampersands (& or &&) between them
or execute each command separately?
Thanks a lot for your help and I wish you..
A Happy New Year!

@henrik242 henrik242 commented Dec 31, 2019

@freemansoul Just follow the recipe and execute each command separately

@JohnEx123456 JohnEx123456 commented Jan 16, 2020

Thanks for all the great info, MDM still popping up for me however. The Mac pops up MDM screen on OS (High Sierra) reinstall/setup after OS downloaded. Tried the steps above but for me no good. The MDM screen continues to be next screen after wifi setup in OS install. Although now this screen gets an error, likely because the 'hosts' file change does not let it easily call home now. Despite moving the Daemons and Agent files to another location, I continue to see the MDM screen continue to load during install. I don't think I missed anything, I have checked (while in terminal mode) and the listed files are not in old folders and only in the new, so they did move. Any suggestions welcome.

Btw, the timing to press command+r is tricky. I keep missing and have to turn off again with shift+control+option. Is there a better way? The magic bar thingy does not seem to turn off the Mac to retry. ....yes newbie. Sorry.

@chaim1221 chaim1221 commented Jan 16, 2020

the timing to press command+r is tricky
All Mac startup shortcuts have to be pressed during POST (i.e., immediately, when the computer starts) and held until they are picked up. Make sure you get that down first. You should be at an OS install screen. Terminal is available through the menu options at the top.

MDM still popping up for me
The crux of this whole thing is disabling the daemon:

$ cd "/Volumes/Macintosh HD/System/Library"
$ mkdir LaunchDaemons.disabled LaunchAgents.disabled
$ mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
$ mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/

...if that's not working (check to see if the files are moved/restored/not moved/whatever) then you're not in SIP-disabled territory. Reboot, ⌘R, csrutil disable, reboot, try again. Also csrutil enable has to be run from recovery (the ⌘R thing again).

Try that and report back.

@macfan82 macfan82 commented Jan 17, 2020

all other commands work except
$ mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
$ mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/
says no such file exists

@chaim1221 chaim1221 commented Jan 17, 2020

ls "/Volumes/Macintosh HD/System/Library/LaunchDaemons.disabled/"
ls "/Volumes/Macintosh HD/System/Library/LaunchAgents.disabled/"

to see if they've already been copied. (If so, you may just be missing a reboot.)

or

ls "/Volumes/Macintosh HD/System/Library/LaunchDaemons/com.apple.ManagedClient"*
ls "/Volumes/Macintosh HD/System/Library/LaunchAgents/com.apple.ManagedClient"*

to see if they're still where they originally were (if so, you're probably a victim of SIP, Apple doesn't allow you to modify these files with csrutil enabled). Reboot, immediately hold ⌘R, Terminal as per above, csrutil disable, reboot, and try again.

If both locations are empty then you're probably on a different version of Mac OS X. If that's true you may want to have a gander at the old instructions.

@macfan82 macfan82 commented Jan 17, 2020

ls "/Volumes/Macintosh HD/System/Library/LaunchDaemons.disabled/"
ls "/Volumes/Macintosh HD/System/Library/LaunchAgents.disabled/"

to see if they've already been copied. (If so, you may just be missing a reboot.)

or

ls "/Volumes/Macintosh HD/System/Library/LaunchDaemons/com.apple.ManagedClient"*
ls "/Volumes/Macintosh HD/System/Library/LaunchAgents/com.apple.ManagedClient"*

to see if they're still where they originally were (if so, you're probably a victim of SIP, Apple doesn't allow you to modify these files with csrutil enabled). Reboot, immediately hold ⌘R, Terminal as per above, csrutil disable, reboot, and try again.

If both locations are empty then you're probably on a different version of Mac OS X. If that's true you may want to have a gander at the old instructions.

I am such an idiot I do not even know what the hell I am doing here. I checked both of those and both state no such file or directory. Catalina 10.15.2

@JohnEx123456 JohnEx123456 commented Jan 17, 2020

@chaim1221, thanks for quick reply. Reviewed again and all correct. Checked via 'Terminal' using 'ls' command, and also using 'Shell->import' UI (seems to allow easier way to look around, even though not importing). Regardless all setup as doc'ed. I re-did from scratch (new OS download, then above edits), same result. Something is missing.

@mikeyrozay1 mikeyrozay1 commented Jan 20, 2020

Hey if I remove the dep and mdm from the Mac will it remove the enterprise apple care ?

@chaim1221 chaim1221 commented Jan 20, 2020

AppleCare has nothing to do with corporate device settings management. If AppleCare was purchased for the device during the specified time range, it's still good for the device. That bit is still managed by Apple. That said, most of these refurb devices will have very little, if any, of their AppleCare time period remaining, which is of course how they end up on the corporate chopping block to begin with.

@mikeyrozay1 mikeyrozay1 commented Jan 20, 2020

@chaim1221 chaim1221 commented Jan 20, 2020

@JohnEx123456 is this all on a completely new OS install that you're having this trouble? It's possible that there's still some kind of residual daemon that's re-enabling the DEP. That's all I can think of. As a best practice you should always wipe a new computer when you get it. Otherwise Mallory can make your life miserable.

@chaim1221 chaim1221 commented Jan 20, 2020

Re: AppleCare, when I say it's "managed by Apple" I do mean you'll have to look it up with Apple. It's possible they'll need permission from whatever company gave up the computer to transfer the plan. It used to be tied to the device, but I understand that's not always the case any longer.

@JohnEx123456 JohnEx123456 commented Jan 21, 2020

@chaim1221. By 'wipe a new computer' do you mean erase the 'Macintosh HD' from disk utility? This was what I did, then told it to install OS. Downloads for a while, reboots and waits at new install screen on next boot. I have then attempted the MDM removal process at this point. Is there more to erase first, like even the recovery partition?

@chaim1221 chaim1221 commented Jan 21, 2020

  1. Cold boot and hold ⌘R (Recovery)
  2. Disk Utility, APFS, not case-sensitive, Journaled. Single partition.
  3. Install the new OS on an MDM managed device; do so with wifi disabled (give no internet access), until after install is complete; else you will be blocked by the initial MDM setup screen asking for an unknown corporate ID/PW. Proceed to the next step.
  4. Login as the user you created during install.
  5. Reboot and hold ⌘R.
  6. Utilities -> Terminal.
  7. As root, csrutil disable.
  8. Reboot and login normally.
  9. As root, execute the above steps.
  10. Reboot and hold ⌘R.
  11. Utilities -> Terminal.
  12. As root, csrutil enable.
  13. Reboot and login normally.
  14. profiles status -type enrollment.

Let us know how it goes. :)

@JohnEx123456 JohnEx123456 commented Jan 22, 2020

@chaim1221, thanks again for quick reply & sorry for continuing questions.

For steps 4, 8, 13 there is no 'login' after the OS initial install or Mac reboot. Either I let the default boot flow continue, and that wants to finish new OS setup, or I interrupt it with ⌘R to get back in recovery mode.

So is the reference to 'Reboot and login normally' referring to using ⌘R to go back into recovery mode? Because doing anything else is just letting the Mac continue to the initial setup of new installed OS - and after 2 questions (country, WIFI) I get the MDM screen I can't bypass.

But I do know the 'Profiles' command does not exist in 'recovery' mode (command not found)...so maybe I am doing something wrong in where I should be booted into.

@chaim1221 chaim1221 commented Jan 22, 2020

Yes, you need to finish the entire OS setup, including accepting the MDM. There's no way to bypass that screen; the Mac shipped with it. You need to treat it like you're setting it up as a corporate device (which it is) and then disabling DEP as an admin (which you are, once you login as root). Don't boot into Recovery while the OS is installing; the only thing you can do from there is to start the process over.

Re: profiles:

celiyah@ce-mbp-dev Tue Jan 21 18:06:20 ~
~:$ which profiles
/usr/bin/profiles

...

man profiles

profiles(1)               BSD General Commands Manual              profiles(1)

NAME
     profiles -- Profiles Tool for macOS.

SYNOPSIS
     profiles verb [options]

DESCRIPTION
     profiles is used to install, remove, list, or otherwise handle various
     profile types on macOS.

You're right, it doesn't exist until you have an operating system.

@weener123 weener123 commented Jan 22, 2020

Not sure why it's not working for you. I just reinstalled macos Catalina via USB in my 2017 MacBook pro. With no wifi, everything went smoothly and I followed etpap's method to the T. No issues, no MDM pop ups.

I'm not sure if it's a new Mac thing, but why would you get the MDM popup during install if no internet is present? Wouldn't it skip that part especially if you click on the bottom left for setup without connecting to the internet?

@JohnEx123456 JohnEx123456 commented Jan 23, 2020

@weener123. You've solved it - the misunderstanding that is, thanks!

I never said wifi was disabled, the OS install screen asks for such right before MDM. I assumed all these instructions were solving this initial install popup. As such I never got past installing the OS and so didn't understand @chaim1221's reference to needing to 'logon' (no account yet).

The steps assumed I had an installed and working OS, I did not. With wifi enabled on an MDM managed Mac, I could not install the OS - blocked. With Wifi disabled, I now can. And I will retry all the steps.

@chaim1221. A proposed 'Step 0' to your list above, for clarity & for all the lost newbies like me. Thanks again.

"Step 0. If first installing a new OS on an MDM managed device, do so with wifi disabled (give no internet access), until after install is complete - else you will be blocked by the initial MDM setup screen asking for an unknown corporate ID/PW. Then follow instructions below to fully disable MDM's ability to also call home later and try to install."

@chaim1221 chaim1221 commented Jan 23, 2020

So edited! I made it part of step 3.

@dseyit dseyit commented Jan 24, 2020

Thanks a lot. I did it and every step worked including DEP - No and MDM - No step. My question is, does it remove device from DEP list or will it re-occur when I reinstall macOS again?

Thanks a lot

@chaim1221 chaim1221 commented Jan 24, 2020

The device itself has an MDM|DEP "profile." Every time it is initialized you'll have to go through the steps.

@MSokol00 MSokol00 commented Jan 26, 2020

Many thanks for this solution! It helped me big time!

I have one question though - did any of You guys have any problems with signing to iMessage / FaceTime after this procedure? I'm fighting with login for two days now without any light in the tunnel. iCloud signed in without any problems, iMessage / FaceTime doesn't work as well as handoff and all Continuity. Just want to know if it's just in my case or more common...

@chaim1221 chaim1221 commented Jan 26, 2020

Entirely unrelated.

@MSokol00 MSokol00 commented Jan 26, 2020

@chaim1221 thanks, I thought so but wanted some confirmation

@lynndixon lynndixon commented Jan 26, 2020

I’m having the same issues with FaceTime and iMessages after doing this. I think there is something related.

@MSokol00 MSokol00 commented Jan 26, 2020

@lynndixon oh that's interesting. I will let You know if I manage somehow to get it work.

@MSokol00 MSokol00 commented Jan 26, 2020

@chaim1221, @lynndixon so I did one thing and iMessage, FaceTime and Continuity started to work like a charm.

In 5th step we're blocking some addresses. There is this command: $ echo "0.0.0.0 albert.apple.com" >> hosts. In the discussion @scr8tum mentioned that albert.apple.com is for iOS, OS X Activation. Since this may (or may not) be related to iCloud services activation I commented out this from hosts file. After reboot everything started to work.

@lynndixon could You please confirm if that's the solution for You too? I can't believe this to be just a coincidence.

@dseyit dseyit commented Jan 26, 2020

The device itself has an MDM|DEP "profile." Every time it is initialized you'll have to go through the steps.

Thanks a lot. What about updates ? Do I need to do every other update ?

Thanks again.

@chaim1221 chaim1221 commented Jan 27, 2020

Good find @MSokol00. Yeah I'd subtract anything needed for normal communication with Apple. I am not sure what I did to my hosts file, if anything. I will try to pull it up later.

Re OS X updates|activation|etc. ... they shouldn't be impacted, unless you reinstall the OS, or DEP changes (possibly with a major upgrade such as Mojave -> Catalina). It's basically just a service, like any other service. As root, you are disabling the service, and basically saying no thanks to any outside "help" with that feature. Once this is done it shouldn't be invasive. I've been running with @henrik242's instructions for roughly a month and a half now, without issues.

@onedrop onedrop commented Jan 29, 2020

Would just adding those five entries to etc/hosts be enough to prevent the Device Enrollment popup? Not understanding why the other steps are necessary if you can block how this thing phones home. Trying to do the least invasive thing here.

@chaim1221 chaim1221 commented Jan 30, 2020

No, because the popup is related to the service. It does not care whether or not it can actually phone "home." Disabling the service is akin to re-homing the laptop (assuming, of course, that there isn't a desktop administrator missing a laptop somewhere 👅 ). In fact I'm reasonably certain that you don't even need the hosts lines if you do it right. But thanks for the reminder; I will check my hosts when I get home.

@saikiran91 saikiran91 commented Jan 30, 2020

Does this method no longer work? It seems to be holding up for me still.

Restart into recovery

csrutil disable

Restart into normal user mode

sudo mount -uw /
sudo mkdir /System/Library/LaunchAgentsDisabled
sudo mkdir /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchAgents/com.apple.ManagedClientAgent.agent.plist /System/Library/LaunchAgentsDisabled
sudo mv /System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist /System/Library/LaunchAgentsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.plist /System/Library/LaunchDaemonsDisabled
sudo mv /System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist /System/Library/LaunchDaemonsDisabled

Restart back into recovery

Terminal:

csrutil enable

Restart into normal mode and work like normal.

It is working thanks.

@alphaman9 alphaman9 commented Feb 2, 2020

Thanks so much @henrik242! This has worked a charm :) I have a 2019 MV902BA model for sale for £1100 if anyone is interested. DM me.

@olegv3 olegv3 commented Feb 4, 2020

No one has mentioned this from what I can see but there's a way around getting DEP MDM profiles installed in the first place. During the installation of Catalina you must be connected to the internet but after it's done with the first part of installing and boots to the screen where you choose your location country on the next step it asks for wifi again. At this step choose "other" and choose I don't have internet. Click next it will prompt you a couple of times if you're sure. After you get past that screen DEP doesn't deploy it just skips it and goes to the next screen. I have tested this out multiple times and it seems to work. Only problem is that I get the pop up once in a while if I want to allow mdm to deploy to which I always press don't allow.

@chaim1221 chaim1221 commented Feb 4, 2020

This... whole thread is about turning off that popup. :)

@chaim1221 chaim1221 commented Feb 4, 2020

Also I'd like to note that it's not just a popup. It allows your device to be remotely erased, allows the "admins" (whoever they are, or whoever has gained their privileges) to regain control of the computer, etc.; yes all of that is unlikely if you, the root user, say "don't allow;" but as DEP is closed source, who can be sure? Best just to disable it.

@olegv3 olegv3 commented Feb 4, 2020

This... whole thread is about turning off that popup. :)

Yes I understand that but my point is that if you from the beginning don't have it install onto your system there is no chance for anyone to remotely control your system in the first place. Then you just do this whole process pointed out here if you don't want to see the pop up every once in a while

@toddmilliken toddmilliken commented Feb 13, 2020

🙏 Thanks! Works on Catalina 10.15.3.

I also got a refurbished Mac and kept getting the pesky Device Enrollment notifications frequently. These commands now suppress that annoying popup.

@victorbojica victorbojica commented Feb 16, 2020

Thanks. I think i've got it working. Running Catalina 10.15.3.
Do you know if the mdmclient process is supposed to be running after all the steps ?

@olegv3 olegv3 commented Feb 16, 2020

Thanks. I think i've got it working. Running Catalina 10.15.3.
Do you know if the mdmclient process is supposed to be running after all the steps ?

It should not be running

@victorbojica victorbojica commented Feb 16, 2020

Hmm. It is running, but running the profiles command shows that it isn't registered with mdm.
I've tried reinstalling the os, but without wiping the drive and on the first boot, the process wasn't there. It showed up after going through the steps. Any idea why this would happen?

@olegv3 olegv3 commented Feb 16, 2020

When it asks you to connect to your internet click on more options and select I don’t have internet. Mdm will skip.

@tabacitu tabacitu commented Feb 20, 2020

Quick question, about what comes before applying your solution for MDM. I've read this thread and the original, but it’s not clear to me.

How do you guys upgrade from Mojave to Catalina?

  • (A) normal download & update, with internet
  • (B) normal download & update, block internet
  • (C) update from USB stick, block internet
  • (D) reinstall from USB stick, block internet

Does (A) work without bricking the device?
No idea if (B) or (C) are even possible.

Thanks a lot for sharing this, and to @chaim1221 for helping everyone here - we all really appreciate it.

@chaim1221 chaim1221 commented Feb 20, 2020

You're welcome!

I'd try normal download & update, with internet if you've already done the steps. The worst that can happen is that you have to do the steps again, which don't take that long, and the benefit is that you can definitively answer how that goes, which I haven't been able to do because I did the upgrade at the same time. (Which is another option; make a doc for Catalina+Refurb at the same time.)

@gallo-negro gallo-negro commented Feb 25, 2020

I was able to move the files to the disabled folder. Although still getting the pop to authenticate and does not let me skip the pop up even after selecting no WiFi. Any ideas on how to fix?

Was able to fix issues and now working properly. Thank you again for this!

@miladdavoodi9 miladdavoodi9 commented Feb 28, 2020

@chaim1221, @lynndixon so I did one thing and iMessage, FaceTime and Continuity started to work like a charm.

In 5th step we're blocking some addresses. There is this command: $ echo "0.0.0.0 albert.apple.com" >> hosts. In the discussion @scr8tum mentioned that albert.apple.com is for iOS, OS X Activation. Since this may (or may not) be related to iCloud services activation I commented out this from hosts file. After reboot everything started to work.

@lynndixon could You please confirm if that's the solution for You too? I can't believe this to be just a coincidence.

I did all of this and everything worked, however, now I cannot access my imessage, icloud, facetime, appstore, apple wallet, etc. I tried rebooting but still nothing. How did you rectify this problem?

@Bout2GitIt Bout2GitIt commented Mar 12, 2020

I have a related question:
When I do this, will the MDMD/DEP administrator receive any notification that this device has left their program?

@miladdavoodi9 miladdavoodi9 commented Mar 12, 2020

I have a related question:
When I do this, will the MDMD/DEP administrator receive any notification that this device has left their program?

I wouldn't think so. I think the company who still has it on their Apple device management system would still need to remove the serial number on their end for it to be completely off.

@Bout2GitIt Bout2GitIt commented Mar 12, 2020

I wouldn't think so. I think the company who still has it on their Apple device management system would still need to remove the serial number on their end for it to be completely off.

So then... they'll still have a record of this device existing, but they'll see that it's not connecting with their MDM/DEP. Couldn't that produce the conditions for a notification?

@chaim1221 chaim1221 commented Mar 13, 2020

If you're that worried about some random sysadmin getting a notification, perhaps you should take the computer back to them. 😅

These are refurbished corporate devices, which you most likely got at some kind of a discount. Enjoy your discount. Any device you have to perform these steps on was once tracked as inventory by a large corporation. There are absolutely no guarantees that they aren't still tracked; through enterprise AppleCare, for example, or when the computer updates.

For that matter, Google is watching you. GitHub is owned by Microsoft. Russian hacker cells frequent Tor. Hell, 1.4 billion Chinese people can't even access the internet without agreeing that their government has the right to spy on them. And I just found out my Victure camera was engaging itself when I wasn't using the app. Welcome to the digital age.

Now, enjoy your lack of notifications.

@chaim1221 chaim1221 commented Mar 13, 2020

> > @chaim1221, @lynndixon so I did one thing and iMessage, FaceTime and Continuity started to work like a charm.
> >
> > In 5th step we're blocking some addresses. There is this command: $ echo "0.0.0.0 albert.apple.com" >> hosts. In the discussion @scr8tum mentioned that albert.apple.com is for iOS, OS X Activation. Since this may (or may not) be related to iCloud services activation I commented out this from hosts file. After reboot everything started to work.
> >
> > @lynndixon could You please confirm if that's the solution for You too? I can't believe this to be just a coincidence.
>
> I did all of this and everything worked, however, now I cannot access my imessage, icloud, facetime, appstore, apple wallet, etc. I tried rebooting but still nothing. How did you rectify this problem?

@miladdavoodi9, I didn't have that problem. However every time I've checked this thread, for some reason, I'm never on the device in question to verify that. 😂 In any case I just verified; while I did have to do an extra verification step for the app store, it is working. iMessage is working. I don't use iTunes or FaceTime presently, so I have no idea if they're working. But invalidating the DNS for these servers didn't give me any problem:

0.0.0.0 albert.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com

@Euroclie Euroclie commented Mar 24, 2020

Hello all,

I purchased a second-hand Macbook Air in 2016, and never noticed anything strange until I decided to upgrade to Catalina a few days ago. To be honest, I had some troubles in the past with an upgraded SSD (purchased from OWC) which caused me to (re)install MacOS multiple times before, but with older versions of MacOS I never had any problem installing.

Like everyone here in this thread, I encountered the dreaded screen early on during the Catalina installation, advising me that my computer was remote-administrated (by Airbnb in my case).

A chat with Airbnb tech support proved useless (I think the guy I exchanged with didn't even understand what it was about), and the shop I purchased the computer from is out of business (unregistered domain name when I reach out by mail...), so I felt left out alone in the cold.

By chance, digging (more than) a bit in google allowed me to find this precious thread!

It took a couple of tries, which involved turning off the wifi on the Macbook as soon as possible, multiple reboots in recovery mode as per instructions, and using the system monitor application after the first boot to quickly kill the DEPNotify task which had somehow managed to launch even after applying the instructions. All in all, I was able to stop the enrollment stuff before it was able to install too much stuff (only Chrome, as far as I can tell).

Now the enrollment status shows "Enrolled via DEP: No" and "MDM enrollment: No", which I appreciate (even though I know that my Macbook Air is still in the list on the Airbnb server side).

I had to dig further to prevent DEPNotify from displaying its splashscreen at boot (I don't think that it was able to do much, though, but I killed the task ASAP anyway). Here's what I did, in case it can help others:

I wanted to pinpoint the location of the DEPNotify executable or script, so in the terminal I ran a simple "locate DEPNotify" command.

Unsurprisingly, the locate database needs to be initialized first before you're able to run a query, so I had to create the database first. By chance the locate command fails with an error message that gently urges you to run the appropriate command in the terminal. Not sure if I remember correctly, but it should be something like "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.locate.plist", and it takes a couple of minutes to complete (in the background, as you'll immediately get back to the command prompt after launching the command).

Once the locate database is available, it turned out that the only mentions of DEPNotify were files stored in the /opt/airbnb directory. Depending on the enrollment administrator choices, they may reside somewhere else on your computer.

So all I did to get definitely rid of the Airbnb stuff was to rename the /opt/airbnb directory into something else with "mv /opt/airbnb /opt/airbnb.disabled", and at last I was able to reboot without any trace of the Airbnb and remote admin stuff.

I'll update this post if something else pops up after a couple days of use...

Many, many thanks to henrik242, chaim1221 in particular, and the Github community in general for providing this kind of assistance!!!

@henrik242 henrik242 (gist owner and author) commented Mar 24, 2020

@Euroclie It sounds like you didn't do a complete reinstall after you purchased a second-hand computer. You should ALWAYS do this, there can be all kinds of spyware and other unwanted software running on that thing.

@Euroclie Euroclie commented Mar 24, 2020

> @Euroclie It looks like you didn't do a complete reinstall after you purchased a second-hand computer. You should ALWAYS do this, there can be all kinds of spyware and other unwanted software running on that thing.

As a matter of fact, I did make a full reinstall, on a brand new, bigger, SSD. The funny thing is that I never saw the DEP stuff during the reinstalls, and believe me, I did more than a couple of them!

I was trying to setup Bootcamp on my 1Tb SSD (original Apple one was only 128Gb, too small for Bootcamp to be useful), but somehow the OWC SSD never successfully managed to handle Bootcamp.

I ended up using the SSD with only MacOS, and upgraded from El Capitan to Sierra, and later to High Sierra if I remember correctly, without any DEP trace. The SSD was probably glitchy, though, as my Macbook Air experienced frequent lockups, so I ended up not using it very often, and skipped the Mojave upgrade.

To be accurate, I since purchased a new SSD for the Macbook Air (1Tb OWC Aura Pro instead of 1Tb Aura), hoping that it would solve my lockups issues, but I wasn't able to install MacOS on it, as it wasn't recognized by the EFI during boot.

Only when installing Catalina did I meet the DEP issue. Did Apple change the way they handle DEP in Mojave or Catalina?

Anyway, despite the DEP stuff, the Catalina install seems to come with an EFI firmware update, or something, as after installing Catalina on the original 128Gb SSD, I tried again with the 1Tb Aura Pro SSD, and it was recognized during boot, so I was able to follow your instructions and get a (more or less) clean install of Catalina on a working SSD... so far!

Kudos to you, @henrik242!

@chaim1221 chaim1221 commented Mar 24, 2020

Fantastic info @Euroclie, thanks!

@Duekvu Duekvu commented Mar 26, 2020

> Once the locate database is available, it turned out that the only mentions of DEPNotify were files stored in the /opt/airbnb directory. Depending on the enrollment administrator choices, they may reside somewhere else on your computer.

Thank you for the great info. However, when I try to run the command locate DEPNotify after creating the database, it doesn't return the location of the DEPNotify script (seems like it doesn't return anything). Am I missing something here? Thank you

@Euroclie Euroclie commented Mar 26, 2020

> Thank you for the great info. However, when I try to run the command locate DEPNotify after creating the database, it doesn't return the location of the DEPNotify script (seems like it doesn't return anything). Am I missing something here? Thank you

The locate command returned the path of the DEPNotify app (in my case it was /opt/airbnb/dep_enroll/DEPNotify.app).

If the administrator of the company which enrolled your computer chose a different setup, maybe the application isn't called DEPNotify? Or maybe you were luckier than me and prevented the enrollment stuff completely during the install? Despite following the initial instructions as closely as possible, I ended up having an Airbnb splashscreen at the first boot/login, so I immediately launched the System Monitor application, and a process called DEPNotify was running, which seemed like a good suspect.
Killing it got me rid of the Airbnb splashscreen, so it stopped installing new stuff, and all I needed was to make sure that it wouldn't launch again after the next reboot, hence the locate/mv combo, which worked.

If you still have some sort of enrollment stuff running after applying the initial tutorial, you'll need to find the name of the process involved, so you can locate and delete/move it (I prefer the "move" approach, as it is reversible if I do something stupid by mistake!)

Hope this helps...

@skhashaev skhashaev commented Mar 30, 2020

> I was able to move the files to the disabled folder. Although still getting the pop to authenticate and does not let me skip the pop up even after selecting no WiFi. Any ideas on how to fix?
>
> Was able to fix issues and now working properly. Thank you again for this!

How did you fix it?
I have the same problem. Firstly, I didn't even know about DEP until I reinstalled my second-hand Macbook Pro 2015. Then I faced the DEP screen when setting up my Mac. It was continuously showing the message about enrolling. Now I did all the steps described in the original topic (https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac) and here. Now the error is a different one: "Enrolling with management server failed. Unexpected error (InternalError: 1)".
I reinstalled Catalina and did all the steps again, but it continues to show me the message. I reinstalled with Internet, but chose "I have no internet" after the location/country settings and keyboard settings.
Maybe I should erase all data on Macintosh HD again (I also have Macintosh HD - Data) and reinstall Catalina, repeating those steps?

@skhashaev skhashaev commented Mar 30, 2020

I erased Macintosh HD, reinstalled, but I have the same problem. I don't know what I'm doing wrong. For now I erased Macintosh HD, deleted Macintosh HD - Data, reinstalled Catalina with Internet, it downloaded and installed, (maybe this?) then the choosing country window popped up, I held the power on/off button, turned off the Mac, then turned it on in recovery mode and did all steps described above. Is it strictly necessary to go into recovery mode right after reinstall without allowing the choosing country window to pop up?

@skhashaev skhashaev commented Mar 31, 2020

I solved it.
What I did: I wiped the Macintosh HD, deleted Macintosh HD - Data (for sure). Reinstalled Catalina WITH Internet - just start "Reinstall macOS" in the list of Recovery Mode. Just do the steps. First, it downloads Catalina (I guess it downloads, cause it needs internet for that as it mentions), then Mac restarts and starts with Apple icon and shows the remaining time. It's the b) and c) steps of this title. And you must be ready to run Recovery Mode right after it restarts the second time. Did you get it? So:

  1. you see Catalina's Icon with bar and remaining time,
  2. then Apple's icon with remaining time,
  3. and when it's restarting after Apple's icon with remaining time, you hold Command + R keys to run Recovery Mode.
After the above three steps you just do what is described above in the head of title.
Big thanks to @henrik242 for this gist

@turboAC turboAC commented Apr 14, 2020

Yes, a BIG thank you to henrik242 and others for working out a fix for DEP and MDM. I recently bought a 2017 MBP and was having a bit of a challenge installing a fresh version of the macOS - I had to wipe the HD and reinstall twice due to my own missteps. With a final macOS install in place, I followed the instructions above to the letter, with only one minor challenge: I failed to note the new freshly installed macOS was High Sierra until AFTER I completed the code in terminal. With High Sierra, the resulting test indicated success:

$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

From this point, I loaded the installer (from the App Store,) for Catalina and completed the installation with no DEP or MDM pop-ups. Once again, I ran the "profiles status" in Terminal and was pleased to note "No" on both enrollments (as listed above) after a successful move to Catalina.

I have since Migrated the data, apps, settings etc., to this MBP via a Time Machine back-up without a hitch.

Again, sincere thanks henrik242 the new (to me,) machine works GREAT!

@turboAC turboAC commented May 3, 2020

Unfortunately, DEP returned just yesterday - DRAT!

Any suggestions?

@jester-frier jester-frier commented May 6, 2020

I ran into issues trying to install Catalina. The "Remote Management" screen comes up after selecting the country at the beginning of a fresh installation. After re-wiping, I was able to get Mojave installed with the above method.

After that, I installed Catalina from within Mojave (not Recovery). DEP/MDM remains a No :)

Only thing I noticed was that the files in the .disabled folders were moved to the Desktop as "Relocated Items" and that the originals were restored to the original locations. Is it safe to assume that once MDM has been disabled and the OS is installed, these files don't have an impact anymore and can remain in their original locations?

@lightvox lightvox commented May 19, 2020

Thanks for this henrik242 (is this an homage to front242?). I was sold a MacBook Pro by Northbay Networks, a year ago, that used to belong to Uber, which was never properly unenrolled from DEP. I had found this and other sites with similar processes to get rid of the notifications.

This became an issue again recently because I upgraded to Mojave, and after the upgrade, I was receiving the enrollment notifications again. I went through the procedure again, but now I'm noticing additional entries in the LaunchAgents and LaunchDaemons folders that start with: com.apple.mdmclient* so I removed these as well. I'm hoping this prevents any more enrollment notifications.

@McflySavesTheWorld McflySavesTheWorld commented May 29, 2020

Can anyone verify if this works with MacBooks that have T2 chips. Like a 2018 MacBook Pro. My understanding is the chip allows it to be remotely enrolled. Would this be disabled if following the methods above?

@weener123 weener123 commented May 29, 2020

@McflySavesTheWorld It does work, at least from my experience. So long as you are able to boot from USB, and have it not connected to internet, and follow the steps accordingly, it should work. The test sample I had I was able to boot from USB, and continued from there. No issues as of yet.

@weener123 weener123 commented May 29, 2020

Furthermore if the laptop in question is not allowing you to boot from USB, there are steps to force it to boot from USB.

@jog0ff jog0ff commented May 29, 2020

> I ran into issues trying to install Catalina. The "Remote Management" screen comes up after selecting the country at the beginning of a fresh installation. After re-wiping, I was able to get Mojave installed with the above method.
>
> After that, I installed Catalina from within Mojave (not Recovery). DEP/MDM remains a No :)
>
> Only thing I noticed was that the files in the .disabled folders were moved to the Desktop as "Relocated Items" and that the originals were restored to the original locations. Is it safe to assume that once MDM has been disabled and the OS is installed, these files don't have an impact anymore and can remain in their original locations?

@jester-frier heya mate, just to confirm, did you upgrade from Mojave without any hassle mean right out off system update and no DEP at all?
cheers

@jester-frier jester-frier commented May 29, 2020

@jog0ff jog0ff commented May 29, 2020

Ok, did you boot from Catalina or just ran installer and did you have WiFi on, thanks

@jester-frier jester-frier commented May 29, 2020

@jog0ff jog0ff commented May 30, 2020

> @jog0ff I just ran the installer after I was booted into Mojave. I had started to use Mojave for a couple of hours so had WiFi on at that point. I don't remember if I had turned it off when I started the Catalina installation. You can certainly keep it off throughout as it's not needed.

good stuff, created usb using createinstallmedia, turned wifi off, while on Mojave desktop started Catalina installer from usb. All went smooth without issues.
thanks guys for this topic!

@jog0ff jog0ff commented May 30, 2020

ok, just got device enrolment pop-up, is there any way to get it cancelled permanently?

@johnnyd65 johnnyd65 commented Jun 1, 2020

Quick question, didn't see that it's been asked or answered yet: recently bought a new MacBook Pro and restored a backup of my current MacBook, which I never disabled DEP, and I'm getting a popup on the new laptop.

Wouldn't expect it to be the case since the serial# is different, but it's showing as being registered to the SAME organization as the existing laptop. Would a backup of an "old" laptop carry that registration over?

And if that's possible, guessing the recommended solution would be to take the steps above and disable on my existing MacBook, then backup with the changes and install that backup to the new laptop, correct? Thanks

@jog0ff jog0ff commented Jun 1, 2020

> Quick question, didn't see that it's been asked or answered yet: recently bought a new MacBook Pro and restored a backup of my current MacBook, which I never disabled DEP, and I'm getting a popup on the new laptop.
>
> Wouldn't expect it to be the case since the serial# is different, but it's showing as being registered to the SAME organization as the existing laptop. Would a backup of an "old" laptop carry that registration over?
>
> And if that's possible, guessing the recommended solution would be to take the steps above and disable on my existing MacBook, then backup with the changes and install that backup to the new laptop, correct? Thanks

yup, it should work

@johnnyd65 johnnyd65 commented Jun 2, 2020

> > Quick question, didn't see that it's been asked or answered yet: recently bought a new MacBook Pro and restored a backup of my current MacBook, which I never disabled DEP, and I'm getting a popup on the new laptop.
> >
> > Wouldn't expect it to be the case since the serial# is different, but it's showing as being registered to the SAME organization as the existing laptop. Would a backup of an "old" laptop carry that registration over?
> >
> > And if that's possible, guessing the recommended solution would be to take the steps above and disable on my existing MacBook, then backup with the changes and install that backup to the new laptop, correct? Thanks
>
> yup, it should work

Thanks, Jog0ff, we'll give it a try and see what happens!

@turboAC turboAC commented Jun 2, 2020

I followed the directions to the letter and loaded Catalina. The popups were non existent until and the "test" returned NO for both DEP & MDM. Once I updated Catalina, DEP and MDM returned, even though the test still returns NO.

@wizbruhlifa wizbruhlifa commented Jun 3, 2020

@rshutt rshutt commented Jun 4, 2020

Anyone tried this with the 10.15.5 update yet?

@jog0ff jog0ff commented Jun 4, 2020

[Screenshot 2020-06-04 at 22 09 10]

yup, works a charm

@jester-frier jester-frier commented Jun 4, 2020

@rshutt rshutt commented Jun 5, 2020

> [Screenshot 2020-06-04 at 22 09 10]
>
> yup, works a charm

I confirm this statement :)

@ugultopu ugultopu commented Jun 5, 2020

Still works as of today. Make sure to follow the instructions on the original post (the very first post by the OP (henrik242) in this whole thread) exactly and step-by-step. I have followed the full reinstall instructions and they worked like a charm.

Also, take extra care of not making any typos when entering the commands on the terminal. I would suggest you to NOT use any auto-completion (TAB key) when typing out the commands. Just type out the commands letter-by-letter, and triple check every command BEFORE AND AFTER executing each command. As long as you follow the instructions to the letter, they work as of today.

@ssccs ssccs commented Jun 12, 2020

still works- disabled DEP, on MacBook Pro, Mac Pro and iMacs. As ugultopu mentioned, follow the first post by OP.

@jaarons1 jaarons1 commented Jun 14, 2020

I’m going crazy. I’m trying to follow the instructions but get a line saying LauchDaemons.disabled: command not found.

Looks like my drive is mounted(named HDD) already so to start I see this:
[bash-3.2# $cd “/Volumes/HDD/System/Library”

I assume that’s right. I’m getting out of my wheelhouse of knowledge here. Thanks for any advice.

Running a 2015 MBP.
[attached image]

@ugultopu ugultopu commented Jun 14, 2020

@jaarons1 You should not type $ before the commands. $ represents a command prompt, it is not a part of the command. You should only type the stuff after the $.

@jaarons1 jaarons1 commented Jun 14, 2020

> @jaarons1 You should not type $ before the commands. $ represents a command prompt, it is not a part of the command. You should only type the stuff after the $.

Thanks.

I did that, attached image, and still get a pop up after asking about WiFi telling me the device is remotely managed. When I proceed it says “enrolling with the management server failed” and will not let me progress.

[attached image]

@ugultopu ugultopu commented Jun 14, 2020

@jaarons1 Restart the process. Wipe your disk again using disk utility, pull the OS over the network again. In short, follow the instructions of the OP again from scratch step-by-step. Let me know if it worked afterwards.

@ugultopu ugultopu commented Jun 14, 2020

@jaarons1 Also maybe you weren't able to wipe the disk properly in the first place. Read through a couple tutorials to understand the process.

@jaarons1 jaarons1 commented Jun 14, 2020

@ugultopu does it have to be an over the network OS install after the wipe? That’s been an entirely different issue and it never progresses once connected to a WiFi network. I appreciate your guidance!

@jaarons1 jaarons1 commented Jun 14, 2020

@ugultopu did another erase and followed the instructions. Got past that screen! Thanks for the help!

@zulus zulus commented Jun 14, 2020

During 10.15.5 installation process, I had to also move /var/db/ConfigurationProfiles

@jaarons1 jaarons1 commented Jun 14, 2020

@zulus mine seems to be working, but will I run into further issues with updates if I don’t move that? What command would I use to move it?

@zulus zulus commented Jun 14, 2020

@jaarons1 Yesterday I was trying to install Catalina on fresh disk. Unfortunately I can't do this without WIFI. After first reboot, before csrutil enable I've run:

mv "/Volumes/Macintosh HD/var/db/ConfigurationProfiles"  "/Volumes/Macintosh HD/var/db/ConfigurationProfilesDisabled"

And after reboot I was able to continue installation wizard without "enrolment" screen.

@jaarons1 jaarons1 commented Jun 14, 2020

Thanks! Now if I could get the black screen and shutting down to go away on 10.15.5 I’d be golden. Trying to reinstall to fix that got me into this mess.

@turboAC turboAC commented Jun 14, 2020

After reading the most recent posts, I may have to just try this again on both of my 2017 MBP's. It was peculiar as I followed the OP's post to the letter on both machines and loaded 10.15.4. Both ran fine with no MDM or DEP until I did the 10.15.5 update - at this point the update removed a few files/command lines that I had used before and put them on the desktop. I suppose I will do another clean and fresh install. Thanks again @henrik242 and to all who contribute to this!

@rustyshackleford2017 rustyshackleford2017 commented Jun 22, 2020

Anybody have trouble with iCloud or iMessages after bypassing DEP?

I was having inconsistent success in connecting to iCloud and activating iMessages. I unblocked the following servers from /etc/hosts that I had blocked when bypassing MDM:
albert.apple.com
gdmf.apple.com

I looked these up and they also seem to be used by Apple for other account verification purposes, including possibly iMessages/iCloud. I can't tell for sure if it helped to unblock them or if I am just imagining. Running 10.15.5 Catalina on a 2015 MBA. Thoughts?

@jog0ff jog0ff commented Jun 22, 2020

my iCloud and iMessages seem to work alright,
what exactly file do you mean by 'hosts'?
Cheers

@rustyshackleford2017 rustyshackleford2017 commented Jun 22, 2020

@jog0ff I meant the file located at /etc/hosts where you can make certain server requests resolve to 0.0.0.0 to block them from accessing the internet.

My iCloud and iMessage are working fine right now but when I was trying to activate them initially after install it was giving me an error about "failing to authenticate" even though I'm sure I was using the right password.

I was just wondering if maybe albert.apple.com/gdmf.apple.com might also be used to authenticate users before allowing activation of iMessage.
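
Added example, not part of any comment in this thread: a small hosts-file audit for the question raised here and in the earlier host list, namely which of the Apple hostnames named in the thread are actually sinkholed on a machine, and which are only commented out. The function names and the set of addresses treated as a sinkhole (0.0.0.0, 127.x.x.x, ::, ::1) are assumptions of this example; the sample file is constructed.

```shell
#!/bin/sh
# Hostnames taken from the thread's hosts-file entries.
WATCHED="albert.apple.com iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# audit_hosts FILE
# Prints "<hostname> <address>" for every watched hostname that FILE maps to
# a sinkhole address. Comment lines and trailing comments are stripped first,
# so an entry that was commented out is reported as not blocked. Lines that
# carry several hostnames after one address are handled too.
audit_hosts() {
    awk -v watched="$WATCHED" '
        BEGIN {
            n = split(watched, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        {
            sub(/#.*/, "")                 # drop comments; awk re-splits the fields
            if (NF < 2) next               # blank line or address without a name
            addr = $1
            # Assumption of this example: these addresses count as a sinkhole.
            if (addr != "0.0.0.0" && addr != "::" && addr != "::1" && addr !~ /^127\./) next
            for (i = 2; i <= NF; i++) {
                h = tolower($i)            # hostnames are case-insensitive
                if (h in want) print h, addr
            }
        }
    ' "$1"
}

# blocked_count FILE -> number of distinct watched hostnames that are sinkholed
blocked_count() {
    audit_hosts "$1" | awk '{ seen[$1] = 1 } END { c = 0; for (h in seen) c++; print c }'
}

# is_blocked FILE HOST -> exit status 0 if HOST is sinkholed in FILE, 1 otherwise
is_blocked() {
    audit_hosts "$1" | awk -v h="$2" '$1 == h { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample input (not taken from a real machine). Pass a path such
# as /etc/hosts as the first argument to audit a real file instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com deviceenrollment.apple.com
# 0.0.0.0 albert.apple.com
0.0.0.0 GDMF.apple.com   # trailing comment
EOF
audit_hosts "${1:-$sample}"
rm -f "$sample"
```

An MDM administrator can run the same check against a collected hosts file to see whether enrollment endpoints have been redirected on a device that has stopped checking in.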

@StawR0s StawR0s commented Jun 24, 2020

Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?

@rustyshackleford2017 rustyshackleford2017 commented Jun 24, 2020

> Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?

Did you disable csrutil first?

@StawR0s StawR0s commented Jun 24, 2020

> > Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?
>
> Did you disable csrutil first?

Yes, of course.

@rustyshackleford2017 rustyshackleford2017 commented Jun 24, 2020

> > > Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?
> >
> > Did you disable csrutil first?
>
> Yes, of course.

Sorry didn't mean to insult your intelligence, just wanted to confirm. May I ask were you running that command from the recovery terminal or after logging into the main OS? I have heard people can get both to work but I wonder if the former might work in your case but not the latter.

@StawR0s StawR0s commented Jun 25, 2020

> > > > Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?
> > >
> > > Did you disable csrutil first?
> >
> > Yes, of course.
>
> Sorry didn't mean to insult your intelligence, just wanted to confirm. May I ask were you running that command from the recovery terminal or after logging into the main OS? I have heard people can get both to work but I wonder if the former might work in your case but not the latter.

It was just an upgrade from Catalina to Big Sur. I disabled csrutil first, rebooted to enter Recovery Mode and typed a few commands in terminal.

[attached image IMG_8569]

@SkynetVirus SkynetVirus commented Jun 25, 2020

> > > > Guys, this method doesn't work on macOS Big Sur. I typed (mkdir LaunchDaemons.disabled LaunchAgents.disabled) and got a read-only message. Any options?
> > >
> > > Did you disable csrutil first?
> >
> > Yes, of course.
>
> Sorry didn't mean to insult your intelligence, just wanted to confirm. May I ask were you running that command from the recovery terminal or after logging into the main OS? I have heard people can get both to work but I wonder if the former might work in your case but not the latter.

Same for me after upgrading to the new Big Sur. Those commands don't work anymore, even csrutil disable.
Does anyone have a new method, please?

@zulus zulus commented Jun 25, 2020

@SkynetVirus did you try remounting the filesystem in write mode?

```
mount -uw "/Volumes/Mac SSD"
```

@zulus zulus commented Jun 26, 2020

@moslimbios what do you mean?

@rustyshackleford2017 rustyshackleford2017 commented Jun 26, 2020

Okay, I think you need to do an edited version of the csrutil command:

```
csrutil authenticate-root disable
```

to turn cryptographic verification off, then mount the System volume and perform its modifications. To make that bootable again, you have to bless a new snapshot of the volume using a command such as

```
sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot
```

See the following: https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/

@d1monn2004 d1monn2004 commented Jul 23, 2020

Hello. Has anyone tried updating to 10.15.6?

@jog0ff jog0ff commented Jul 23, 2020

ok guys,
there's a permanent solution for it, I've got it for my 2014 15" MBP Retina but it's available for other models as well
https://www.macunlocks.com/product/efi-card-instant-for-macbook-macbook-pro-and-macbook-air-solderless-efi-chip/?attribute_pa_modelnumber=mbp-15-a1398-2014-emc2876-820-3662
worth every penny, even internet restore works without any hassle :)

@d1monn2004 d1monn2004 commented Jul 23, 2020

@jog0ff Unfortunately this solution doesn't support 2019 13" MBP with T2 Chip.

@jog0ff jog0ff commented Jul 23, 2020

> @jog0ff Unfortunately this solution doesn't support 2019 13" MBP with T2 Chip.

oh, yeah it's up to 2017

@ssccs ssccs commented Jul 23, 2020

> Hello. Has anyone tried updating to 10.15.6?

yes, no issues using the original instructions

@howardkhl howardkhl commented Aug 14, 2020

Just want to say THANKS! After hours of searching and countless claims of it can't be bypassed, this method worked like a charm!

@evennotodd evennotodd commented Aug 17, 2020

Do the T2 security chips in 2018 and later MacBooks change anything about this process?

@prepsin prepsin commented Aug 18, 2020

Hi people

I'm really struggling with this on my side.

I applied the above (or similar) technique sometime last year when using Mojave, but having recently updated to Catalina (which I'm now regretting) the issue has come back.

I've followed the above guide but like @StawR0s I am getting the same issue saying it's a read-only file system.

I've also tried 'csrutil authenticate-root disable' and that's not working either.

Are there any more updates or fixes on this?

Is my Mac ok to use in the meantime? I keep pressing 'later' when the pop-up appears trying to phone home, but is my mac/data and username/email/login etc. viewable whenever I am online in the meantime to the previous organisation?

Any help would be appreciated as it appears there is no 100% fix for this yet?

Thank you

@henrik242 henrik242 (Owner, Author) commented Aug 18, 2020

@prepsin If you follow the guide on top to the letter then it should work. You cannot just try things blindly like you seemingly did, since you tried to apply commands that are explicitly only available for Big Sur (ref. csrutil authenticate-root disable)

@prepsin prepsin commented Aug 18, 2020

@henrik242 I have followed the guide to the letter and I am still getting this error:

"LaunchAgents.disabled: Read-only file system"

Ok granted I am not using 'big-sur' I am using Catalina after recently upgrading a few days ago but either way I am still getting this error.

I've read the full github thread and from what I can see there doesn't seem to be a confirmed working solution for this?

Please advise otherwise.

Thank you

@henrik242 henrik242 (Owner, Author) commented Aug 18, 2020

@prepsin You don't have to read the whole thread. Did you do Main Procedure, pt.3? Are you actually in the Recovery Mode at that point?

@peterwild peterwild commented Aug 20, 2020

I completed the steps here successfully a few months ago (thanks, btw!!). I'm now trying to update to 10.15.6, but the update times out about 70% through. Seems like it could be related. Anyone else experiencing this?

@henrik242 henrik242 (Owner, Author) commented Aug 20, 2020

@peterwild Everyone else has upgraded to 10.15.6 without problems. What indications do you have that this change is the culprit?

@peterwild peterwild commented Aug 20, 2020

@henrik242 Thanks for the reply. That’s encouraging. I’m only speculating because it’s odd that I can’t upgrade and this is the only “modification” I’ve done to my machine. The connection “times out” which made me feel that I wasn’t passing some test on Apple’s side, as all internet is working properly.

@etoricky etoricky commented Aug 26, 2020

Thank you. It is working on 2020 August.

Works on my freshly installed, networked Catalina 10.15.6 on a MacBook Air 2019. The instructions/commands are exactly the same as at the top of this MD file.

Background: Just got my MBA 2019. Originally it could be used. I went to recovery mode to reinstall the OS, and DEP asked me to enter a login name and password that I don't have. Found this MD file on GitHub. I read most of the comments. Followed the instructions and it works. Now at least I can log in to OSX and surf the web.

Supplement to the instructions/commands:

Second Reboot
Initial installation takes a long time. "Remaining installation" refers to a completely dark screen without any window, only a white Apple logo and a status text. The status text's time estimate is not very accurate, so:

- "About 3 minutes remaining..." at ease
- "About a minute remaining..." at ease
- "Estimating time remaining..." at ease
- "Less than a minute remaining..." pay attention! Reboot soon. Fingers ready to press command-R

Then just follow the instructions to use the "csrutil mkdir mv echo csrutil" commands.

@tofalan tofalan commented Aug 28, 2020

Thank you for this info. It is working as well on 10.15.6. My question now is, if I were to reimage my MBP, I would have to redo all these steps to avoid the DEP notification, correct?

@JohnBarger JohnBarger commented Sep 2, 2020

Thanks for this. I was struggling with this until I saw your instructions on redirecting the FQDNs to 0.0.0.0.
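
The 0.0.0.0 redirection referred to above is the set of hosts entries from the gist's Main procedure, and it leaves a trace that can be checked on an endpoint. An added example (not part of the gist or of any comment here) that flags those four hostnames when a hosts file maps them to an unspecified or loopback address; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a hosts file for sinkholed Apple enrollment endpoints.
# The four hostnames are the ones the gist's Main procedure appends to hosts.
ENROLLMENT_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# find_blocked_enrollment_hosts FILE
# Prints "hostname address" for each enrollment hostname that FILE maps to an
# unspecified or loopback address. Exit status: 0 if any found, 1 if none.
find_blocked_enrollment_hosts() {
    awk -v watch="$ENROLLMENT_HOSTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/#.*/, "")              # strip comments so disabled lines are ignored
            if (NF < 2) next
            addr = tolower($1)
            if (addr != "0.0.0.0" && addr != "::" && addr != "::1" && addr !~ /^127\./) next
            for (i = 2; i <= NF; i++) {
                host = tolower($i)
                sub(/\.$/, "", host)    # accept a fully qualified name with trailing dot
                if ((host in want) && !(host in seen)) {
                    seen[host] = 1; found = 1
                    print host, addr
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input (not taken from any real machine).
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com   # inline comment
# 0.0.0.0 deviceenrollment.apple.com
127.0.0.1 GDMF.apple.com.
192.0.2.10 deviceenrollment.apple.com
EOF
}

# Stand-alone use: ./audit_hosts.sh /etc/hosts
if [ "$#" -gt 0 ]; then
    find_blocked_enrollment_hosts "$1" || echo "no sinkholed enrollment hosts in $1"
fi
```

On the constructed sample it reports three of the four hostnames; the commented-out line and the entry pointing at a routable address are not flagged.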

@2pravin7 2pravin7 commented Sep 3, 2020

Works for me on 10.15.6. Thanks for these instructions!

@benergize benergize commented Sep 5, 2020

Brilliant work, you saved my girlfriend's laptop from being a hostage of a university.

@genesy genesy commented Sep 8, 2020

> @jaarons1 Yesterday I was trying to install Catalina on a fresh disk. Unfortunately I can't do this without WIFI. After the first reboot, before csrutil enable, I ran:
>
> ```
> mv "/Volumes/Macintosh HD/var/db/ConfigurationProfiles" "/Volumes/Macintosh HD/var/db/ConfigurationProfilesDisabled"
> ```
>
> And after reboot I was able to continue the installation wizard without the "enrolment" screen.

This worked for me too, thank you

@raducme raducme commented Sep 16, 2020

> @prepsin If you follow the guide on top to the letter then it should work. You cannot just try things blindly like you seemingly did, since you tried to apply commands that are explicitly only available for Big Sur (ref. csrutil authenticate-root disable)

Hey @henrik242! I want to install the newly released Big Sur today. Do you know if there are issues with disabling DEP with the previous method? Thank you.

@subaiku subaiku commented Sep 17, 2020

Hi, may I ask if this solution just suppresses the notification, or does it actually get rid of the DEP?

Also, is the DEP tied into the OSX Installer, Hard Drive or Machine? Am asking because in my situation I actually bought a used MacBook off eBay, took out the SSD and put it into another older MacBook (which previously did not have the notification), clean reinstalled High Sierra and then the notifications started popping up. In my noobie mind that means the DEP came with either the SSD or the Installer?

@henrik242 henrik242 (Owner, Author) commented Sep 17, 2020

@raducme This guide is for Catalina only. For Big Sur, you need some of the changes @rustyshackleford2017 outlined Jun 26. I haven't tested them.

@subaiku DEP is tied to the hardware. The machine ID is stored at Apple, where it's tied to whoever enabled DEP on your Mac.
