Disable Device Enrollment Program (DEP) notification on macOS Monterey.md

NB! On M1 Macs, command-R is replaced with holding the power button.

With full reinstall (recommended)

   a. Boot into recovery using command-R during reboot, wipe the hard drive using Disk Utility, and select reinstall macOS

   b. Initial installation will run for approximately 1 hour, and reboot once

   c. It will then show a remaining time of about 10-15 minutes

   d. When it reboots again, be sure to press command-R to boot into recovery and continue with Main procedure

Without full reinstall

Boot to Recovery Mode by holding command-R during restart and continue with Main procedure

Main procedure

  1. Open Utilities → Terminal and type

$ csrutil disable
$ reboot

  2. Hold command-R during the reboot to enter Recovery Mode again

  3. Enter Disk Utility, and mount the Macintosh HD volume (or whatever your main volume is named). (It might already be mounted.)

  4. Exit Disk Utility, open Utilities → Terminal, and type

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts
$ csrutil enable
$ reboot

  5. If you come to the “Choose your country/location” dialogue, make sure to not select a wireless network, but “continue without an internet connection”

  6. After a normal boot, you can verify the DEP status in Terminal:

$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
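
Seen from the fleet-management side, the procedure above leaves two checkable artifacts: hosts entries that null-route Apple's enrollment endpoints, and a No/No result from `profiles status -type enrollment`. The following audit script is an added example, not part of the original gist; its function names are hypothetical, and the domain list is the one from the gist's `echo` lines.

```shell
#!/bin/sh
# Added example, not from the gist: audit for the hosts-file changes described
# above. Function names are hypothetical; domains are the gist's own entries.
ENROLL_DOMAINS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# Print each watched domain that the hosts file pins to a null/loopback address.
blocked_enrollment_domains() {
    awk -v want="$ENROLL_DOMAINS" '
        BEGIN { n = split(want, d, " "); for (i = 1; i <= n; i++) watch[d[i]] = 1 }
        { sub(/#.*/, "") }      # drop comments, including commented-out entries
        NF < 2 { next }
        $1 == "0.0.0.0" || $1 ~ /^127\./ || $1 == "::1" || $1 == "::" {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if ((h in watch) && !(h in seen)) { seen[h] = 1; print h }
            }
        }
    ' "${1:-/etc/hosts}"
}

# Read `profiles status -type enrollment` output on stdin,
# print "dep=<value> mdm=<value>".
parse_enrollment_status() {
    awk -F': *' '
        /^Enrolled via DEP/ { dep = $2 }
        /^MDM enrollment/   { mdm = $2 }
        END { printf "dep=%s mdm=%s\n", dep, mdm }
    '
}

# One finding per host: hosts file path plus captured status text.
audit_enrollment() {
    blocked=$(blocked_enrollment_domains "$1" | sort | tr '\n' ' ')
    status=$(printf '%s\n' "$2" | parse_enrollment_status)
    note=""
    # A blocked gdmf.apple.com also cuts the machine off from software updates.
    case " $blocked" in *" gdmf.apple.com "*) note=" updates_blocked" ;; esac
    if [ -n "$blocked" ]; then
        echo "TAMPERED $status blocked=${blocked% }$note"
    else
        echo "OK $status"
    fi
}

# Live use on a Mac:
#   audit_enrollment /etc/hosts "$(profiles status -type enrollment)"
```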

racks211 commented Mar 30, 2022

I bought a MacBook Pro off Facebook Marketplace 4 years ago and I recently erased the whole device. Now when I boot it up and set it up it says I have remote management on for a school, and I called and they just hang up on me. How do I get rid of this remote management? Please, I'll pay for someone to help me.

@XxSanteaxX

Yes, I could help get you back into the computer. What is your email? I will send you my WhatsApp.


racks211 commented Mar 30, 2022

@time2chil Yes, I could help get you back into the computer. What is your email? I will send you my WhatsApp.


timothegg commented Mar 30, 2022

I also got scammed on a new M1 MacBook 14" I paid £1500 for.
It was working completely fine, I tested just about everything. My final step was to wipe the SSD clean so I could do a fresh install and migration from my old Mac.
Right after the OS install it tells me the device is managed by some company and I needed their login and password to continue installation.
I contacted the seller, who had actually legitimately purchased the laptop from the very same company in the installation (and had emails to prove it!). I tried contacting that company and I cannot get a response. I was devastated. Nearly a month's income gone for a useless brick. My wife would kill me.

Thankfully I found this page on GitHub. I managed to get past the initial installation screen.

I was unable to install macOS by loading from external USB because halfway through the installation, the installer would stop and tell me that internet is required for installation.

I was able to do it in the end. Here is the combination of steps from different posts that I took. I hope it is helpful to future readers:

  1. Wiped the new Mac's drive clean
  2. Set the new Mac into DFU mode
  3. Installed new IPSW via Apple Configurator
  4. While waiting for the IPSW to load I blocked the following domains on my router:

[image]

  5. During the macOS Monterey setup I did not activate the wifi (this step probably not necessary!)

  6. Restored from my Time Machine backup, signed into iCloud, activated FileVault, etc.

  7. Blocked the following in my hosts file:

albert.apple.com
deviceenrollment.apple.com
gdmf.apple.com    <---- not necessary and other posts say it will block future updates, now removed on my machine
iprofiles.apple.com
mdmenrollment.apple.com
acmdm.apple.com

  8. Did the "sudo profiles remove -all"

  9. Rebooted

The above should work for 2021 Macs with Monterey, but you will still apparently get some notifications saying that the computer is remotely managed by [company].

Does anyone have any advice for keeping my mac from getting locked out again? What are things to avoid? I would appreciate the advice. (I will continue trying to contact that company)

Thank you,
Tim


secured2k commented Mar 30, 2022

Please see the parent thread or earlier posts for details.
If you block gdmf.apple.com, you will likely not get public updates.

You can prevent this by not accepting profile installations going forward and leaving the three sites blocked at the PC or network level:

deviceenrollment.apple.com
iprofiles.apple.com
mdmenrollment.apple.com

If you do wipe and re-install your Mac again in the future, you can expect to need to do similar steps. Do include the extra servers for macOS Setup.


timothegg commented Mar 31, 2022

Thank you to everyone in this thread providing help.
I'm now getting notifications that the computer is remotely managed by [company].
My enrollment status is still:

Enrolled via DEP: No
MDM enrollment: No

Has anyone figured out a way to disable those notifications besides just turning off all notifications?

Edit:
I looked upthread and read secured2k's recommendation.
I did the "sudo profiles remove -all" command about 5 times and rebooted after each one.
It's been about 45 minutes and no new notifications yet.

Edit 2:
After about 4 hours, the notifications have returned. Anything I'm doing wrong? @secured2k

Thanks,
Tim


tandia12 commented Apr 6, 2022

> @lfctsve
> What year and model is it? For older MacBooks there are permanent fix adding a chip which changes serial number

@jog0ff Hey I have a MacBook Air 2019 do you think the chip would work on it? It is also running on MacOS Catalina


solis98 commented Apr 19, 2022

Do you know if after applying these steps to disappear the notifications, the laptop can be used without the risk that the laptop may be affected?


agent4tea7 commented Apr 21, 2022

> Do you know if after applying these steps to disappear the notifications, the laptop can be used without the risk that the laptop may be affected?

Yes, there's no risk as such. You are just opting out of a system-enabled DEP program. There's no risk, the machine is all yours to use and abuse.


siborg666 commented May 4, 2022

Every line after tells me the file is read only. I can’t change permissions on the HD or add myself as a user profile. Just says I don’t have permission, even though I am an administrator?

Any way to let me have access to change this stuff? Thanks.


secured2k commented May 4, 2022

You can try checking the parent thread/github fork for details. The issue reported means the more recent instructions were not followed or a step was skipped.


brunerd commented May 12, 2022

I've been wondering if I should blog about this, but here's another way that doesn't involve blocking network ports, so to squirrel this knowledge away in a corner of the web:

## these commands MUST be from Terminal in Recovery mode only (as root of course)
## this assumes the boot drive is named "Macintosh HD" and is a newer OS that has a Data volume

#clear the nvram if there is any saved WiFi info there
nvram -c

#remove the known networks plist which auto-joins your WiFi - older version of macOS may not have this
rm /Volumes/Macintosh\ HD\ -\ Data/Library/Preferences/com.apple.wifi.known-networks.plist 

#the WiFi password IS still stored here but it is not necessary to remove this
rm /Library/Keychains/System.keychain

#SUPPRESS FOR SETUP ASSISTANT ONLY
#remove all the dot files .* in Settings the main file is .cloudConfigHasActivationRecord
rm /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings/.*
#When you reboot with this method you must choose Other for network options then "This Mac does not connect to the Internet" to skip Remote Management
#this method of skipping via Other/No Internet is usually sufficient for macOS 10.14 and under

#SUPPRESS PERMANENTLY
#remove the entire folder and it NEVER asks for DEP again, without this folder it won't work
rm -r /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings

reboot


vzeazy commented May 20, 2022

@brunerd Just wondering if you've tested this on the newer M1 Macs? Thanks


vzeazy commented May 20, 2022

@timothegg Did you ever find a way to get the notifications removed?


hugocruz commented May 23, 2022

> @brunerd Just wondering if you've tested this on the newer M1 Macs? Thanks

Here you can find one for the M1 pro: https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4042787#gistcomment-4042787


dDev-OwO commented Jun 1, 2022

I'm guessing that if I can't disable SIP then I'm out of luck?

Is there any way around that? Cloning another drive?

Any help would be appreciated.


brunerd commented Jun 1, 2022

> @brunerd Just wondering if you've tested this on the newer M1 Macs? Thanks

@vzeazy yes, most definitely, it’s architecture independent it’s all about what macOS caches on disk really, we’ll see if they change anything for the next OS


secured2k commented Jun 1, 2022

> I'm guessing that if I can't disable SIP then I'm out of luck?
>
> Is there any way around that? Cloning another drive?
>
> Any help would be appreciated.

Check the recent comments or the parent thread for instructions for current version OS’s. Answers have been posted multiple times.


depmac commented Jun 9, 2022

Method confirmed dead on Ventura. Now MDM lock works in a similar way to FMM lock. For all of you legally owning DEP enabled Macs, disabling Full Security is highly recommended so that when you accidentally wipe the mac, you will be able to always downgrade to a full installation of macOS <=12.x. For Macs shipped with Ventura from now on, be extra careful unless new ways of MDM bypass come out.


depmac commented Jun 9, 2022

> Method confirmed dead on Ventura. Now MDM lock works in a similar way to FMM lock. For all of you legally owning DEP enabled Macs, disabling Full Security is highly recommended so that when you accidentally wipe the mac, you will be able to always downgrade to a full installation of macOS <=12.x. For Macs shipped with Ventura from now on, be extra careful unless new ways of MDM bypass come out.

Non Apple Silicon and T2 Macs are not impacted though. Also in the worst case we still have checkm8 for T2.


secured2k commented Jun 9, 2022

This does not seem like anything new. The case was the same since T2 and M1. The case if MDM actually got installed/enrolled during setup or profile install, the management system could enable FMM type locks (but doesn't have to).


mitatskni commented Jun 10, 2022

On Catalina, I solved the problem in a similar way. I found an XML file where it is written how often to display a notification and commented out the necessary section. I bought a used laptop with an MDM profile.


mitatskni commented Jun 10, 2022

> On Catalina, I solved the problem in a similar way. I found an XML file where it is written how often to display a notification and commented out the necessary section. I bought a used laptop with an MDM profile.

Just in case, I will give an example that I edited on Catalina to get rid of notifications every 3 hours


mitatskni commented Jun 10, 2022

> On Catalina, I solved the problem in a similar way. I found an XML file where it is written how often to display a notification and commented out the necessary section. I bought a used laptop with an MDM profile.
>
> Just in case, I will give an example that I edited on Catalina to get rid of notifications every 3 hours

% cat /System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.apple.ManagedClientAgent.enrollagent</string>
    <key>ProcessType</key>
    <string>Background</string>
	<key>ProgramArguments</key>
	<array>
		<string>/System/Library/CoreServices/ManagedClient.app/Contents/Resources/ManagedClientAgent</string>
		<string>-j</string>
	</array>
<!--
	<key>StartInterval</key>
	<integer>7200</integer>
-->
</dict>
</plist>


mitatskni commented Jun 10, 2022

As you can see, I commented out the StartInterval key. In my case, this solved the issue with notifications.


secured2k commented Jun 10, 2022

You cannot do this on newer systems with snapshots and signed system volumes.


JShub683 commented Jun 21, 2022

Just a general question. I was able to get into my M1 that I purchased from a liquidator who got the laptop from a company that was purchased prior to going out of business. I have an M1 and a 2019 i5; on the i5 I get zero notifications about being remote managed, whereas on the M1 I'll get a pop-up about every 3-4 hrs. The M1 took me a few days to realize that I could enter the echo commands without csrutil disabled to get around the MDM and create an account on Monterey. Anyway, I've read through multiple threads on DEP and it seems like the Intel models won't get notifications and on the M1 there's nothing that can be done to stop or block 'em, right? When checking for MDM profiles in Terminal I get the NO status, so I'm fine on that front, just the stupid popup.


secured2k commented Jun 21, 2022

There is no difference in the ability to block MDM pop-up notifications on Intel and M-series Macs. The difference in management security for those systems is that T2 and newer systems can be securely activation locked. I have looked at 2 random people's computers that claimed the same problem and I have no idea what I did differently, but with no relevant changes those users say the messages go away; so I assume the issue is with the user's actions or steps to block the network communication that causes the alerts. The parent thread has more detail and I have answered many questions since Nov 2020 about this.


Aleks4o commented Jun 23, 2022

Hi, I wanted to ask because I am new to the Mac scene and I bought a MacBook second hand with DEP (that I did not know of). Can anyone tell me, is it safe to use the laptop and is there a chance that the laptop is unusable?


JShub683 commented Jun 23, 2022


Aleks4o commented Jun 23, 2022

I did take the steps above, but what did you mean by “change the security settings in the recovery portion”?
