@Aleks4o

Aleks4o commented Jun 23, 2022

Hi, I wanted to ask because I am new to the Mac scene and I bought a MacBook second hand with DEP (that I did not know of). Can anyone tell me is it safe to use the laptop and is there a chance that the laptop is unusable?

@Aleks4o

Aleks4o commented Jun 23, 2022

I did take the steps above but what did you mean by “change the security settings in the recovery portion”?

@FaunoFloyd

FaunoFloyd commented Jun 28, 2022

Hi Guys,

I tried and got this reply

sudo profiles show -type enrollment
2022-06-28 12:31:49.952 profiles[10194:708792] Bad response from apsd: Connection interrupted
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled. Try again later.

It should be all right? DEP and MDM can't do a thing on the MacBook, right?
Screen Shot 2022-06-28 at 12 37 17

@secured2k

No, the error talks about an error with apsd's connection being interrupted. This is for Apple Push Services Daemon which means you might not get push notifications on that system, but that doesn't mean a profile could not be installed. The response you should get if DEP servers are blocked is similar to below:

Error fetching Device Enrollment configuration: (34006) Error Domain=MCCloudConfigurationErrorDomain Code=34006 "The Device Enrollment server is unavailable. Please try again later." UserInfo={USEnglishDescription=CLOUD_CONFIG_MAX_RETRIES_EXCEEDED, NSLocalizedDescription=The Device Enrollment server is unavailable. Please try again later., MCErrorType=MCFatalError}

@FaunoFloyd

@secured2k tried again and got same results, I'm using MacBook Pro 16 M1 Pro 2021, could be any diff?

Do I need to reinstall macOS from scratch to try again?

@secured2k

It is your call. I do not have the information about what was done that caused you to get a bad response from apsd.
However, the first command in the screenshot says enrolled via DEP/MDM: NO so generally there is no automatic profile install unless an Admin agrees to install a profile. This usually comes up in a push notification alert and if something has broken those push notifications, it will be difficult to accidentally enroll.

@brishtiteveja

I've been wondering if I should blog about this, but here's another way that doesn't involve blocking network ports, so to squirrel this knowledge away in a corner of the web:

## these commands MUST be from Terminal in Recovery mode only (as root of course)
## this assumes the boot drive is named "Macintosh HD" and is a newer OS that has a Data volume

#clear the nvram if there is any saved WiFi info there
nvram -c

#remove the known networks plist which auto-joins your WiFi - older version of macOS may not have this
rm /Volumes/Macintosh\ HD\ -\ Data/Library/Preferences/com.apple.wifi.known-networks.plist 

#the WiFi password IS still stored here but it is not necessary to remove this
rm /Library/Keychains/System.keychain

#SUPPRESS FOR SETUP ASSISTANT ONLY
#remove all the dot files .* in Settings the main file is .cloudConfigHasActivationRecord
rm /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings/.*
#When you reboot with this method you must choose Other for network options then "This Mac does not connect to the Internet" to skip Remote Management
#this method of skipping via Other/No Internet is usually sufficient for macOS 10.14 and under

#SUPPRESS PERMANENTLY
#remove the entire folder and it NEVER asks for DEP again, without this folder it won't work
rm -r /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings

reboot

I have faced this issue. After fresh install of mac OS Catalina, it was showing remote management from a company that is different from my own workplace.
Removing LaunchDaemons and LaunchAgents and re-routing IP addresses didn't work for me.
The only thing that worked for me was by removing /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings
Thank you very much.

@Hr46ph

Hr46ph commented Jul 2, 2022

Simple question from a macOS noob. When you speak of "wipe the harddrive using Disk Utility" in the instructions, what exactly do I select? There are multiple partitions. Tx.

@secured2k

You would select the disk rather than a partition. Apple support pages have instructions and can be found with a google search. However you may want to review the parent thread for recent fixes before following older instructions.

@Hr46ph

Hr46ph commented Jul 2, 2022

This being comments and not a real forum, what exactly do you mean with parent thread? Do you mean where you forked it from?
https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac

@secured2k

Yes

@Hr46ph

Hr46ph commented Jul 2, 2022

Thanks. I was there too. When I boot in recovery mode and open a terminal, it will ask me for credentials. sudo or su commands don't work. I've been searching my ass off through the comments here and there, Google directs me to official support. It looks like I need to wipe the disk so it won't read the current configuration on disk and connect to wifi, can you please confirm or point me in the right direction if that's wrong?

@secured2k

I don’t recall recovery mode asking for a password unless it was an encrypted disk.
su/sudo is not needed in recovery mode because you run as root (Administrator) by default.

It depends on what the issue is and what your goal is (what are you trying to accomplish?). If you are trying to erase everything, then Apple’s official instructions are good to follow. Assuming you are here because of MDM, then you follow the instructions with no internet setup or blocking hosts via DNS.

@brishtiteveja

brishtiteveja commented Jul 4, 2022

comments

If the device does not have any OS, after fresh installation, you don't have an administrator account created yet. And you may not even be able to go to the account creation phase because of the remote management screen. This is a scenario where the previous owning organization has forgotten to remove the MDM requirement for the device. It may not be the same for a regular device.

@rafaelsaxo

I just got scammed with a macbook pro m1 14inch, so I found here.
A little hard for a newbie so I wonder if a software like https://checkm8.info/bypass-mac-mdm-lock is trustable
and the scammer gave me this solution https://www.youtube.com/watch?v=PZy5Xayv5PY
I would really appreciate some help here.
By the way read the whole thread and couldn't execute everything. I need to learn better how to use terminal like do I have to use the $ sign or this is just a bullet?
Thanks in advance.

@secured2k

The last I recall from 2-3 years ago is checkm8 is for iPhone 4S (A5) through iPhone 8/X series (A11). This includes T2 which is related to A10. There was some news of Checkra1n being able to have some support for M1 (A14) chips but I never heard much about it.

As for the video, it starts with the same instructions as in these comments and then goes on to do things not needed, but potentially can work. In theory the instructions have you disable some security and run a program that could do some of the steps listed in the comments (or some hidden unknown method). However, I don't have any proof of what it is doing, so I can't say it really is "safe" or will work.

@iactivate-host

iactivate-host commented Jul 6, 2022

Disable Device Management and remove MDM enrollment profile on MacBook Pro & Air can be done via iRemove tool. You can download software from https://iremove.tools/remove-device-management-on-macbook . The tool can bypass MDM on Mac computers powered by M1 & T2 chip.

@rajpootathar

Disable Device Management and remove MDM enrollment profile on MacBook Pro & Air can be done via iRemove tool. You can download software from https://iremove.tools/remove-device-management-on-macbook . The tool can bypass MDM on Mac computers powered by M1 & T2 chip.

does this work can someone confirm?

@rafaelsaxo

rafaelsaxo commented Jul 6, 2022

How do I enter this in terminal?
$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts
$ csrutil enable
$ reboot
I am on Monterey and I did something wrong or it doesn't work.
thanks

I know that the $ is like a bullet point not to be typed, are there more things like this? Like if you see this you do press enter or something
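
The hosts entries quoted in the comment above are also what an administrator, or a buyer checking a second-hand Mac, would look for. The sketch below is an added example (not from the thread) that reports any active hosts-file override of those four hostnames; the function name `audit_hosts` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a hosts file for static overrides of the
# Apple enrollment and update hostnames quoted in this thread.

# Hostnames taken from the comment above.
WATCHED="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# audit_hosts FILE   (hypothetical helper name)
# Prints "hostname address" once for every watched hostname that an active
# (uncommented) line pins to a fixed address.
# Returns 0 when no override is present, 1 when at least one is found.
audit_hosts() {
    awk -v watched="$WATCHED" '
        BEGIN {
            n = split(watched, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        {
            sub(/#.*/, "")        # drop whole-line and trailing comments
            if (NF < 2) next      # need an address plus at least one name
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if ((name in want) && !(name in seen)) {
                    seen[name] = 1
                    print name, $1
                    hits++
                }
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample hosts file (not taken from a real machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com   # trailing comment is ignored
# 0.0.0.0 gdmf.apple.com
192.0.2.10 deviceenrollment.apple.com
EOF

audit_hosts "$sample" || echo "static overrides of enrollment/update hosts found in $sample" >&2
```

On a running system the file to pass is `/etc/hosts`. An active `gdmf.apple.com` entry is worth flagging on its own, since later comments in this thread report that Software Update stops offering new versions while it is blocked.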

@esvillar

esvillar commented Jul 7, 2022

Hey team,

I have been struggling for the past 3 days trying to install macOS again on an MDM device. I bought it second hand and I was able to bypass it during installation with Big Sur, and Monterey but I updated to Ventura and got stuck. I don’t know how to downgrade and everything I tried from this thread does not work. Can anybody provide me with a more in person assistance please. My WhatsApp is 506 87185747. And my name is Esteban. Thanks in advance to all of you.

@chuanhhoang

chuanhhoang commented Jul 7, 2022

Hey team,

I have been struggling for the past 3 days trying to install macOS again on an MDM device. I bought it second hand and I was able to bypass it during installation with Big Sur, and Monterey but I updated to Ventura and got stuck. I don’t know how to downgrade and everything I tried from this thread does not work. Can anybody provide me with a more in person assistance please. My WhatsApp is 506 87185747. And my name is Esteban. Thanks in advance to all of you.

What problem do you have with Ventura? Could you please upload a screenshot?

@chuanhhoang

Method confirmed dead on Ventura. Now MDM lock works in a similar way to FMM lock. For all of you legally owning DEP enabled Macs, disabling Full Security is highly recommended so that when you accidentally wipe the mac, you will be able to always downgrade to a full installation of macOS <=12.x. For Macs shipped with Ventura from now on, be extra careful unless new ways of MDM bypass come out.

So just disabling network connection when installing Ventura will not help any more?

@chuanhhoang

Just to update on how to bypass MDM on Ventura:

  • Install Monterey and bypass MDM
  • Download Ventura and install it
  • When the computer restarts, disconnect your router and let the computer finish the installation.

@aabdyli

aabdyli commented Jul 8, 2022

Hello everyone,

I have installed the Monterey 12.3.1 but the 12.4 is not showing on the Software Update.
Has anyone of you had this problem?

@solis98

solis98 commented Jul 10, 2022

Hello everyone,

I have installed Monterey 12.3.1 but 12.4 is not showing in Software Update. Has any of you had this problem?

I didn't even know there was an update. I'm downloading it from the App Store because it doesn't appear from "Software Update".
Did one of you have a problem with the update? Does the notification reappear?

@daeta

daeta commented Jul 10, 2022 via email

@solis98

solis98 commented Jul 10, 2022

Once a month, I comment out the below line in /etc/hosts file then check for MacOS X Updates. Once the update starts to download, I remove the "#".

sudo vim /etc/hosts

# Comment out below for software update
0.0.0.0 gdmf.apple.com

Change to:
# 0.0.0.0 gdmf.apple.com

Save ":w"
Run software update and start process.

Change to:
0.0.0.0 gdmf.apple.com

Save and Quit ":wq"

This has been my "fix" for many months.


I don't know much about this. Could you tell me how to make that change? Where is that done from?

@aabdyli

aabdyli commented Jul 12, 2022

Once a month, I comment out the below line in /etc/hosts file then check for MacOS X Updates. Once the update starts to download, I remove the "#". Need to learn "vim" to use this.

sudo vim /etc/hosts

# Comment out below for software update
0.0.0.0 gdmf.apple.com

Change to:
# 0.0.0.0 gdmf.apple.com

Save ":w"
Run software update and start process.

Change to:
0.0.0.0 gdmf.apple.com

Save and Quit ":wq"

This has been my "fix" for many months.


Tried it and works! Thank you 💯

@Samiakaraeen

This works fine with me, the trick is to install a clean Catalina.
After it installs and when it restarts - YOU MUST NOT LET IT GO TO THE SCREEN WHERE IT ASKS YOU TO CHOOSE COUNTRY - YOU MUST GO TO RECOVERY MODE.
After you go to recovery mode, in the terminal the first command must be "mount -uw /" so as to be able to write to the hosts file.
After that and doing all the steps above, I can restart and go to the choose country screen and choose my computer is not connected to the internet and it goes smoothly. I installed Catalina and updated to the latest macOS.

@ClickClocks

ClickClocks commented Jul 20, 2022

I bought a brand new Mac Studio from a pawnshop. When I tried to set up and created a user I got the Remote Management message asking me for user name and password.

Then I found and followed the steps of this guide but by the time I did: "csrutil disable" I got a message about not admin privileges or something.

What I did was to do again a clean install of Monterey, after the second reboot unplug internet, create a new user etc. and now I was able to disable csrutil, add the hosts and then enable csrutil.

My question is: what will happen when Ventura is launched? Do I need to do similar steps or procedure to get this working?

When I tried to check the warranty information of this Mac it told me they didn't have information available and asked me to provide a purchase date. Now when I check again Warranty Coverage it shows the date I added there.

It seems this Mac Studio was a company Mac but never was activated (maybe I'm wrong). I'm on the line to return it and get my money back. It was a great deal though. Please advise.

@vladsolokha

I presume that you won’t need to do the steps for Ventura. But we won’t know until it comes out.

I would like to thank the original post. I did all the steps and it worked for my M1 MacBook Air 10,1. I bought from a guy who was selling it on Marketplace and it had remote management on it from a company that doesn’t exist anymore. Thanks for the help.

@JediRhymeTrix

2021 MacBook Pro 14 on Monterey 12.4 here. Blocking those domains in hosts did not seem to get rid of the notification. However, I tried one of the suggestions from the parent thread and I haven't seen the notification in the past 24 hours or so.

Here's the command I ran:

rm -r /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings

Now I'm not sure if this will allow me to install Ventura without any hiccups or if I'd still need to block internet access to the machine when it reboots.

@JediRhymeTrix

Is there a risk in installing minor updates like 12.4->12.5 if the device is not enrolled and only had the notification pop-up issue, which has been remedied by doing what I have mentioned above?

@Hr46ph

Hr46ph commented Aug 11, 2022

Is there a risk in installing minor updates like 12.4->12.5 if the device is not enrolled and only had the notification pop-up issue, which has been remedied by doing what I have mentioned above?

I have installed updates like that without a problem.

@shahbaazkyz

Hello I just bought a Used laptop from Market, after few days

Thanks a lot. You're a life saver.
This solution works on my MacBook Pro 2013 (late), macOS Catalina.

I tried to clean install macOS Catalina and got stuck on the Remote Management screen. Came up with using the above solution.

@JediRhymeTrix

Can confirm. This is the only solution that has worked on my 2021 MBP. If this also helps bypass the remote management screen during a fresh install, then i think there is a pretty good chance that this may allow major OS updates to be installed without any issues.

Would anyone be willing to test this with a Monterey -> Ventura upgrade?

@ethansawicki

ethansawicki commented Aug 15, 2022

I updated my 2019 MBP, no issue. Dunno if it's different on M series.

Edit: Don't bother updating. The notification came back even with /ConfigurationProfiles/Settings deleted.

@monktemplar

This procedure worked, but I just updated MacOS 12.5.1 on my MBP M1 and the address came back.
So, I deleted it again and now the message did not appear so far...

@ethansawicki

I’m wondering if it has to do with installing the beta profile? I tried to delete it again but got the file or directory not found. Unless I had a typo…

@monktemplar

monktemplar commented Aug 20, 2022

Well @ethansawicki , the same thing happened to me, when I tried the "rm" command, it didn't find it, but then I went directory by directory and deleted Settings, and it worked, I'm far from being a mac expert btw, so keep trying.

Btw, you should put the: "Macintosh\ HD\ -\ Data/" directory, in quotation marks.

@bryanwongxin

I follow the instructions and bypass MDM on Catalina and upgrade to Monterey successfully.
Right now I am upgrading to Ventura.
Hope it will work.

@JediRhymeTrix

I follow the instructions and bypass MDM on Catalina and upgrade to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Did you have to prevent the laptop from connecting to the internet at any point while upgrading?

@bryanwongxin

I follow the instructions and bypass MDM on Catalina and upgrade to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Did you have to prevent the laptop from connecting to the internet at any point while upgrading?

nope

@bryanwongxin

I follow the instructions and bypass MDM on Catalina and upgrade to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Upgrade to Ventura successfully!

@spiralz23

My MDM is disabled

I follow the instructions and bypass MDM on Catalina and upgrade to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Upgrade to Ventura successfully!

My MDM is disabled via the hosts file method, was able to update to 12.5.1 no issues using nano to edit out the Apple update block temporarily. How do you install Ventura? Just a straight install of the beta version as an upgrade or complete wipe?

thanks

@dengchao520

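The iRemove tool can be used to disable device management and remove the MDM enrollment profile on MacBook Pro and Air. You can download the software from https://iremove.tools/remove-device-management-on-macbook. The tool can bypass MDM on Mac computers powered by M1 and T2 chips.

Hello, will this be affected by the system upgrade?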

@bryanwongxin

My MDM is disabled

I followed the instructions, bypassed MDM on Catalina and upgraded to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Upgrade to Ventura successfully!

My MDM is disabled via the hosts file method, was able to update to 12.5.1 no issues using nano to edit out the Apple update block temporarily. How do you install Ventura? Just a straight install of the beta version as an upgrade or complete wipe?

thanks

Just upgrade from Monterey without internet connection

@spiralz23

My MDM is disabled

I followed the instructions, bypassed MDM on Catalina and upgraded to Monterey successfully. Right now I am upgrading to Ventura. Hope it will work.

Upgrade to Ventura successfully!

My MDM is disabled via the hosts file method, was able to update to 12.5.1 no issues using nano to edit out the Apple update block temporarily. How do you install Ventura? Just a straight install of the beta version as an upgrade or complete wipe?
thanks

Just upgrade from Monterey without internet connection

Ok, do I just upgrade and that's it? Or will I need to disable csrutil and reset the hosts file?

Thank you

@hammadilyes

Hi, quick question.

My terminal is showing Enrolled via: no and MDM: no but I keep receiving notifications saying that the previous company wants to enroll the computer on remote management.

Any idea how to this notification?

@Al-Tuna

Al-Tuna commented Aug 28, 2022

In the spirit of helping others get through all of the great information provided here, I have consolidated the information that I can confirm will allow you to upgrade from Big Sur to Monterey from a machine that already went through the process of disabling DEP and MDM. That is, this was an install over Big Sur to Monterey. I did this on a MacBook Pro 16 (2019) with T2 and so I used the steps outlined by mikecanvas (Nov 20, 2020) to change the setting in the Startup Security Utility settings.

Ok, you've successfully removed DEP and MDM from your Big Sur machine using the information in these threads and now want to install a MacOS update to Monterey. No one has posted a one-stop shop on how to do this, so here it is:

  1. Re-edit your hosts file to remove the block on gdmf.apple.com (usually just need to put a # sign at the beginning of the line)

  2. Go to Software update and begin the installation of Monterey. When the countdown begins for the first restart, turn off all wifi access. I just powered down my router.

  3. When the machine reboots for the second time, boot into recovery mode.

  4. Follow the steps 5-21 outlined by mikecanvas on Nov 20, 2020:

a. Click on Utilities (top menu bar) then select Terminal

b. type in: mount then click enter/return

A list of things will show up once you enter in (mount) in Terminal
Write down the disk associated with /Volumes/Macintosh HD
(mine was /dev/disk2s5)
Note: it's not "/", and it's not /Volumes/Macintosh HD - Data

c. Next, in Terminal, write: umount /Volumes/Macintosh\ HD

d. then: mkdir /Volumes/Macintosh\ HD

e. then: mount -t apfs -rw /dev/disk2s5 /Volumes/Macintosh\ HD

f. then: cd /Volumes/Macintosh\ HD/System/Library/LaunchAgents

g. then: rm com.apple.ManagedClientAgent.*

h. then: rm com.apple.mdmclient.*

i. then: cd ../LaunchDaemons

j. then: rm com.apple.ManagedClient.*

k. then: rm com.apple.mdmclient.*

l. then: csrutil authenticated-root disable (this will turn off Signed System Volume, SSV)

m. then edit the hosts file:

cd "/Volumes/Macintosh HD"
cd etc
echo "0.0.0.0 iprofiles.apple.com" >> hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
echo "0.0.0.0 gdmf.apple.com" >> hosts

n. then lastly: bless --folder /Volumes/Macintosh\ HD/System/Library/CoreServices/ --bootefi --create-snapshot

(this will save the current disk status in the boot snapshot. This is an important step; otherwise on reboot your machine will discard these changes and load the original blessed snapshot, which will re-enable DEP and MDM)

o. Now you can restart your Mac: type reboot

DEP/MDM notification is now disabled. You can check with the command in terminal:

profiles status -type enrollment

which should return something like:

Enrolled via DEP: No
MDM enrollment: No

One last step, which may not be necessary from a recent post by brunerd on May 12, 2022:

Boot into recovery mode one last time and use terminal to execute the command

rm -r /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings

reboot

I believe you'll need to do this anytime there is a MacOS update you want to install, even a minor one like 12.5 -> 12.5.1, etc.
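
Added example (not part of this comment, the thread, or the gist): seen from the side of whoever owns or inspects the machine, the hosts entries listed above are a tamper indicator that can be checked for, for example during intake of a returned or second-hand Mac. This Python check parses hosts-file text and reports lines that sinkhole, redirect, or carry a commented-out block for those four Apple hostnames; the function names, state labels and sample file are constructed for illustration.

```python
"""Audit hosts-file text for entries that cut a Mac off from Apple enrollment."""
import ipaddress
import sys

# Hostnames named in the thread's hosts-file edits.
ENROLLMENT_HOSTS = frozenset({
    "iprofiles.apple.com",
    "mdmenrollment.apple.com",
    "deviceenrollment.apple.com",
    "gdmf.apple.com",
})

# Constructed sample: a stock-looking hosts file carrying the thread's entries,
# one of them commented out as in the "re-edit your hosts file" step.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
#0.0.0.0 gdmf.apple.com
127.0.0.1 build.example.internal  # unrelated entry
"""


def _parse_ip(token):
    """Return an ip_address object for token, or None if it is not an address."""
    try:
        # Drop an IPv6 zone id such as "%lo0" before parsing.
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None


def audit_hosts(text):
    """Return (line_number, hostname, address, state) for each suspicious entry.

    state is "sinkholed" (unspecified or loopback address), "redirected"
    (any other address), or "disabled" (the entry is commented out, which
    still shows the file was edited at some point).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        commented = line.startswith("#")
        if commented:
            line = line.lstrip("#").strip()
        line = line.split("#", 1)[0]  # drop a trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue
        ip = _parse_ip(fields[0])
        if ip is None:
            continue  # ordinary comment text, not a hosts entry
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host not in ENROLLMENT_HOSTS:
                continue
            if commented:
                state = "disabled"
            elif ip.is_unspecified or ip.is_loopback:
                state = "sinkholed"
            else:
                state = "redirected"
            findings.append((lineno, host, fields[0], state))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for lineno, host, addr, state in audit_hosts(content):
        print(f"line {lineno}: {host} -> {addr} ({state})")
```

Any finding means the file was edited by hand, since a stock hosts file has no entries for these names; a clean result says nothing about the other changes described in this thread.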

@Kayull

Kayull commented Sep 1, 2022

Does anyone know if there is a way to remove remote management from a 2019 iMac but keep all the data as is?

We were upgrading to Monterey at work since our software is compatible now but forgot a few were 2019 ex-remote managed.

Cheers

@vicovictor

vicovictor commented Sep 7, 2022

Just wanted to give some feedback for my MBA M1, on which I installed Monterey. Here are the modified steps I followed.

With full reinstall (recommended)

a. Boot into recovery. During reboot, wipe the hard drive using Disk Utility, and select reinstall macOS.

b. Initial installation will run for approximately 1 hour, and reboot. As it is rebooting, turn off Wifi router.

c. It will then show Mac setup screen to choose country. Go through the setup and boot into Mac OS, because you need to set up a user to run the commands in Main Procedure.

d. Boot into recovery mode. Follow Main Procedure. After that, turn on your WiFi router and reboot normally.

While running the commands on Main Procedure, you would need to enter the password of the user you created earlier.

When running the command $ csrutil enable, you will be asked to connect to the internet. At this point, turn on your Wifi router and connect to the internet and run the command again to enable csrutil.

Reboot normally. Done.

@2ndMessiah

Made a fresh setup yesterday on my MBP 14, mainly based on the OP's main thread.

There's one point which should be noted, which is not mentioned here at all: when doing 'csrutil enable', it might ask for internet access. No worry, just turn on your wifi then; mdm lock won't be around under the recovery stage, so you're totally fine.

Another little tip. There's actually no suggestion of "system will be rebooting in x sec" during the reinstalling stage. So when it suggests that "the remaining time: 1min", the installer actually has completed downloading the macOS contents. So you can safely turn off your router in order to evade any risks in the "first-setup" screen and make a completely offline environment until you make it into the desktop.

@Sailas2k6

Does anyone know if Ventura beta 7 is safe to use on M1 MBP?
I've had the beta 4 installed, got spooked by the new remote management on Ventura and went back to Monterey.
My fingers are tempted to install the beta 7 but I want to know if there is a way to bypass the setup screen if anything goes wrong.
I still have a good USB stick with Monterey on it just in case.

@chuanhhoang

Does anyone know if Ventura beta 7 is safe to use on M1 MBP? I've had the beta 4 installed, got spooked by the new remote management on Ventura and went back to Monterey. My fingers are tempted to install the beta 7 but I want to know if there is a way to bypass the setup screen if anything goes wrong. I still have a good USB stick with Monterey on it just in case.

What happened when you installed Ventura beta 4?

@Sailas2k6

Nothing. All went smooth.

I was afraid of the new Remote Screen that doesn’t allow you to bypass it as in Monterey by just disabling WiFi.

@jmbenedetto

Hi. I have macOS Monterey 12.5.1.

I could not access etc file from the Recovery Mode terminal, so I made some adjustments to the original algorithm. The major difference is that I do the changes in the hosts file in normal mode.

  1. Reboot to Recovery Mode by holding command-R during restart

  2. Open Utilities → Terminal and type

$ csrutil disable
$ reboot
  3. After rebooting in normal mode, open Terminal, and type

$ cd "/etc"
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

  4. Reboot to Recovery Mode by holding command-R during restart and type

$ csrutil enable
$ reboot

  5. After rebooting in normal mode, open Terminal and type the code below to verify the DEP status

$ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

@spiralz23

12.6 update is out, anyone updated yet?

@Sailas2k6

Not 12.6 but I'm on Ventura beta 7. All good for now, no popups.
Keeping a fresh copy of Monterey close, just in case.

For now all is fine, I'm still afraid if I have to erase the ssd for some unholy reason.

@Locke-bot

Thank you all for this wealth of information, I bought a supposedly brand new sealed mbp M1.

Can someone please tell me if my computer can be taken over through DEP?

I have been able to stop the notifications by editing the hosts file.

@Sailas2k6

Thank you all for this wealth of information, I bought a supposedly brand new sealed mbp M1.

Can someone please tell me if my computer can be taken over through DEP?

I have been able to stop the notifications by editing the hosts file.

If you don't install the profile there is nothing that the company can do. So you are safe as long as you don't have any profiles installed.
But if you know that the Mac is stolen, send it back and get your money back from the seller.

@monktemplar

In addition to the whole process, try deleting or renaming the Profiles directory. It worked perfectly for me.

@greyxox

greyxox commented Sep 21, 2022

Hi, from what I’ve read here it seems it’s okay to upgrade to Ventura from an mdm bypassed m1 air on Monterey but I’m anxious about doing it. Can anyone pls outline the steps so I don’t end up with an expensive paperweight? I’m currently running 12.2 or so and don’t want to mess it up

@3xC1ibR

3xC1ibR commented Oct 5, 2022

Hi, thanks to all for the post and comments. This solution allowed me to bypass enrollment during the setup. However, I did receive a notification saying "XXXX wants you to enroll in management". I was able to hit Cancel.

So far, I haven't had any other issues but I want to understand the implications of that notification? Does anyone know if this means the device can still be tracked/enrolled automatically?

Here's the output of this command.
❯ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

@stavell

stavell commented Oct 6, 2022

Yup, I'm in the same situation with same enrolment output in the terminal.

Bought a brand new sealed 14" MBP from the Market and I'm having this notification.
Only if there was a way to validate the serial number before buying it...

Someone up in the thread said they (the company) can't do anything if the profile isn't installed but this is Apple after all...
Afraid to turn on "Find my Mac" too.

Kind of looking for assurance that we can use our devices in full with the aforementioned bypass procedures.

Does anyone know what this tool does? https://iremove.tools/remove-device-management-on-macbook
Is it doing something different or it is just automating the knowledge collected in this thread?

Hi, thanks to all for the post and comments. This solution allowed me to bypass enrolment during the setup. However, I did receive a notification saying "XXXX wants you to enroll in management". I was able to hit Cancel.

So far, I haven't had any other issues but I want to understand the implications of that notification? Does anyone know if this means the device can still be tracked/enrolled automatically?

Here's the output of this command.
❯ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

@Locke-bot

Yup, I'm in the same situation with same enrolment output in the terminal.

Bought a brand new sealed 14" MBP from the Market and I'm having this notification. Only if there was a way to validate the serial number before buying it...

Someone up in the thread said they (the company) can't do anything if the profile isn't installed but this is Apple after all... Afraid to turn on "Find my Mac" too.

Kind of looking for assurance that we can use our devices in full with the aforementioned bypass procedures.

Does anyone know what this tool does? https://iremove.tools/remove-device-management-on-macbook Is it doing something different or it is just automating the knowledge collected in this thread?

Hi, thanks to all for the post and comments. This solution allowed me to bypass enrolment during the setup. However, I did receive a notification saying "XXXX wants you to enroll in management". I was able to hit Cancel.
So far, I haven't had any other issues but I want to understand the implications of that notification? Does anyone know if this means the device can still be tracked/enrolled automatically?
Here's the output of this command.
❯ profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

Me too! Brand new and sealed.

@kuzeko

kuzeko commented Oct 7, 2022

M1 14' here, erasing the device (recommended in the original instructions) was a mistake on my side!

@ncortines

In the spirit of helping others get through all of the great information provided here, I have consolidated the information that I can confirm will allow you to upgrade from Big Sur to Monterey from a machine that already went through the process of disabling DEP and MDM. That is, this was an install over Big Sur to Monterey. I did this on a MacBook Pro 16 (2019) with T2 and so I used the steps outlined by mikecanvas (Nov 20, 2020) to change the setting in the Startup Security Utility settings.

Ok, you've successfully removed DEP and MDM from your Big Sur machine using the information in these threads and now want to install a MacOS update to Monterey. No one has posted a one-stop shop on how to do this, so here it is:

  1. Re-edit your hosts file to remove the block on gdmf.apple.com (usually just need to put a # sign at the beginning of the line)
  2. Go to Software update and begin the installation of Monterey. When the countdown begins for the first restart, turn off all wifi access. I just powered down my router.
  3. When the machine reboots for the second time, boot into recovery mode.
  4. Follow the steps 5-21 outlined by mikecanvas on Nov 20, 2020:

a. Click on Utilities (top menu bar) then select Terminal

b. type in: mount then click enter/return

A list of things will show up once you enter in (mount) in Terminal
Write down the disk associated with /Volumes/Macintosh HD
(mine was /dev/disk2s5)
Note: it's not "/", and it's not /Volumes/Macintosh HD - Data

c. Next, in Terminal, write: umount /Volumes/Macintosh\ HD

d. then: mkdir /Volumes/Macintosh\ HD

e. then: mount -t apfs -rw /dev/disk2s5 /Volumes/Macintosh\ HD

f. then: cd /Volumes/Macintosh\ HD/System/Library/LaunchAgents

g. then: rm com.apple.ManagedClientAgent.*

h. then: rm com.apple.mdmclient.*

i. then: cd ../LaunchDaemons

j. then: rm com.apple.ManagedClient.*

k. then: rm com.apple.mdmclient.*

l. then: csrutil authenticated-root disable (this will turn off Signed System Volume, SSV)

m. then edit the hosts file:

cd "/Volumes/Macintosh HD"
cd etc
echo "0.0.0.0 iprofiles.apple.com" >> hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
echo "0.0.0.0 gdmf.apple.com" >> hosts

n. then lastly: bless --folder /Volumes/Macintosh\ HD/System/Library/CoreServices/ --bootefi --create-snapshot

(this will save the current disk status in the boot snapshot. This is an important step; otherwise on reboot your machine will discard these changes and load the original blessed snapshot, which will re-enable DEP and MDM)

o. Now you can restart your Mac: type reboot

DEP/MDM notification is now disabled. You can check with the command in terminal:

profiles status -type enrollment

which should return something like:

Enrolled via DEP: No
MDM enrollment: No

One last step, which may not be necessary from a recent post by brunerd on May 12, 2022:

Boot into recovery mode one last time and use terminal to execute the command

rm -r /Volumes/Macintosh\ HD\ -\ Data/private/var/db/ConfigurationProfiles/Settings

reboot

I believe you'll need to do this anytime there is a MacOS update you want to install, even a minor one like 12.5 -> 12.5.1, etc.

Why do you need to unblock gdmf.apple.com during the system upgrade? Is it really required?

Also, I would suggest anyone upgrading to create a new system volume, clone the current to it using Carbon Copy Cloner (or similar), rebooting to the cloned system and upgrading from it. In case it fails, you can go back to the original one, destroy and create a new test system, and then try again.

@rigozalli

Hey all, I just have a simple question, as I have done macOS updates before and I remember updating from 11 to 12 without applying any changes whatsoever, just a normal update through settings. So are these steps required for the update to macOS 13, or would it be safe to just apply the update as normal!?
Thanks in advance 😊😊

@crazyberry7

crazyberry7 commented Oct 22, 2022

According to this link, MacOS Ventura will require internet connection to complete Setup Assistant on fresh wipes. Does this mean all M1 MDM devices essentially should not be upgraded past Monterey or else they can't be wiped?

cc: @ncortines @jmbenedetto @Sailas2k6 @Al-Tuna @bryanwongxin @secured2k @depmac

@secured2k

This behavior is activation lock and has not changed since T2 and newer chips. The change in Ventura is now MDM enrollment may also persist through wipes (probably via a firmware/Secure Enclave level parameter) and present a similar behavior. I do not have a newer Mac device to test but this seems easy enough to reproduce for anyone that has a newer M-based Mac and wants to use their own MDM solution to test the behavior.
For now a workaround would be to use an earlier MacOS for initial install and then upgrade after any network level changes are completed. Once Apple starts releasing Ventura as the base supported OS (such as devices with M2 Pro and beyond) this option will not be available.

@spiralz23

This behavior is activation lock and has not changed since T2 and newer chips. The change in Ventura is now MDM enrollment may also persist through wipes (probably via a firmware/Secure Enclave level parameter) and present a similar behavior. I do not have a newer Mac device to test but this seems easy enough to reproduce for anyone that has a newer M-based Mac and wants to use their own MDM solution to test the behavior. For now a workaround would be to use an earlier MacOS for initial install and then upgrade after any network level changes are completed. Once Apple starts releasing Ventura as the base supported OS (such as devices with M2 Pro and beyond) this option will not be available.

Thanks for this. For those that don't have the knowledge / understanding of yourself, does this mean that those of us who are on M1 Macs with Monterey and have bypassed enrollment using the guide / hosts file method can install Ventura as an upgrade, but if we wipe we will need a copy of Monterey to do this and then upgrade from that? In other words, Monterey to Ventura should be ok via upgrade but not as a fresh install? Thanks in advance.

@secured2k

From past experience, yes. However I do not have an M1 or newer system to test for sure. The logic behind this reasoning is setup assistant only runs the MDM processes on fresh installs. I have a pre-T chip Mac that has been upgraded to Ventura with no issues because the MDM was never able to be applied to the system and the upgrade process just returns you to user login instead of setup assistant.

@spiralz23

Makes sense, thanks

@crazyberry7

crazyberry7 commented Oct 22, 2022

Thanks @secured2k, just a few follow-ups:

This behavior is activation lock and has not changed since T2 and newer chips.

The reasoning I've read for why Apple continues to allow users to bypass connecting to the internet during Setup Assistant is for security reasons - to allow air-gapping one's MBP.

On this topic:

  1. Do you expect Setup Assistant to not be retroactively patched (on Monterey and earlier versions) to force users to connect to the internet?

The change in Ventura is now MDM enrollment may also persist through wipes (probably via a firmware/Secure Enclave level parameter) and present a similar behavior

For devices that ship with Ventura, would it be possible to:

  1. Perform an earlier MacOS install on them (e.g. Monterey)
  2. Then, wipe the device, thereby bypassing MDM

@secured2k

It is unlikely for the security reason of air gap. The security is to prevent lost/stolen assets.

If a fresh system is installed, you do not need an internet connection. However, once someone (with internet) signs into Apple iCloud services and enables Find My or the device is registered under an MDM policy, then the option to lock down the use of the machine if lost/stolen is enabled. Legitimate owners can easily disable this remotely or perform the unlock initially during setup if the device really had to be wiped.

In earlier firmware/OS’s, activation lock/Find My (T2 and newer) happened at firmware level and would prevent installing a fresh OS. While I haven’t witnessed it, the Ventura change is reported to also move MDM enablement to that firmware level check. The computers act more like the iOS devices now and if internet is not available, you need to “activate” the new/wiped Mac via USB or other network connection. This check would probably just compare the serial number to find my or MDM enrollment.

Retroactive changes - while Apple could, they have not made these kinds of changes in the past and I would not expect them to start doing that now. Instead they make a change with new hardware and do not allow downgrades beyond a certain supported model. I would expect the M2 Pro/Ultra and beyond devices to require Ventura or newer.

However T2/M1/M2 containing a “BridgeOS” could mean Apple could continue to prevent downgrades, meaning once a newer M1/M2 Mac is upgraded they could prevent downgrades to Monterey, even if that OS is originally supported. I am not sure if a newer firmware restore will allow for an older supported OS; I would assume it should but again it is up to Apple.

I do not have a system to test - most of my knowledge comes from testing and observing the results as well as knowing the theoretical possibilities in technology. Since Apple is the manufacturer, they really could write code to enable or force whatever features/options they want. In older technology, we bypass this by going lower and lower in the system (changing files/data on storage/network), but now Apple is using their chips to cryptographically verify their core code/storage/network communication is secure, so it is increasingly difficult (beyond most normal users) to bypass the system.

@crazyberry7

crazyberry7 commented Oct 22, 2022

Basically T2/M1/M2 MBPs with MDM could be bricked in the future, albeit unlikely, at Apple's discretion? Bricked meaning no fresh wipes allowed. Or in the more traditional sense also.

@chozhall1

chozhall1 commented Oct 23, 2022 via email

@JediRhymeTrix

What about devices which were part of MDM but were never enrolled (DEP notification case)?

@secured2k

You can always wipe a Mac of user storage but Apple's firmware can be set to block downgrades (when they stop signing the code, just like iOS). This means they could make it so a wipe means the current version OS is loaded.

Chozhall1 - usually non-internet recovery is dependent on the recovery partition on the local storage device. If this is not working, missing, corrupted, etc., you would experience the issue described. Either complete the internet recovery or on another machine, create a MacOS installer USB to use.

JediRhymeTrix - it depends. It is said Ventura checks for MDM on fresh installs. If this is the case, then MDM enrollment will happen if the system has a working internet connection. If it was never locked, then I assume an offline install would continue to work.

@stavell

stavell commented Oct 23, 2022

Is it safe to enable "Find my mac" on M1 device with MDM which was not enrolled and has the DEP check bypassed with the instructions in this thread?

@chozhall1

chozhall1 commented Oct 23, 2022 via email

@secured2k

Stavell- Yes. Most of the discussion is about bypassing security when you don’t have access. If you maintain access to your Apple ID, find my Mac is not a barrier because you could just sign in or remove the device from your account from another device.

Chozhall1 - your issue probably needs standard IT help. If the data is backed up or not important, I would recommend completing the full diagnostics and repairing whatever fails, then installing firmware via DFU and reinstalling via internet recovery or USB key. Google to Apple's official help pages, which explain how to do each of these tasks.

@crazyberry7

crazyberry7 commented Oct 23, 2022

@secured2k

You can always wipe a Mac of user storage but Apple's firmware can be set to block downgrades (when they stop signing the code, just like iOS). This means they could make it so a wipe means the current version OS is loaded.

Yes, but if Apple blocks downgrades to Monterey, thus forcing users to go through MDM setup on Ventura, then that would be bricking many MBPs.

@secured2k

The only systems bricked are the ones that are lost/stolen - likely from a business since that is the common target MDM audience. Overall this is a super small fraction of systems that would be affected - usually from someone buying from an auction/shady source instead of an authorized dealer. I advise those who got taken advantage of to ensure they have a tech guy check it out and use payment protection methods (buyer protection, credit card benefits) to file claims or get funds back if the device is not legitimate.

I have locked devices that are wiped and unlocked easily because we have proper access or proof of ownership. This is nothing new when compared to activation lock on iPhones for many years now. Hopefully this will deter illegal activity, but what people have switched to doing is scalping parts for $ to launder the stolen device.

@spiralz23

Hello dears! I also have an MBP 16Gb ram M1 MDM and Monterey 12.5 I would like to update to Ventura or at least 12.6.1. Do you think it won't start again?

If it is MDM bypassed by the hosts file method then you should be ok to update: edit the hosts file to allow gdmf.apple.com access to the internet, click check updates and let it update, go back into the hosts file, block gdmf.apple.com again and you're done.

As for Ventura (non-beta), no one really knows yet.

@Sailas2k6

You can upgrade to Ventura with no problem, but ... you might have issues if you need to wipe the device.

The only solution when you have to completely wipe the device is to downgrade to Monterey, bypass MDM screen and update again to Ventura.

How can you tell if the device is reported as stolen or lost? In that case macOS will ask you for user and pass at activation screen.
I think you are OK, if you never installed any profiles from the company.

I managed to downgrade from Ventura beta 3 to Monterey with no issues and I want to wipe the SSD to do a fresh install only to see how the Mac reacts at the new MDM screen; if I cannot bypass it I will have to downgrade again to Monterey.

@Locke-bot

I upgraded to Ventura today with no issues. I previously received profile enrollment notifications, bypassed that on Monterey by updating hosts file.
I would like to know, please: say there is any issue, how can I downgrade back to Monterey? Is it a straightforward process?

@spiralz23

It seems Ventura is out for normal release. Anyone tried the update to it?

I'm guessing the update route is safe but the Wipe scenario is possibly not?

@Locke-bot

Also, this seems to be the official release of Ventura, not beta.

@spiralz23

I upgraded to Ventura today with no issues. I previously received profile enrollment notifications, bypassed that on Monterey by updating hosts file. I would like to know, please: say there is any issue, how can I downgrade back to Monterey? Is it a straightforward process?

Thanks for letting us know, brave move :-) As for downgrade, wouldn't know; guess we'll only find out if someone has to do a full wipe.

@Sailas2k6

How to check if Activation Lock is enabled: System Information - Hardware - Activation Lock Status: Disabled

If Activation Lock Status is Enabled ... you are in a pickle.

@Aleks4o

Aleks4o commented Oct 25, 2022

I upgraded to Ventura today with no issues. I previously received profile enrollment notifications, bypassed that on Monterey by updating hosts file. I would like to know, please: say there is any issue, how can I downgrade back to Monterey? Is it a straightforward process?

Thanks for letting us know, brave move :-) As for downgrade, wouldn't know; guess we'll only find out if someone has to do a full wipe.

I think you have to create a bootable USB with Monterey and install it through the recovery menu; after that you can bypass and update to Ventura

@Aleks4o

Aleks4o commented Oct 25, 2022

I tried creating a new volume on my Mac and I can confirm that Ventura REQUIRES you to have internet connection to finish the setup. Which means that you cannot bypass MDM in Ventura and you need to downgrade to Monterey to bypass and then update

@Sailas2k6

It is hard to know now what it is about. Is it possible to ever remove the MDM from the computer? May he be eliminated forever.

Without changing the serial number of the device it is not possible. I haven't found anyone who can do that. And it's hardware based; it cannot be done by software.

@spiralz23

I tried creating a new volume on my mac and I can confirm that Ventura REQUIRES you to have internet connection to finish the setup. Which means that you cannot bypass MDM in Ventura and you need to downgrade to Monterey

Thanks ordered USB C Drive just to set this up first to be safe

@Aleks4o

Aleks4o commented Oct 25, 2022

I tried creating a new volume on my mac and I can confirm that Ventura REQUIRES you to have internet connection to finish the setup. Which means that you cannot bypass MDM in Ventura and you need to downgrade to Monterey

Thanks ordered USB C Drive just to set this up first to be safe

Btw I am yet to update my main volume to Ventura but if everyone says it works I will do it when I am back home

@spiralz23

So as a user says above. Ventura doesn't work. Forever Monterey. That's cool with that. 2-3 years

Ventura does work it just means you can't do a full wipe setup with ventura, upgrade to ventura is ok apparently. I'm doing it as soon as I make monterey back up usb

@spiralz23

I upgraded to Ventura today with no issues, I prior received profile enrollment notifications, bypassed that on Monterey by updating hosts file. I will like to know please, say there is any issue, how can I downgrade back to Monterey, is it a straightforward process?

It's already been done see above post ? He's just upgraded from monterey to ventura as stated earlier.

@chuanhhoang

It works buddy. No issue. You just need to upgrade from Monterey. Fresh installation would not work.

@henrik242
Author

Whoever succeeds first can tell us here if it works

It looks like @bryanwongxin upgraded to Ventura in august without issues.

@secured2k

Summary: For now the concern is only for M-based Macs that need to be wiped with a fresh install of Ventura. It is not known/confirmed if the Ventura policy applies to new systems or systems already MDM enrolled/flagged. Upgrades and older Chip systems are not an issue. Currently, downgrades to Monterey, applying “fixes”, and upgrading to Ventura works, but could change in the future.

I have provided many answers and technical details already and am no longer following this thread and posts/replies. If there are any updates or changes that are relevant, I follow the original post where I provided many answers and update steps that have been copied and reposted many times. https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac

More details:
The official documentation says internet access is mandatory for organization enrolled (MDM) Macs in Ventura. This is not clear if this applies to non-managed devices that were not previously enrolled.

https://support.apple.com/en-us/HT213327

Also for those planning on potentially downgrading newer M-based Macs - Apple does firmware updates with their OS which they CAN stop signing/authorizing old versions after time has passed. If Apple stops signing older firmware, the system cannot be downgraded (like iOS) and this can POTENTIALLY block downgrades to older OS’s. So those trying to use DFU, the wiping device must have internet access to send the DFU device’s ID so Apple’s servers can sign the update so it only works with that device. This process allows Apple to POTENTIALLY keep MDM enrollment through DFU restores. Now I have heard Apple has not stopped signing old firmwares for Macs, but it COULD happen.
In the Apple Setup -security policy - full security only allows the latest OS/firmware install while reduced will allow older signed OS’s to install. As stated earlier, you cannot downgrade beyond the shipping version. So any Macs that ship with Ventura cannot be downgraded to Monterey. This will likely be newer M2 devices.

@rigozalli

i was rechecking my laptop for mdm and it shows up like this, does this mean it has mdm enrollment or not
image

@JediRhymeTrix

Does upgrading to Ventura require disconnecting from the internet while the system reboots?

@chozhall1

chozhall1 commented Oct 25, 2022 via email

@msarmadahsan

Just made a Mac Ventura VM (Mac Guest on Windows Host) to test out Serial Numbers enrolled in MDM.
As per my testing, Ventura setup can be continued on a VM with Mac Serial number enrolled in DEP, provided internet is either filtered or disconnected.
If internet isn't disconnected then Remote Management Screen does come.
image
This was setup bypassed, and now after hosts file edit it can be bypassed again

PS: got sample numbers from eBay listing of MDM MacBooks being sold for parts.

@inkstatim

Hi, half a year ago I installed Monterey 12.4 (MBA m1 MDM)

My terminal is showing Enrolled via: no and MDM: no , but I keep receiving notifications saying that the previous company wants to enroll the computer on remote management.

  1. Will there be any problems if I upgrade to Ventura?
  2. Is it true that you can't install pirated software on Venturа?

@msarmadahsan

Hi, half a year ago I installed Monterey 12.4 (MBA m1 MDM)

My terminal is showing Enrolled via: no and MDM: no , but I keep receiving notifications saying that the previous company wants to enroll the computer on remote management.

  1. Will there be any problems if I upgrade to Ventura?
  2. Is it true that you can't install pirated software on Venturа?

  1. Upgrading to Ventura has 0 problems for DEP Notification machine.
  2. No it isn't true

@Sailas2k6

So … this morning i had the courage to erase my MBP M1.

I erased the ssd and proceed to reinstall Ventura but … i got this instead.

image

@marbaquero

this would seem logical, re-install Monterrey, then update to Ventura, have you tried this?

@liniaunu

MBP 13 2018 MDM

Installed MacOS Ventura from Monterey. The laptop had been MDM bypassed by the host file method on Monterey with no profiles installed.

what I did : downloaded the update and just before(seconds) it reboots for the first time (after the MacOS had downloaded) I turned off the wi-fi. Update finished just like normal without any log on to Apple servers.

@marbaquero

good to hear!

@spiralz23

Just to confirm I'm using MBP 14 2021 M1 (MDM Bypassed in Hosts File), Just accepted the update to ventura updated / rebooted 3/4 times then i'm on ventura.

No Issues at all no DEP no MDM no pop ups all good so far.......

I did make a MacOs monterey bootable usb first just in case :-)

@Sailas2k6

this would seem logical, re-install Monterrey, then update to Ventura, have you tried this?

I tried to display the new mdm screen in Ventura and to bypass it via the old method with no internet but i got the Monterey recovery after i delete the ssd partition. Curiously the first time i booted in recovery mode it said Reinstall Mac Os Ventura and after i wiped the ssd it changed to Monterey.

@Sailas2k6

Just updated from fresh Monterey install to Ventura with no issues , no mdm screen. followed the procedure in the first post before update to turn off the mdm notifications.

@2ndMessiah

2ndMessiah commented Oct 28, 2022 via email

@Sailas2k6

Yeah, I know. My guess is that after the ssd erase the Monterey recovery come up because I updated to Ventura from beta and it didn't install the recovery partition correctly. I just finished up all my apps and settings in the "new" os and I don't have time to try this again today. My guess is that all Macs that have been shipped with Monterey and lower OS can always downgrade to that os version. If this is the case there will always be an option to bypass the mdm screen if you can downgrade. The new Macs that will come with Ventura will never get that option unless a new bypass method appears.

@msarmadahsan

So is it now confirmed that Update is possible but Fresh Ventura Install isn't possible?
But I have managed to test it on Virtual machine, mdm bypass is the same as on Monterey.
Anyone else has success on that?

@odysseus90210

M1 macs work like iPhones in that you can literally do a DFU install via Configurator and another Mac. I think that allows downgrading to any OS for which you have the ips file.

@Sailas2k6

So … again i erased my mac because my thoughts were that because of beta profile my recovery partition was stuck at Monterey. On Friday i erased my m1 mac pro, reinstalled Monterey os and updated to Ventura, but now after i erased my ssd again so i can install Ventura from recovery my mac has once again reinstalled Monterey. I don't know if is an error on the recovery partition or the mac simply installs the first os that he came with.

@JoseDev25

JoseDev25 commented Oct 31, 2022

So … again i erased my mac because my thoughts were that because of beta profile my recovery partition was stuck at Monterey. On Friday i erased my m1 mac pro, reinstalled Monterey os and updated to Ventura, but now after i erased my ssd again so i can install Ventura from recovery my mac has once again reinstalled Monterey. I don't know if is an error on the recovery partition or the mac simply installs the first os that he came with.

I'm thinking that this is happening since this is the first official release of Ventura, in the case people upgrading from Monterey to Ventura encounter any issues, they could just rollback to Monterey.

So I'm guessing that in the future when Ventura has a much more stable build, then Apple would make it the default option when reinstalling the OS

@vykut

vykut commented Oct 31, 2022

When I tried to reinstall macOS Monterey, I got an error saying that I cannot reinstall it without internet access.
I ended up connecting to my wifi and did all the steps as in the gist.

Now when I run profiles status -type enrollment, I'm getting this output:
Screenshot 2022-10-31 at 16 57 00
which seems correct, but I'm still seeing the DEP notification every couple of hours or so.

What can I do at this point to get rid of this annoying notification?

Note: I have an M1 Pro Macbook Pro

@91qdr

91qdr commented Oct 31, 2022

When I tried to reinstall macOS Monterey, I got an error saying that I cannot reinstall it without internet access. I ended up connecting to my wifi and did all the steps as in the gist.

Now when I run profiles status -type enrollment, I'm getting this output: Screenshot 2022-10-31 at 16 57 00 which seems correct, but I'm still seeing the DEP notification every couple of hours or so.

What can I do at this point to get rid of this annoying notification?

Note: I have an M1 Pro Macbook Pro

Try this:
https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=3975678#gistcomment-3975678

@mahmednav

Is it possible to permanently wipe MDM from a Macbook M1 pro? If i wipe it and create id without connecting to internet, it works. But I want to sell my macbook and when it is wiped again and connected with internet while creating a profile, it again show the remote management screen. Can it be wiped forever?

@ink-splatters

M1 macs work like iPhones in that you can literally do a DFU install via Configurator and another Mac. I think that allows downgrading to any OS for which you have the ips file.

That's correct for M1 Air 2020 series, but AFAIK starting from M1 MBPs there is signing window enforced (much longer than for iOS of course)

@ink-splatters

ink-splatters commented Nov 2, 2022

Is it possible to permanently wipe MDM from a Macbook M1 pro? If i wipe it and create id without connecting to internet, it works. But I want to sell my macbook and when it is wiped again and connected with internet while creating a profile, it again show the remote management screen. Can it be wiped forever?

The MDM data is permanently wiped each time. It's just the enrollment being enforced also each time the system is installed :) Thus, the practical answer is "NO" unless you are able to request Mac Serial removal from MDM admin of concern. You might also want to hack Apple :) Btw, that's not something impossible per-se (and been shown e.g. a guy one day posted the very trivial way of wiping CloudKit data of other users), but I guess they hire the best of the best to secure their mission critical services.

There is a way of spoofing Mac Serial with OpenCore + some Lilu plugin. And that's crucial for some Hackintoshes to work on older Intel platforms. Would work with minimal effort, on Intel Mac, but that's not the state for sale, I would say :) Unless you would want doing custom installation media with appropriate patches; practically it provides very limited advantages over /etc/hosts method. But if a buyer would be comfortable with performing the steps you would have documented, why not :)

If really interested, look into what Dortania guys do in their OCLP.

It might also work on M1/M2 in theory, but due to different device trees, it's likely Lilu and related plugin won't work OOB and would need patching. Then you'd need to ensure it's buildable for Apple Silicon, and finally rebuild kernelcache / setting it as custom boot object, in permissive security mode).

That's solely for fun. Anti-sale variant :)

@psolom

psolom commented Nov 2, 2022

When I tried to reinstall macOS Monterey, I got an error saying that I cannot reinstall it without internet access. I ended up connecting to my wifi and did all the steps as in the gist.

Now when I run profiles status -type enrollment, I'm getting this output: Screenshot 2022-10-31 at 16 57 00 which seems correct, but I'm still seeing the DEP notification every couple of hours or so.

What can I do at this point to get rid of this annoying notification?

Note: I have an M1 Pro Macbook Pro

I followed the exact same steps and now I have the same issue.
Could it really be because wifi was ON ?

Is this the only solution to completely wipe the disk and redo the steps?
I'd like to avoid this in any possible way because it'll steal another day for system setup

@Sailas2k6

When I tried to reinstall macOS Monterey, I got an error saying that I cannot reinstall it without internet access. I ended up connecting to my wifi and did all the steps as in the gist.
Now when I run profiles status -type enrollment, I'm getting this output: Screenshot 2022-10-31 at 16 57 00 which seems correct, but I'm still seeing the DEP notification every couple of hours or so.
What can I do at this point to get rid of this annoying notification?
Note: I have an M1 Pro Macbook Pro

I followed the exact same steps and now I have the same issue. Could it really be because wifi was ON ?

Is this the only solution to completely wipe the disk and redo the steps? I'd like to avoid this in any possible way because it'll steal another day for system setup

Try adding albert.apple.com and acmdm.apple.com to your hosts file.

@psolom

psolom commented Nov 3, 2022

Try adding albert.apple.com and acmdm.apple.com to your hosts file.

Thanks for the tip
I added those yesterday, but the notification appears today again, unfortunately

@Sailas2k6

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

@2ndMessiah

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

Thx for sharing. Albert.apple.com / acmdm.apple.com are the ones missing in my list. I got gdmf.apple.com instead according to the OP thread. But I haven't encountered any problems so far too :)

@ink-splatters

ink-splatters commented Nov 3, 2022

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

I don't recall the reasons to actually disable SIP for MDM bypass discussed here. And though I might be wrong, it's not obvious.

Is't true that with the SIP on, macOS stops giving up on timeouts, in the middle of operations crucial to Apple's opinionated look on the system consistency thus improving the security, effectively considering multi-step operations transactional. Thus, some things can block indefinitely, causing deadlocks in some services. E.g just OS log-in can cause deadlock if some files are inaccessible for write (e.g. "chflagged"). In theory it might be the case when trying to access MDM-related resources, in the middle of something critical.
It can also be the other way around and SIP is definitely capable of ultimately dark evil things as, e.g. reverting literally everything seen "non-revertible", to its vanilla state, without even the OS reboot. Sometimes even reverting such ultimately "permanent" things which do require user interaction normally (e.g.chflags uchg,schg being wipable in a blink of an eye, without OS reboot by SIP / rootless interventions. That's been for a long while, obviously before 'Cryptexes' recently appeared in Ventura*

But it's important to know that SIP is there for a reason and significantly improves the quality of security response in case of real security threat, no matter if one likes it or not.**

@ink-splatters

ink-splatters commented Nov 3, 2022

TL;DR The below is off topic which I still find relevant in connection with the previous post, but you might want to skip it if came here for MDM bypass


* SIP interventions have been there for a long time, obviously before 'Cryptexes' recently appeared in Ventura, which are in fact privileged DMG mounts 'stitched' using firm-links, without the restrictions of castrated "synthetic" mounts available to a mere mortal

man synthetic

And it's been always possible, or, at least for a long while, for the whole Safari thing to be upgradable without OS reboot. That covers obviously the app itself, as well as up to a dozen of its daemons / public and private frameworks / supporting files / name it.
It all resides in /Library/Apple/System/ on Data volume.

Looks the same is now applicable for the potentially error prone components previously seen part of System volume, by just plugging another DMG, stitching it with the system, with (allegedly) less buggy stuff.


** Unfortunately, there are now more justified reasons to disable SIP; one of disappointments comes e.g. with one's trying to disable system daemons seeing the most of them risen up from the hell again (agents as well, by the way).

Good to mention, that's only in Full Security mode and is not forced in reduced security. But Reduced Security kills Apple Pay. Still not enough for a full scale drama as it's not an iPhone in fact, for it to honour Apple Pay that seriously. Anyway, I find this frustrating enough, but pretty logical from the security perspective to control the environment which is crucial for achieving "proper" security level (as per Apple treatment of what the proper security level should be).

Along with the security related daemons, the dozens of services which are absolutely not crucial for security (from the first glance), are up as well. Funny that it's also additional attack surface, with impacts ranging from relatively innocent to pretty severe.

But, IMO, having all this up and running, in the combination along with the trusted boot chain, plus what's now called Sealed System Volume, allows Apple to fully take over the security of macOS, without the interference coming from false-positive security reporting and other noise caused by hacky users (apparently suffered being hacked by ones who occurred to be slightly hackier, thanks to the first cohort's lifting the security measures).

@Sailas2k6

gdmf.apple.com - Used by an MDM server to identify which software updates are available to devices that use managed software updates

iprofiles.apple.com - Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment

mdmenrollment.apple.com - MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts

deviceenrollment.apple.com - DEP provisional enrollment

albert.apple.com - Device activation

acmdm.apple.com - can't find any info ... or the server name has changed

axm-adm-mdm.apple.com - MDM server
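
For anyone auditing a second-hand or returned Mac, the hostnames listed above are the ones to look for in its hosts file. The shell example below is added here and is not part of the thread; the function names, verdict strings and sample data are hypothetical. It reports hosts-file overrides of those names and reads them against `profiles status -type enrollment` output.

```shell
#!/bin/sh
# Added example: flag hosts-file overrides of Apple device-management hostnames.
# The hostnames are the ones named in this thread. Function names, verdict
# strings and sample data are hypothetical and constructed for illustration.

MDM_HOSTS="gdmf.apple.com iprofiles.apple.com mdmenrollment.apple.com"
MDM_HOSTS="$MDM_HOSTS deviceenrollment.apple.com albert.apple.com"
MDM_HOSTS="$MDM_HOSTS acmdm.apple.com axm-adm-mdm.apple.com"

# hosts_overrides FILE
# Prints one "address hostname" line per watched hostname that FILE overrides.
# Handles comments, tabs, several names on one line, upper case, trailing dots
# and CRLF line endings. Prints nothing when the file is clean.
hosts_overrides() {
    awk -v watch="$MDM_HOSTS" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        {
            sub(/\r$/, "")          # tolerate CRLF
            sub(/#.*/, "")          # drop comments, inline ones included
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                sub(/\.$/, "", h)   # "host." and "host" are the same name
                if (h in want) print $1, h
            }
        }' "$1"
}

# status_field TEXT LABEL
# Prints yes, no or unknown for a line such as "MDM enrollment: No" taken from
# the output of `profiles status -type enrollment`.
status_field() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" '
        $1 == label { v = tolower($2); found = 1 }
        END {
            if (!found)          print "unknown"
            else if (v ~ /^yes/) print "yes"
            else if (v ~ /^no/)  print "no"
            else                 print "unknown"
        }'
}

# assess HOSTS_FILE STATUS_TEXT
# Prints a verdict line, then the overrides that justify it. A "No" enrollment
# status cannot be trusted when the enrollment hostnames are overridden.
assess() {
    overrides=$(hosts_overrides "$1")
    dep=$(status_field "$2" "Enrolled via DEP")
    mdm=$(status_field "$2" "MDM enrollment")
    if [ -z "$overrides" ]; then
        verdict=ok
    elif [ "$mdm" = yes ]; then
        verdict=override-on-managed-device
    else
        verdict=enrollment-blocked
    fi
    printf '%s dep=%s mdm=%s\n' "$verdict" "$dep" "$mdm"
    [ -z "$overrides" ] || printf '%s\n' "$overrides"
}

# Constructed sample input (not captured from a real machine).
sample_hosts() {
    printf '%s\n' \
        '127.0.0.1 localhost' \
        '255.255.255.255 broadcasthost' \
        '# 0.0.0.0 gdmf.apple.com' \
        '0.0.0.0 iprofiles.apple.com  MDMenrollment.Apple.com.' \
        "$(printf '0.0.0.0\tdeviceenrollment.apple.com\r')" \
        '0.0.0.0 albert.apple.com # activation'
}

sample_status() {
    printf '%s\n' 'Enrolled via DEP: No' 'MDM enrollment: No'
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_hosts > "$demo_file"
assess "$demo_file" "$(sample_status)"
rm -f "$demo_file"
```

On a real system, pass the path of the hosts file under review (for example on a mounted volume) and the captured output of `profiles status -type enrollment` to `assess`.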

@iambulmaro

If you write all the aforementioned profiles in the hosts /private/etc/hosts after disabling csrutil it seems to work fine.

@Sailas2k6

@stop-d-fomo

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

Once this is implemented, can mdm be enforced remotely by which I mean can the machine be wiped etc. ?

@Sailas2k6

As long as the profiles are not installed, and profiles status -show enrollment are both on No the mac can not be erased.

@stop-d-fomo

stop-d-fomo commented Nov 11, 2022

As long as the profiles are not installed, and profiles status -show enrollment are both on No the mac can not be erased.

So no control can be assumed remotely if both dep and mdm have a no status? Thanks for help.

@fitzroymckay

fitzroymckay commented Nov 14, 2022

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

Thank you!! Worked perfectly for me

edit: hmm, no it's back now - I'll update in a couple days

@djtjl

djtjl commented Nov 16, 2022

I get following error when I try to edit hosts file....
Running MBP M1 with 12.6.1

xxxxx@xxxxxx-MBP etc % echo "0.0.0.0 iprofiles.apple.com" >> hosts
zsh: permission denied: hosts
xxxxx@xxxxxx-MBP etc % ls -l hosts
-rw-r--r-- 1 root wheel 213 Oct 12 23:06 hosts

Enrollment status is,
xxxxx@xxxxxx-MBP etc % profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
xxxxx@xxxxxx-MBP etc %

Integrity Status is
xxxxx@xxxxxx-MBP etc % csrutil status
System Integrity Protection status: enabled.
xxxxx@xxxxxx-MBP etc %

I keep getting Remote management notification.
How can I get rid of that so It will not impact now or future with macOS updates.

@stop-d-fomo

I get following error when I try to edit hosts file.... Running MBP M1 with 12.6.1

xxxxx@xxxxxx-MBP etc % echo "0.0.0.0 iprofiles.apple.com" >> hosts
zsh: permission denied: hosts
xxxxx@xxxxxx-MBP etc % ls -l hosts
-rw-r--r-- 1 root wheel 213 Oct 12 23:06 hosts

Enrollment status is,
xxxxx@xxxxxx-MBP etc % profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
xxxxx@xxxxxx-MBP etc %

Integrity Status is
xxxxx@xxxxxx-MBP etc % csrutil status
System Integrity Protection status: enabled.
xxxxx@xxxxxx-MBP etc %

I keep getting Remote management notification. How can I get rid of that so It will not impact now or future with macOS updates.

did you start with csrutil disable and reboot before the echo commands?

@djtjl

djtjl commented Nov 16, 2022

I get following error when I try to edit hosts file.... Running MBP M1 with 12.6.1
xxxxx@xxxxxx-MBP etc % echo "0.0.0.0 iprofiles.apple.com" >> hosts
zsh: permission denied: hosts
xxxxx@xxxxxx-MBP etc % ls -l hosts
-rw-r--r-- 1 root wheel 213 Oct 12 23:06 hosts
Enrollment status is,
xxxxx@xxxxxx-MBP etc % profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
xxxxx@xxxxxx-MBP etc %
Integrity Status is
xxxxx@xxxxxx-MBP etc % csrutil status
System Integrity Protection status: enabled.
xxxxx@xxxxxx-MBP etc %
I keep getting Remote management notification. How can I get rid of that so It will not impact now or future with macOS updates.

did you start with csrutil disable and reboot before the echo commands?

No. I have not.
I will try that again and update the thread.

@djtjl

djtjl commented Nov 16, 2022

I get following error when I try to edit hosts file.... Running MBP M1 with 12.6.1
xxxxx@xxxxxx-MBP etc % echo "0.0.0.0 iprofiles.apple.com" >> hosts
zsh: permission denied: hosts
xxxxx@xxxxxx-MBP etc % ls -l hosts
-rw-r--r-- 1 root wheel 213 Oct 12 23:06 hosts
Enrollment status is,
xxxxx@xxxxxx-MBP etc % profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
xxxxx@xxxxxx-MBP etc %
Integrity Status is
xxxxx@xxxxxx-MBP etc % csrutil status
System Integrity Protection status: enabled.
xxxxx@xxxxxx-MBP etc %
I keep getting Remote management notification. How can I get rid of that so It will not impact now or future with macOS updates.

did you start with csrutil disable and reboot before the echo commands?

No. I have not. I will try that again and update the thread.

Update:
I tried this..https://blog.uchennaegbo.com/how-to-disable-remote-management-and-device-enrollment-notifications-on-mac-os
It worked for me. I was able to update the hosts file.
Hope I will not get the Remote Management notification again.

@Nicolas1203

How I erase my Mac and get rid of the notifications:

Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.

After all is done I restart and boot into recovery.
Open terminal and follow this procedure:

$ csrutil disable
$ reboot

Back in recovery and terminal

$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts

$ csrutil enable
$ reboot

Never had any issues with the method.

Just did it a few days ago on a M2 13". Works like a charm.

I have a question though. If I understand correctly I have to do the same procedure again after any update, right ?

@Sailas2k6

How I erase my Mac and get rid of the notifications:
Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.
After all is done I restart and boot into recovery.
Open terminal and follow this procedure:
$ csrutil disable
$ reboot
Back in recovery and terminal
$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts
$ csrutil enable
$ reboot
Never had any issues with the method.

Just did it a few days ago on a M2 13". Works like a charm.

I have a question though. If I understand correctly I have to do the same procedure again after any update, right ?

Nop, if you update it's OK. Only if you wipe the device !

@Nicolas1203

Nicolas1203 commented Nov 21, 2022

How I erase my Mac and get rid of the notifications:
Clean erase
Reinstall OS from recovery partition.
After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process.
I create a user so I can disable csrutil.
After all is done I restart and boot into recovery.
Open terminal and follow this procedure:
$ csrutil disable
$ reboot
Back in recovery and terminal
$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts
$ csrutil enable
$ reboot
Never had any issues with the method.

Just did it a few days ago on a M2 13". Works like a charm.
I have a question though. If I understand correctly I have to do the same procedure again after any update, right ?

Nop, if you update it's OK. Only if you wipe the device !

Alright, I will give it a go then. Thank you for your feedback!

Edit: Can confirm that the update from Monterey to Ventura went without any issue.

@djtjl

djtjl commented Nov 21, 2022

I get following error when I try to edit hosts file.... Running MBP M1 with 12.6.1
xxxxx@xxxxxx-MBP etc % echo "0.0.0.0 iprofiles.apple.com" >> hosts
zsh: permission denied: hosts
xxxxx@xxxxxx-MBP etc % ls -l hosts
-rw-r--r-- 1 root wheel 213 Oct 12 23:06 hosts
Enrollment status is,
xxxxx@xxxxxx-MBP etc % profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
xxxxx@xxxxxx-MBP etc %
Integrity Status is
xxxxx@xxxxxx-MBP etc % csrutil status
System Integrity Protection status: enabled.
xxxxx@xxxxxx-MBP etc %
I keep getting Remote management notification. How can I get rid of that so It will not impact now or future with macOS updates.

did you start with csrutil disable and reboot before the echo commands?

No. I have not. I will try that again and update the thread.

Update: I tried this: https://blog.uchennaegbo.com/how-to-disable-remote-management-and-device-enrollment-notifications-on-mac-os It worked for me. I was able to update the hosts file. I hope I will not get the Remote Management notification again.

Update2: Did not receive any notification from last 5 days...

@lee-corey

When I try csrutil disable then it asks Enter password for user _mbsetupuser:
What should I type in here?

@lee-corey

Does this method no longer work? It seems to be holding up for me still.

If it works for you, perfect!

So csrutil disable in the terminal brings the message, “turning off system integrity protection requires modifying system security. Allow booting unsigned operating systems and any kernel extensions for OS Macintosh? Y/N?” I tried Yes and it asks for a password for user _mbsetupuser

How did you resolve this?

@Nicolas1203

Does this method no longer work? It seems to be holding up for me still.

If it works for you, perfect!

So csrutil disable in the terminal brings the message, “turning off system integrity protection requires modifying system security. Allow booting unsigned operating systems and any kernel extensions for OS Macintosh? Y/N?” I tried Yes and it asks for a password for user _mbsetupuser

How did you resolve this?

Well, you probably did not do the first steps, which basically consist of:

  • erasing your OS
  • Re-installing from internet
  • unplug your router while it reboots to force the computer to create a new user
  • create a user, reboot, and enjoy the full permission to do the commands you want

You can find more details here : https://checkm8.info/bypass-mac-mdm-lock

Hope this helps.

@ink-splatters

ink-splatters commented Dec 1, 2022

You just press enter.

I’m not at the context for now, sorry, but just in case: you won’t be able to change Local Boot Policy until some admin has obtained Secure Token / become owner of the volume (usually those come together)

It’s granted when:

  1. Upon the first (ever, since the system install) admin user is created. The token is then derived from one-time kind of nonce Secure Enclave stores for that purpose

  2. Every user who is created by a Secure Token owner via the GUI is granted the token as well.

  3. using sysadminctl with “secure token unlock” grants the token to the newly created user; since Ventura AFAIK, if FV is enabled, explicit unlock might not be needed.

The fact that _mbsetupuser is the disk owner looks like the result of tampering, which I used myself, trying to grant it Secure Token before everyone else. To the best of my knowledge, it doesn’t work reliably in the last Monterey releases and in Ventura:

Having done

dscl -f /Volumes/Data/private/var/db/dslocal/nodes/Default localonly
# in OD console:
cd /Local/Target/Users
append ../Groups/admin GroupMembers <type _mbsetupuser UUID>
append ../Groups/admin GroupMembership _mbsetupuser
create _mbsetupuser AuthenticationAuthority ;SecureToken;
passwd _mbsetupuser
# hit enter 

In the absence of other users, will make _mbsetupuser disk owner and lead to the prompt you see.

but likely the token won’t be granted so the system won’t be able to provision any user who would have had the token.

However, if instead of _mbsetupuser you create the first user likewise, it will be granted the token. But volume personalisation would have needed to be initialised with the use of an internet connection; AND it won’t work at all in Ventura at least, making you unable to boot from the volume.
In Monterey, however, this hack would allow creating a user without any involvement of _mbsetupuser.

@djtjl

djtjl commented Dec 1, 2022

however, if instead of _mbsetupuser you create first user lik

@ink-splatters Do you mean to say that with Ventura, disabling DEP is not an option anymore?
Is my understanding correct? I last tried with Monterey and it worked, but I have not tried with Ventura.

@lucasmenares

lucasmenares commented Dec 3, 2022

This worked for me on M1 Pro 2021 with MacOS Ventura, original method was for Big Sur but I changed it using a different type of domain block since the old method doesn't work anymore:

First of all, if you want to trigger the notification you can use this command:
sudo profiles show -type enrollment

Now we will start. First block your Mac from reaching the domain iprofiles.apple.com. For this you can use your hosts file like:
echo "0.0.0.0 iprofiles.apple.com" | sudo tee -a /etc/hosts
or blocking them from your firewall.

Then, I checked the current enrollment profile
sudo profiles show -type enrollment

This will show you the current enrollment configuration your Mac has, you can even block the domain mentioned in ConfigurationURL just to be safe, example:
echo "0.0.0.0 yourDomainMentionedInConfigurationURL" | sudo tee -a /etc/hosts

After that, I proceed to delete the profile, in my regular session, not recovery, although it would probably also work in recovery:
sudo profiles remove -all

Keep in mind that this command will delete all other profiles you may have, in my case, I didn't have any more.

Finally, you can check for the enrollment profile again. I would get an error saying that it could not be retrieved, given that I blocked the domain from where it's retrieved:

sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}

And the notification is gone for good, hope it helps!

@JediRhymeTrix

Do the steps to disable the notification have to be repeated after upgrading from Monterey to Ventura?

@lucasmenares

lucasmenares commented Dec 3, 2022

Do the steps to disable the notification have to be repeated after upgrading from Monterey to Ventura?

@JediRhymeTrix Not sure, but you can check it using the command to trigger the notification after your update:
sudo profiles show -type enrollment

@ink-splatters

however, if instead of _mbsetupuser you create first user lik

@ink-splatters Do you mean to say that with Ventura, disabling DEP is not an option anymore? Is my understanding correct? I last tried with Monterey and it worked, but I have not tried with Ventura.

No, i didn't mean that and can't think of why it should be the case.

Who's tested the link: https://idevice.me/macbook-mdm-bypass-activator-for-t1-t2-m1-m2/ Does it work, is the $50 worth it?

Who's tested the link: https://idevice.me/macbook-mdm-bypass-activator-for-t1-t2-m1-m2/ Does it work, is the $50 worth it?

Lol, no :)

@Sailas2k6

How I erase my Mac and get rid of the notifications:
Clean erase. Reinstall OS from recovery partition. After first boot I turn off the router in my house so I can bypass the mdm screen and continue with the setup process. I create a user so I can disable csrutil.
After all is done I restart and boot into recovery. Open terminal and follow this procedure:
$ csrutil disable
$ reboot
Back in recovery and terminal
$ cd "/Volumes/Macintosh HD/System/Library"
$ cd ../../etc
$ echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 albert.apple.com" >> hosts
$ echo "0.0.0.0 acmdm.apple.com" >> hosts
$ csrutil enable
$ reboot
Never had any issues with the method.

Thx for sharing. Albert.apple.com / acmdm.apple.com are the ones missing in my list. I got gdmf.apple.com instead according to the OP thread. But I haven't encountered any problems so far too :)

If you use Albert.apple.com you will have issues authenticating for iMessage or FaceTime as it won’t allow iCloud authenticating through it.

Haven't had any issues with iMessage or FaceTime.

@cadriel

cadriel commented Dec 15, 2022

My experience on a Studio M1 Ultra;

There's no way I can see of avoiding this with a fresh install of Ventura 13.1, as it requires an internet connection during setup.

My initial attempts registered my device with DEP.

A fresh install of Monterey worked, and I was able to avoid registration and any notifications. iMessage and Facetime failed to correctly register / authenticate when I had blocked albert.apple.com. This wasn't immediately obvious until I tried to use Messages on the mac. Once I had unblocked albert.apple.com then I could re-sign in with Messages and all was well.

I then upgraded to Ventura 13.1 and haven't had an issue since.

My hosts file ended up looking like this;

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 gdmf.apple.com
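
For administrators who need to spot this kind of tampering on Macs they manage, the hosts-file overrides listed in this thread are straightforward to detect. The script below is an added example, not part of any comment here; the function names `audit_hosts` and `sample_hosts` are hypothetical, and the watch list contains only the hostnames mentioned in this thread.

```shell
#!/bin/sh
# Audit a hosts file for static overrides of Apple enrollment-related names.
# Any hosts-file entry for these names is suspicious, whatever address it
# points at, because they are normally resolved through DNS only.

# Hostnames taken from the comments in this thread.
MDM_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com acmdm.apple.com albert.apple.com gdmf.apple.com"

# audit_hosts [FILE]
#   Prints one line per override: "<hostname> <address> <line-number>".
#   Exit status: 0 = no overrides, 1 = overrides found, 2 = file unreadable.
audit_hosts() {
    file=${1:-/etc/hosts}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v watch="$MDM_HOSTS" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        {
            sub(/#.*/, "")                 # strip comments, including whole-line ones
            if (NF < 2) next               # need an address plus at least one name
            for (i = 2; i <= NF; i++) {    # a line may carry several aliases
                h = tolower($i)            # hostnames are case-insensitive
                sub(/\.$/, "", h)          # ignore a trailing root dot
                if (h in want) { print h, $1, NR; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$file"
}

# Constructed sample input (not taken from a real machine): one active
# override, one commented-out entry, and one mixed-case name with a trailing dot.
sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
0.0.0.0 iprofiles.apple.com
# 0.0.0.0 mdmenrollment.apple.com
0.0.0.0  GDMF.apple.com.   # mixed case, trailing dot
EOF
}

# Usage on a managed Mac:   audit_hosts /etc/hosts
# Usage on the sample:      sample_hosts > /tmp/hosts.sample; audit_hosts /tmp/hosts.sample
```

A non-zero exit status makes the function easy to wire into an existing compliance check; the printed line numbers point the responder at the exact entries to review.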

@lucasmenares

My experience on a Studio M1 Ultra;

There's no way I can see of avoiding this with a fresh install of Ventura 13.1, as it requires an internet connection during setup.

My initial attempts registered my device with DEP.

A fresh install of Monterey worked, and I was able to avoid registration and any notifications. iMessage and Facetime failed to correctly register / authenticate when I had blocked albert.apple.com. This wasn't immediately obvious until I tried to use Messages on the mac. Once I had unblocked albert.apple.com then I could re-sign in with Messages and all was well.

I then upgraded to Ventura 13.1 and haven't had an issue since.

My hosts file ended up looking like this;

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 gdmf.apple.com

You can do a fresh install of Ventura 13.1. You just need to disable/unplug your router so your mac doesn't connect to your wifi automatically (since you need wifi to download the OS at the first step, and later it will automatically connect to it again), after you unplug your router you just need to press "Back" until the Mac restarts, once it's restarted just press next and the message of the DEP will not appear, after a few hours you will see the famous annoying pop-up that everyone knows, if you want to disable it you can do the steps that I posted a few days ago.

This worked for me on M1 Pro 2021 with MacOS Ventura, original method was for Big Sur but I changed it using a different type of domain block since the old method doesn't work anymore:

First of all, if you want to trigger the notification you can use this command:
sudo profiles show -type enrollment

Now we will start. First block your Mac from reaching the domain iprofiles.apple.com. For this you can use your hosts file like:
echo "0.0.0.0 iprofiles.apple.com" | sudo tee -a /etc/hosts
or blocking them from your firewall.

Then, I checked the current enrollment profile
sudo profiles show -type enrollment

This will show you the current enrollment configuration your Mac has, you can even block the domain mentioned in ConfigurationURL just to be safe, example:
echo "0.0.0.0 yourDomainMentionedInConfigurationURL" | sudo tee -a /etc/hosts

After that, I proceed to delete the profile, in my regular session, not recovery, although it would probably also work in recovery:
sudo profiles remove -all

Keep in mind that this command will delete all other profiles you may have, in my case, I didn't have any more.

Finally, you can check for the enrollment profile again. I would get an error saying that it could not be retrieved, given that I blocked the domain from where it's retrieved:

sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}

And the notification is gone for good, hope it helps!

@2ndMessiah

Anyone tried blocking the mdm related hosts on your router while leaving the activation server hosts allowed?

Will this bypass the internet connection requirement of Ventura?

@cadriel

cadriel commented Dec 16, 2022

You can do a fresh install of Ventura 13.1. You just need to disable/unplug your router so your mac doesn't connect to your wifi automatically (since you need wifi to download the OS at the first step, and later it will automatically connect to it again), after you unplug your router you just need to press "Back" until the Mac restarts, once it's restarted just press next and the message of the DEP will not appear, after a few hours you will see the famous annoying pop-up that everyone knows, if you want to disable it you can do the steps that I posted a few days ago.

Weird - I actually turned off my WAP's but Ventura refused to resume without a connection. Could this be different with ARM vs Intel machines? I also tried a reboot but it still wouldn't allow me to resume without internet connectivity.

@lucasmenares

You can do a fresh install of Ventura 13.1. You just need to disable/unplug your router so your mac doesn't connect to your wifi automatically (since you need wifi to download the OS at the first step, and later it will automatically connect to it again), after you unplug your router you just need to press "Back" until the Mac restarts, once it's restarted just press next and the message of the DEP will not appear, after a few hours you will see the famous annoying pop-up that everyone knows, if you want to disable it you can do the steps that I posted a few days ago.

Weird - I actually turned off my WAP's but Ventura refused to resume without a connection. Could this be different with ARM vs Intel machines? I also tried a reboot but it still wouldn't allow me to resume without internet connectivity.

My bad, I think you are right, you NEED internet connection to activate Ventura.

But we always can just install Monterey and then update without any problem, right?

@lucasmenares

Anyone tried blocking the mdm related hosts on your router while leaving the activation server hosts allowed?

Will this bypass the internet connection requirement of Ventura?

Didn't try it, but it sounds like a good idea. If someone can try it, please share it!

@jeremylpro

Can you update macOS and still not have the device enrollment thing?

@JediRhymeTrix

Can you update macOS and still not have the device enrollment thing?

I've installed minor updates and also upgraded from Monterey to Ventura and didn't get the enrollment screen or have to redo any of the steps to disable the notification. I did disconnect my wifi each time, though.

@jeremylpro

Can you update macOS and still not have the device enrollment thing?

I've installed minor updates and also upgraded from Monterey to Ventura and didn't get the enrollment screen or have to redo any of the steps to disable the notification. I did disconnect my wifi each time, though.

Oh, ok

@spoved-aws

spoved-aws commented Dec 27, 2022

I was able to use the method given by the OP to remove the profile. Does anyone know if Apple is able to reinstall the profile somewhere in the future with OS upgrades or security patches?
Also, did anyone have the notifications come back to their system some time after bypassing mdm?

@spoved-aws

Can you update macOS and still not have the device enrollment thing?

I've installed minor updates and also upgraded from Monterey to Ventura and didn't get the enrollment screen or have to redo any of the steps to disable the notification. I did disconnect my wifi each time, though.

I am trying to understand what you mean ? Are you saying you upgraded OS offline with wifi off ? How did you do that ?

@JediRhymeTrix

JediRhymeTrix commented Dec 27, 2022 via email

@spoved-aws

spoved-aws commented Dec 27, 2022

@JediRhymeTrix , were you able to install Ventura 13.2? if yes, did you have to accept connection 0.0.0.0 gdmf.apple.com and then go offline when it reboots ?

Edit: Just realized Apple never released 13.2 for Macs. So I am on the latest build

@JediRhymeTrix

JediRhymeTrix commented Dec 27, 2022 via email

@spoved-aws

spoved-aws commented Dec 27, 2022

Can someone tell me if I can install an mdm profile that I can manage on another computer that I totally own and try all permutation and combination on it?

@Sailas2k6

If the SN is in servers with an MDM, I don't think that you can enrol a new MDM on top of the existing one. It will be much easy. I think that first you have to remove the SN from the old MDM and after that enrol to a new MDM.

@MMouse2023

MMouse2023 commented Jan 20, 2023

Newbie here, sorry for the silly questions...

Is the MDM able to see the Apple ID that is signed into the Mac after we perform this task?
am I safe to login with my Apple ID after performing these steps?
can I link the Mac to my Find My?

@spoved-aws

13.2 is out. Anyone tried updating ?

@gggalf

gggalf commented Jan 24, 2023

13.2 is out. Anyone tried updating ?

works fine :)

@Forsh75

Forsh75 commented Jan 25, 2023

Hi, can someone please detail the full process I need to follow if I have Ventura installed please. I've tried to follow the thread but can't seem to get it working. Thanks in advance.

@spoved-aws

13.2 is out. Anyone tried updating ?

works fine :)

can you give me the commands to unblock the apple server that is used for updates.

Currently I have executed the below commands and my Mac says no updates available.

echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

@gggalf

gggalf commented Jan 25, 2023

13.2 is out. Anyone tried updating ?

works fine :)

can you give me the commands to unblock the apple server that is used for updates.

Currently I have executed the below commands and my Mac says no updates available.

echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

u can download the update manual from app store

@spoved-aws

13.2 is out. Anyone tried updating ?

works fine :)

can you give me the commands to unblock the apple server that is used for updates.
Currently I have executed the below commands and my Mac says no updates available.
echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

u can download the update manual from app store

I tried to search for that in the app store but the search for Ventura didn't return anything. I also checked in the "updates" tab in the app store and I don't see 13.2. Do you mind telling me the steps to get the 13.2 on top of 13.1. TIA

@gggalf

gggalf commented Jan 25, 2023

13.2 is out. Anyone tried updating ?

works fine :)

can you give me the commands to unblock the apple server that is used for updates.
Currently I have executed the below commands and my Mac says no updates available.
echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

u can download the update manual from app store

I tried to search for that in the app store but the search for Ventura didn't return anything. I also checked in the "updates" tab in the app store and I don't see 13.2. Do you mind telling me the steps to get the 13.2 on top of 13.1. TIA

ven

@spoved-aws

13.2 is out. Anyone tried updating ?

works fine :)

can you give me the commands to unblock the apple server that is used for updates.
Currently I have executed the below commands and my Mac says no updates available.
echo "0.0.0.0 iprofiles.apple.com" >> hosts
$ echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
$ echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
$ echo "0.0.0.0 gdmf.apple.com" >> hosts

u can download the update manual from app store

I tried to search for that in the app store but the search for Ventura didn't return anything. I also checked in the "updates" tab in the app store and I don't see 13.2. Do you mind telling me the steps to get the 13.2 on top of 13.1. TIA

ven

Yeah I saw that. Sorry I thought should be something else. Do you know if this installs ventura as a new machine or just installs the updates ? It's a 12 GB file and the update on my good computer ( mac m1 ) was just a couple of GBs

@gggalf

gggalf commented Jan 25, 2023

just the update

@Forsh75

Forsh75 commented Jan 25, 2023

HI all. I now have a freshly installed version of Catalina 2019 MBP. I've edited the hosts file and moved the daemon files to the .disabled folders.

Am I able to download Monterey via the app store and install or do I need to upgrade to Big Sur first. Also, do I need to turn the router off at any point or should I be ok now that I've made the above changes?

Thanks.

@gggalf

gggalf commented Jan 25, 2023

u can install Monterey and no need to turn off the wifi.

@agent4tea7

MBP M2 Max 2023 supplied with Ventura 13.1 upgraded to 13.2. Followed sudo profiles removed but Remote management screen still pops up.

Erased Mac volume from recovery too. No luck. Blocked the hosts successfully.

No current profiles enrolled to. But the remote management screen cannot be bypassed still. Didn’t stop popping up at fresh install.

@tunneltiger

did you try to block the related hosts on your router as well ?

@Baker19788

which daemons files?

@Baker19788

HI all. I now have a freshly installed version of Catalina 2019 MBP. I've edited the hosts file and moved the daemon files to the .disabled folders.

Am I able to download Monterey via the app store and install or do I need to upgrade to Big Sur first. Also, do I need to turn the router off at any point or should I be ok now that I've made the above changes?

Thanks.

@Forsh75

which daemons files?

@duyjack

duyjack commented Feb 19, 2023

did you try to block the related hosts on your router as well ?

Do you have DNS for blocking IPs of AppleMDM ?

@CaptiveON

Hello guys, Maybe what I am going to state is a bit silly but I wanted to know why don't just edit the hosts file using nano from the terminal. Is it necessary to follow all the mentioned steps including booting in recovery mode? Why?
However, I did it from the terminal using "sudo nano /etc/hosts" on Ventura 13.2.1 and it seems to be working for me as the changes have been saved. I also restarted to make sure the changes persist. I will let you guys know if the notification pops up again.

@inkstatim

I have a MacBook Air M1 and I bypassed MDM half a year ago, but I still receive notifications. I want to update to Ventura, how can I do that? Should I just download the update and install it or do I need to turn off the Wi-Fi?

@alucardness

I have a MacBook Air M1 and I bypassed MDM half a year ago, but I still receive notifications. I want to update to Ventura, how can I do that? Should I just download the update and install it or do I need to turn off the Wi-Fi?

There is no problem updating it. Download the update from the software update in settings. But do not go for factory reset, cause Ventura requires an internet connection on setup and you can't go to the home screen to block the hosts file. I'm currently facing this issue.

@Sailas2k6

I have a MacBook Air M1 and I bypassed MDM half a year ago, but I still receive notifications. I want to update to Ventura, how can I do that? Should I just download the update and install it or do I need to turn off the Wi-Fi?

There is no problem updating it. Download the update from the software update in settings. But do not go for factory reset, cause Ventura requires an internet connection on setup and you can't go to the home screen to block the hosts file. I'm currently facing this issue.

Manually downgrade to Monterey, activate with no internet and update to Ventura again.

@inkstatim

I have a MacBook Air M1 and I bypassed MDM half a year ago, but I still receive notifications. I want to update to Ventura, how can I do that? Should I just download the update and install it or do I need to turn off the Wi-Fi?

There is no problem updating it. Download the update from the software update in settings. But do not go for factory reset, cause Ventura requires an internet connection on setup and you can't go to the home screen to block the hosts file. I'm currently facing this issue.

Thanks, man. I updated to Ventura 13.2 and everything works great, but I keep receiving notifications saying that the previous company wants to enroll the computer on remote management.

@smithatlanta

smithatlanta commented Feb 25, 2023

I created a Wi-Fi network that blocked those mdm domains and was able to get around it. Once installed, I added the hosts file and now I have no nags at all.

@duyjack

duyjack commented Feb 25, 2023

I created a Wi-Fi network that blocked those mdm domains and was able to get around it. Once installed, I added the hosts file and now I have no nags at all.

Does it work for Ventura? Can you guide me on how to create a Wi-Fi network that blocks those mdm domains?

@smithatlanta

I’m not able at the moment but I can do it later on today. I’m using ubiquiti equipment so it’s pretty easy to add additional Wi-Fi networks.

@smithatlanta

Actually I got a moment free. This is on a ubiquiti device but it's probably similar to other router products.

  1. Create a new network, name it localonly.
  2. Go into traffic management, and create a Block traffic rule(category is domain name). Add profiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com, and gdmf.apple.com as the blocked domains. Target should be the localonly network you created in step 1.
  3. Create a new wifi network and use localonly as the network.
  4. Once it's up and running, go thru the process documented above using that wi-fi network.

I still create the hosts file during the process because I switch to my regular wi-fi network after everything is installed.

Waiver: I did this on a laptop that my manager said was ok to keep(but the network guys were not allowed to remove the mdm stuff). I would have turned it in if they had required it.

I now have another laptop with my new company whose policies are very strict and I'm not sure this whole process would work. They even block me being able to do Time Machine backups. :(

@alucardness

alucardness commented Feb 25, 2023

You can find the solution in my repo. https://github.com/alucardness/macos_remote_managment

@2ndMessiah

2ndMessiah commented Feb 26, 2023 via email

@joshworksit

joshworksit commented Mar 7, 2023

thanks @gwshaw for the edits!

Here is how you can bypass MDM completely ...

Boot to Recovery

Open Terminal and enable the root user and give it a password:

Enter the command below and press Enter

dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:

/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/

Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.

Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.

Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.

Click the Apple logo > System Settings -> Users & Groups

Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.

Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.

Boot to Recovery again.

Open Terminal and enter the command below and press Enter.

touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone

Then type Reboot and press Enter or force off your Mac again using the steps above.

If you found this helpful please donate! https://pay.siliconbypass.com

@duyjack

duyjack commented Mar 9, 2023

Here is how you can bypass MDM completely ...

Boot to Recovery
Open Terminal
execute "dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root"

Reboot then...

Step through the Welcome and Setup screens
At MDM enrollment (or Remote Management) it should prompt to login at some point for MDM - if not go to the Alternate step
Highlight any text -> secondary (right) click -> Search Google
Safari will open then go to the next step (skip Alternate)

Alternate: if no text to select then try pressing Command & Option & Control & T at the same time to force Terminal open.

Click the Apple logo
System Preferences
Users & Groups
Create your admin user using the Root credentials previously set in recovery with the "dscl" command

Reboot and Boot to Recovery

Use Terminal and execute "touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone"

Reboot, Enjoy!

If you found this helpful please donate! https://pay.siliconbypass.com

Did you try it?

@gwshaw

gwshaw commented Mar 11, 2023

Here is how you can bypass MDM completely ...

Boot to Recovery
Open Terminal
execute "dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root"

Reboot then...

Step through the Welcome and Setup screens
At MDM enrollment (or Remote Management) it should prompt to login at some point for MDM - if not go to the Alternate step
Highlight any text -> secondary (right) click -> Search Google
Safari will open then go to the next step (skip Alternate)

Alternate: if no text to select then try pressing Command & Option & Control & T at the same time to force Terminal open.

Click the Apple logo
System Preferences
Users & Groups
Create your admin user using the Root credentials previously set in recovery with the "dscl" command

Reboot and Boot to Recovery

Use Terminal and execute "touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone"

Reboot, Enjoy!

If you found this helpful please donate! https://pay.siliconbypass.com

@joshworksit !!! Works nicely, with a minor correction. No quotes on either of the command lines. With the quotes, the escaped spaces are treated literally so the paths are then broken, at least in Ventura recovery terminal. Spaces are not on the allowed double-quoted string pass-through escapes for Bash. I literally spent days drowning in comments and variations that did not work before I just skipped to the end and found this. This took only minutes once corrected.

A few notes for the less adept:

  • I started with an erased SSD and installed Ventura from recovery and let it boot up to the country select screen
  • I didn't have a network connected after the boot up, but I don't think that mattered.
  • rather than risking anything by progressing up to the MDM in setup, I just went straight to the Alternate to launch a terminal to get the Apple logo to get to system settings
  • in Ventura it is "System Settings" rather than "System Preferences"
  • then Users & Groups
  • then Add Account. The authentication comes up as user "System Setup". Change this to "root" and use the password you created.
  • the various "restart" and "shutdown" options didn't want to participate in the ruse, so use the power off button for the "Reboot and Boot to Recovery Step"

I'd also guess that after completing this the user root password should be removed, but I haven't done that. Otherwise someone can log into user root at the login screen (Shows as "Other..."). Is this the case @joshworksit ?

@sire901

sire901 commented Mar 16, 2023

hi im using mbp m1 monterey and im new at this how do i bypass mdm pop up without fresh install ?

@lucasmenares

hi im using mbp m1 monterey and im new at this how do i bypass mdm pop up without fresh install ?

follow the instructions of my gist: https://gist.github.com/lucasmenares/e3dfe5d76a0ad24663d88102cb4dde3d

@nomdmplz

Currently have a 2023 MacBook Pro with the M2 Max with MDM; currently can't get past the activation screen. macOS Ventura, FMM is off. Anything on this platform?

@joshworksit

Specs don’t really matter…OS version is most important. Follow the steps exactly and it will work.

@albzoon

albzoon commented Mar 25, 2023

Restored M1 Macbook with DFU Mode and when all is done shows me up the setup screen with no option for "no internet connection" suppose that is already enrolled by dfu restore that never happened before..
Anyway to bypass at this point with no option for creating a user and blocking on terminal required hosts??

@joshworksit

Follow the steps I posted above and you can bypass the MDM with no need to select No Internet Connection - which is no longer an option during setup - an internet connection is required from what I understand it is part of the activation process similar to an iPhone requiring a data connection to activate at first turn on...but you can enable root user using terminal in Recovery and just follow the steps I posted above to get access to the macOS and bypass setup entirely..

@albzoon

albzoon commented Mar 25, 2023

opened in terminal at the recovery screen, did this command.. dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
but it says: Not a known DirStatus..

@joshworksit

So you might not be in the right Recovery environment. I think you need to try shutting down fully, or if you did that and started up to recovery and got that message, try simply starting up the Mac fully and then go to the Apple menu and Restart to Recovery without fully shutting down the Mac. OR your volume name is not Macintosh HD - you can look at Disk Utility to see what the volume name of your Mac HD is ...

@kernatron

kernatron commented Mar 25, 2023

@joshworksit I really appreciate everything you've shared so far. When creating a new password in terminal, it's asking me for the old password - which I don't know. Any ideas why it's asking for that? Should it be asking for anything at that point?

Am I better deleting the partition and reinstalling Ventura at this point? Thanks!

Edit: Okay, so I managed to do all of the above, but I'm still getting the MDM screen appearing. Gah, I thought I'd got it!

@joshworksit

Yes if it is asking for an old password you never set, simply erase Macintosh HD, and reinstall the OS and then you'll know exactly where every component is at and what to expect.

@albzoon

albzoon commented Mar 27, 2023

I tried in the recovery environment, and also at the first step of setup after the restore from DFU, where the volume name is by default Macintosh HD
and still 'not a known dir status'
I put the command with spaces as you described and still not a known dir status.. if you want I can send you photos of my process.
PLS help with this situation
I appreciate this

@albzoon

albzoon commented Mar 27, 2023

@cadriel

cadriel commented Mar 28, 2023

Can someone confirm the list of domains that should be blocked after completing the initial install steps, that prevent re-enrollment and notifications - but allow automated updates (if this is even possible..)?

I have a Ventura install - and block the following domains;

*.gdmf.apple.com
*.acmdm.apple.com
*.albert.apple.com
*.deviceenrollment.apple.com
*.mdmenrollment.apple.com
*.iprofiles.apple.com

But i'm wondering if I can perhaps allow albert and gdmf among others so automated updates will work again, without any negative impact.

@electricfeel1979

image

I updated to the latest ventura 13.3, coming from 13.1. So far so good. All I have to do was go to the app store, search ventura and download. This will only install the update. It will take some time

@cadriel

cadriel commented Mar 28, 2023

Yes, I understand manual updates work - and have done this. I however would like to know if we can re-enable automatic updates.

@Nisounas

Nisounas commented Mar 28, 2023

I got scammed I bought a 2020 M1 MBP under MDM/DEP program,
I updated it to ventura (13.2.1) and I found out that it has a lot of stability problems
I want to format it to fix the stability problem, is there any way to format it safely without it being blocked,

Note: I blocked all these links in my wifi settings
Screenshot_7

after I didn't receive any notification from DEP/MDM program, when I run this command :
sudo profiles show -type enrollment
I get this error message:
Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud, CloudConfigurationErrorType=CloudConfigurationFatalError}

@gwshaw

gwshaw commented Mar 31, 2023

The root user already exists. You are only assigning a password. I typed the new password at the end of the dscl command line.

@rbt19

rbt19 commented Mar 31, 2023

The root user already exists. You are only assigning a password. I typed the new password at the end of the dscl command line.

Thank you for your reply! I was finally able to figure it out. The problem is this section of the code: /Volumes/Macintosh\ HD\ -\ Data/
That one works only with Intel Macs; for silicon the correct code is: /Volumes/Data/
Thanks for sharing this information. I am extremely grateful.

@Gius29

Gius29 commented Apr 1, 2023

I have disabled MDM following the instructions.
Can I sign-in with my Apple ID (iCloud)? Does this allow to detect my device?

@joshworksit

Use your Apple ID as you wish, one has nothing to do with the other so it will not affect any iCloud services.

@joshworksit

The root user already exists. You are only assigning a password. I typed the new password at the end of the dscl command line.

Thank you for your reply! I was finally able to figure it out. The problem is this section of the code: /Volumes/Macintosh\ HD\ -\ Data/ That one works only with Intel Macs; for silicon the correct code is: /Volumes/Data/ Thanks for sharing this information. I am extremely grateful.

Thanks for catching this difference I'll add it to my original post!

@JZFeng

JZFeng commented Apr 2, 2023

The root user already exists. You are only assigning a password. I typed the new password at the end of the dscl command line.

Thank you for your reply! I was finally able to figure it out. The problem is this section of the code: /Volumes/Macintosh\ HD\ -\ Data/ That one works only with Intel Macs; for silicon the correct code is: /Volumes/Data/ Thanks for sharing this information. I am extremely grateful.

Thanks for catching this difference I'll add it to my original post!

So what is the correct final full command for Apple Silicon?
Is it this one "dscl -f  /Volumes/Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root" ?

@nambh83

nambh83 commented Apr 4, 2023

My MBP M1 bypass MDM completely on MacOS 11.6. Can I upgrade to MacOS 13.3 via Setting? Do I need to bypass MDM again after upgrade?
Thanks.

@alucardness

My MBP M1 bypass MDM completely on MacOS 11.6. Can I upgrade to MacOS 13.3 via Setting? Do I need to bypass MDM again after upgrade? Thanks.

Update, it's already bypassed, so you don't have to do it again.

@nambh83

nambh83 commented Apr 4, 2023

My MBP M1 bypass MDM completely on MacOS 11.6. Can I upgrade to MacOS 13.3 via Setting? Do I need to bypass MDM again after upgrade? Thanks.

Update, it's already bypassed, so you don't have to do it again.

Really??? Thank you. I will try. :)

@albzoon

albzoon commented Apr 4, 2023

Can't bypass MDM on MacBook M1 because when it's recovered from DFU mode it installs Ventura automatically and also checks the profile server, so the MDM enrollment catches at the beginning..
ANY HELP to bypass MDM on these models

@Aooga776

Aooga776 commented Apr 6, 2023

Thanks for all the info @joshworksit I've run into one snag which is bypassing setup assistant. I followed this line:

Open Terminal and enter the command below and press Enter.

touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone

Then type Reboot and press Enter or force off your Mac again using the steps above.

and I get:

touch: /Volumes/Macintosh HD/: Read-only file system
touch: - Data/private/var/db/.AppleSetupDone: No such file or directory

So I'm stuck here and can't figure out any way to bypass the setup assistant. Everything else worked flawlessly. Please let me know if you have any idea what I'm doing wrong here. Thanks again!

@razerduy

razerduy commented Apr 7, 2023

Thanks for all the info @joshworksit I've run into one snag which is bypassing setup assistant. I followed this line:

Open Terminal and enter the command below and press Enter.

touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone

Then type Reboot and press Enter or force off your Mac again using the steps above.

and I get:

touch: /Volumes/Macintosh HD/: Read-only file system touch: - Data/private/var/db/.AppleSetupDone: No such file or directory

So I'm stuck here and can't figure out any way to bypass the setup assistant. Everything else worked flawlessly. Please let me know if you have any idea what I'm doing wrong here. Thanks again!

If your macbook is Macbook pro M1 14 inch 2021, you can try this.
Reinstall MacOS 12.4 via usb, active without network. When active successfully, please add these lines into hosts:

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com

Then update to ventura via OTA

@Aooga776

Aooga776 commented Apr 7, 2023

Ok. I guess I'll do that as a last ditch effort. I got through all the other steps of redoing the root password, creating an admin account, and everything else except bypassing setup. I just would rather not start over right now, but I will do that if @joshworksit doesn't know another solution for his last step that isn't working. Thank you @razerduy

@Aooga776

Ok, So I figured it out. I went through terminal and just made a .AppleSetupDone folder in the private/var/db folder. So now I'm Logged In and it shows no MDM in Terminal. Still haven't connected to wifi. I'm now trying to restore content from a Time Machine backup. It gave me a warning to update the Mac to Ventura 13.2.1. Am I ok updating to the latest version without an issue or no?

@razerduy

Ok, So I figured it out. I went through terminal and just made a .AppleSetupDone folder in the private/var/db folder. So now I'm Logged In and it shows no MDM in Terminal. Still haven't connected to wifi. I'm now trying to restore content from a Time Machine backup. It gave me a warning to update the Mac to Ventura 13.2.1. Am I ok updating to the latest version without an issue or no?

i think If your content that you backed up included hosts, you can restore. Otherwise, please restore later when you added hosts to block MDM.

@Aooga776

Thank you @razerduy my bigger question is, can I update to 13.2.1 now or do I have to do something specific. I thought I did everything I needed, but I got my first enrollment prompt, so I'm going to go through those directions to suppress that. I just don't want to update and then get hit with the remote management screen again.

@Aooga776

So weirdly enough, I added those ip addresses to the host file and I'm still getting the notification to enroll, but there are still no profiles on the machine. Anyone know what else is needed to block those popups completely? Also still wondering if I can update to the latest Ventura without any issues.

@bagofcig

bagofcig commented Apr 12, 2023

I could not bypass the remote management on MacBook Pro M2 max Ventura, tried to boot from usb and wipe out all data from recovery mode.
Any luck finding a way to bypass that on MacBook Pro m2 max?

@Aooga776

@bagofcig I did it on an M1 Max MacBook Pro with ventura installed. I followed @joshworksit 's directions from march 6 on booting to recovery in Ventura, changing the root password then on reboot choosing Command + Option + Control + T to show the menu bar, go in and make a new admin account. The only part I got stuck on is that the last line didn't work and I couldn't figure out how to bypass the setup assistant. Finally, I looked on my other Mac to find out where the .AppleSetupDone was and discovered it was actually a folder. So in terminal I navigated to the folder and made a new directory called .AppleSetupDone then rebooted and it went straight to the log in screen. I then went and added the ip addresses to the hosts file. Now, I'm still getting the notification to enroll, but I have no profiles and it is not managed. I can't figure out why the ip addresses in the host file isn't blocking the notification but I just click the x like two times a day until I can find a solution.

That's what worked for me on Ventura. I don't think it matters if it's m1 or m2 but more ventura vs Monterey. I never went through and wiped the drive. Mine was fresh from the factory.

I'm still trying to find out if it is ok to update to the latest version of ventura though, that's where I'm currently stuck.

Hope that helps!

@bagofcig

@Aooga776 i could not pass the first command I get operation failed with error: not a known Dirstatus
I’m not sure what I’m doing wrong tried both variation.

@Aooga776

@bagofcig so you used this command?

dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

@bagofcig

@Aooga776 yes, sure that’s what i have been trying.
image

@anktababa

anktababa commented Apr 15, 2023 via email

@Vicki-Olesen

M2 ventura how to remove mdm ?

https://github.com/Kaitiz/Bypass-MDM-Ventura?fbclid=IwAR21FSn00vhU2hNk5sxLRxsAI_XWvgqF1mbyh_OY7T3gdLqHxk0fEnNQs7w

Did anyone check this method with M2 an device and saw if it works?

@Vicki-Olesen

Would like to know if there is any way to bypass MDM on an M2 MacBook pro.. many thanks

@Danricardolara

I was able to enter into MacOS after bypassing, but once inside Ventura, I can’t actually add a different user. I tried to use both “System Administrator”, and “root” but neither work. Strangely other settings that need authentication work with the password I created, as well as logging into the machine.

image

@hellokuls

"Will the device still be controlled after disabling DEP? Is it safe not to install the device management profile?"

@sire901

sire901 commented Apr 22, 2023

HI COULD SOMEONE DIRECT ME IN THE RIGHT PLACE I HAVE A MacBook Pro 13-inch, 2020 AND I CANT SEEM TO GET PAST ACTIVATION LOCK AFTER ERASING MAC... ANY HELP IS GREATLY APPRECIATED

@Simmpa

Simmpa commented Apr 22, 2023

What am I doing wrong ? Command not found. I did a reinstall of Ventura .. when is restarted I went into terminal but, I'm getting bash

IMG_0272

@Simmpa

Simmpa commented Apr 22, 2023

.. and another prob. In recovery I erased the disc, then proceeded to install Ventura and before the install begins you must join a wifi network .. I guess this bypasses DEP
IMG_0273

@aviloveN

Hi even after holding on recovery it still opens up this screen, any way to bypass this?
20230423_125104

@alucardness

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

@Vicki-Olesen

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

Could you please advise how to prevent/avoid this locking issue? As it happened to me before. Thanks

@aviloveN

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

I have another mac, what exactly needs to be done with another mac? I got another MAC and scratching my head apparently

@aviloveN

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

Could you please advise how to prevent/avoid this locking issue? As it happened to me before. Thanks

were you able to bypass this ?

@aviloveN

My MBP M1 bypass MDM completely on MacOS 11.6. Can I upgrade to MacOS 13.3 via Setting? Do I need to bypass MDM again after upgrade? Thanks.

How did you bypass? Kindly help, thanks in advance

@aviloveN

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

image

I get this on a second apple mac with Apple authenticator

@Vicki-Olesen

Vicki-Olesen commented Apr 23, 2023

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

image

I get this on a second apple mac with Apple authenticator

What are the specs of your Macbook Pro? and installed OS version?

@aviloveN

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

image
I get this on a second apple mac with Apple authenticator

What are the specs of your Macbook Pro? and installed OS version?

Specs are m1 MacBook Pro 32GB 14 inch 2021. I am not sure about the installed OS version

@aviloveN

aviloveN commented Apr 23, 2023

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

It's a bit late, your only option is another mac with Apple Configurator.

image
I get this on a second apple mac with Apple authenticator

What are the specs of your Macbook Pro? and installed OS version?

Ok I did manage to get into DFU mode and revive the OS now I see Hello welcome screen, should I get past it by connecting to internet? I assume no right?

Update: I don't see any option to get past the welcome screen without connecting to internet, if I try connecting to internet it goes to the Organization login page

@alucardness

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

@aviloveN

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

No I was trying to install Monterey using USB flash drive as the instructions was around Monterey OS. Will installing Big Sur make a difference? As in I wont be forced to connect to internet?

@alucardness

alucardness commented Apr 24, 2023

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

No I was trying to install Monterey using USB flash drive as the instructions was around Monterey OS. Will installing Big Sur make a difference? As in I wont be forced to connect to internet?

Big Sur will let you go to the desktop without a connection to the internet. It lets you skip the internet connection.

@sire901

sire901 commented Apr 24, 2023 via email

@aviloveN

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

No I was trying to install Monterey using USB flash drive as the instructions was around Monterey OS. Will installing Big Sur make a difference? As in I wont be forced to connect to internet?

Big Sur will let you go to the desktop without a connection to the internet. It lets you skip the internet connection.

Got it, I'll try to setup install Bigsur.

@aviloveN

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

No I was trying to install Monterey using USB flash drive as the instructions was around Monterey OS. Will installing Big Sur make a difference? As in I wont be forced to connect to internet?

Big Sur will let you go to the desktop without a connection to the internet. It lets you skip the internet connection.

Got it, I'll try to setup install Bigsur.

Have you tried installing Big Sur first, bypass the MDM, and then updating to Monterey?

No I was trying to install Monterey using USB flash drive as the instructions was around Monterey OS. Will installing Big Sur make a difference? As in I wont be forced to connect to internet?

Big Sur will let you go to the desktop without a connection to the internet. It lets you skip the internet connection.

I tried reinstalling BigSur but after wiping out the disk it shows "Activate Mac" screen. Even though if I choose install Big Sur OS from the USB drive

@alucardness

if you are seeing this screen

image

It's safe to connect to your network and when the installation is over, better stop your internet, skip the internet setup after first boot, follow the steps from this repo or mine, and then connect your internet.

@aviloveN

image
If I try installing Big Sur I see this error

@aviloveN

if you are seeing this screen

image

It's safe to connect to your network and when the installation is over, better stop your internet, skip the internet setup after first boot, follow the steps from this repo or mine, and then connect your internet.

This, as I read in a blog, doesn't work for Ventura and only for Monterey or Big Sur. I'm not sure why I'm not able to install a lower OS version on the volume.

@sire901

sire901 commented Apr 25, 2023 via email

@aviloveN

I was having this problem until I contacted @appletool on telegram and he was able to bypass activation lock and I installed the os with no problems

Thanks for reference friend, I'll contact him as well. I am not able to understand what wrong I'm doing or is it just I can't bypass this ever and it's just a brick.

@aviloveN

I've been having a very hard time, can I request you to help me over WhatsApp or any sort of messaging channel which might be suitable for you. 😥

if you are seeing this screen

image

It's safe to connect to your network and when the installation is over, better stop your internet, skip the internet setup after first boot, follow the steps from this repo or mine, and then connect your internet.

@alucardness

What is your model?

@aviloveN

What is your model?

My model is M1 Pro 14inch 2021.
The good news is I was able to bypass the login page while installing Monterey following a YT video.

The weird part is if I'm trying to add the apple domains in terminals it says denied.

I swear this took like 3 days seriously 😂

Attached picture.

image

@alucardness

Have you tried with sudo in front of the command?

@aviloveN

Have you tried with sudo in front of the command?

image
Yes tried with both

@alucardness

Are you joking? Put sudo in front of echo like "sudo echo ..."

@aviloveN

Are you joking? Put sudo in front of echo like "sudo echo ..."

image
I added and connected to WiFi and check with enrollment. Is it safe now?
And can it be updated to newer versions of OS?

Apart from that I'd like to thank you and everyone who helped me since past 3 days 😊🙏

@alucardness

It's safe now, you can update till Ventura.

@aviloveN

It's safe now, you can update till Ventura.

Got it mate, updated to Ventura successfully. 🙏

@donkelonio

donkelonio commented Apr 26, 2023

Is this solution supposed to block the device enrollment popup as well?
I have followed all the steps in this guide and I still get the annoying popup once in a while...
My hosts file looks like this:

cat /private/etc/hosts  
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com

@nambh83

nambh83 commented Apr 27, 2023

My MBP M1 bypass MDM completely on MacOS 11.6. Can I upgrade to MacOS 13.3 via Setting? Do I need to bypass MDM again after upgrade? Thanks.

How did you bypass? Kindly help, thanks in advance

Sorry. My English is not good enough. I mean I did Disable Device Enrollment Program (DEP) notification on MacOS 11.6 already. After that can I upgrade to MacOS 13.3 via Settings? Do I need to do Disable Device Enrollment Program (DEP) notification again after upgrade?

@nambh83

nambh83 commented Apr 27, 2023

It's safe now, you can update till Ventura.

Got it mate, updated to Ventura successfully. 🙏

Do you need to do Disable Device Enrollment Program (DEP) notification (bypass MDM) again after upgrade to Ventura? Do you get the annoying popup MDM?

@alucardness

It's safe now, you can update till Ventura.

Got it mate, updated to Ventura successfully. 🙏

Do you need to do Disable Device Enrollment Program (DEP) notification (bypass MDM) again after upgrade to Ventura? Do you get the annoying popup MDM?

No, you don't.

@nambh83

nambh83 commented Apr 27, 2023

It's safe now, you can update till Ventura.

Got it mate, updated to Ventura successfully. 🙏

Do you need to do Disable Device Enrollment Program (DEP) notification (bypass MDM) again after upgrade to Ventura? Do you get the annoying popup MDM?

No, you don't.

Thank you.

@shen0834

shen0834 commented Apr 28, 2023

I got a 16-inch M2 Max MBP, and I'm trying to lift the MDM DEP:

Ventura is pre-installed in the system, and I tried to downgrade to Monterey, but it shows that it cannot be installed on the original hard disk; at the "Choose your country/location" dialogue, there is no "continue without an internet connection" option, so you must connect to Wi-Fi

Warning to everyone: M2 Pro & M2 Max have no way to lift the MDM restriction

Has anyone unlocked MDM successfully?

@Vicki-Olesen

Hi all.. I have an M2 MacBook Pro with Ventura OS installed. Any tips on how to bypass MDM completely? If you can please advise that would be highly appreciated

@spiralz23

spiralz23 commented Apr 28, 2023 via email

@Vicki-Olesen

@spiralz23 Many thanks for your reply. Did you check @joshworksit earlier method? They mentioned it works and successfully managed to bypass MDM on Ventura, but the steps are not clear to me.

Anyone else managed to bypass it using Ventura with the M2 machine?

@Vicki-Olesen

@joshworksit @gwshaw could you please advise? Many thanks in advance

@spiralz23

@spiralz23 Many thanks for your reply. Did you check @joshworksit earlier method? They mentioned it works and successfully managed to bypass MDM on Ventura, but the steps are not clear to me.

Anyone else managed to bypass it using Ventura with the M2 machine?

No sorry I haven't checked recently I may well be wrong it was my understanding of it is all, apologies if I've given incorrect information.
If there is a workaround for M2 Macs, that's great news. Good luck.

@duyjack

duyjack commented Apr 29, 2023

@shepered you can try this way:

Setup DNS for block these domain:

deviceenrollment.apple.com
mdmenrollment.apple.com
iprofiles.apple.com
gdmf.apple.com

Apply DNS for your router. Purpose, it will block request to MDM server of Apple. Then you can renew install ( erase and reinstall) MacOS Ventura normally. After install, you can active your mac without network and after that, you should add these line below into etc/hosts:

0.0.0.0 deviceenrollment.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 gdmf.apple.com

Maybe helpful

@Vicki-Olesen

@shepered you can try this way:

Setup DNS for block these domain:

deviceenrollment.apple.com mdmenrollment.apple.com iprofiles.apple.com gdmf.apple.com

Apply DNS for your router. Purpose, it will block request to MDM server of Apple. Then you can renew install ( erase and reinstall) MacOS Ventura normally. After install, you can active your mac without network and after that, you should add these line below into etc/hosts:

0.0.0.0 deviceenrollment.apple.com 0.0.0.0 mdmenrollment.apple.com 0.0.0.0 iprofiles.apple.com 0.0.0.0 gdmf.apple.com

Maybe helpful

@duyjack many thanks for your reply. The problem is that Ventura requires an internet connection during setup.

@Vicki-Olesen

@spiralz23 Many thanks for your reply. Did you check @joshworksit earlier method? They mentioned it works and successfully managed to bypass MDM on Ventura, but the steps are not clear to me.
Anyone else managed to bypass it using Ventura with the M2 machine?

No sorry I haven't checked recently I may well be wrong it was my understanding of it is all, apologies if I've given incorrect information. If there is a workaround for M2 Macs that's great news. Good luck.

Thanks for trying to help @spiralz23 .. @ALL Has anyone successfully fully bypassed M2 or Ventura? Please advise

@shahriar-shojib

Is this solution supposed to block the device enrollment popup as well? I have followed all the steps in this guide and I still get the annoying popup once in a while... My hosts file looks like this:

cat /private/etc/hosts  
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com

I have the same issue, were you able to get it to stop?

@donkelonio

Is this solution supposed to block the device enrollment popup as well? I have followed all the steps in this guide and I still get the annoying popup once in a while... My hosts file looks like this:

cat /private/etc/hosts  
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com

I have the same issue, were you able to get it to stop?

Unfortunately I have not been able to stop the popups...

@shahriar-shojib

@donkelonio I ran sudo profiles remove -all and I haven't received notifications since.
Got the instructions from: here

@donkelonio

here

@shahriar-shojib I did not have any profiles to remove... You may want to wait a few hours to see if you truly got rid of it... in my case the popup comes up at random times...

@pritpalspall

pritpalspall commented Apr 29, 2023

stop the popups...

I'm no expert, but I added one more entry in my host file. Hope this helps

STEP 1: open terminal and type:
sudo profiles show -type enrollment (press enter)
Type in your password.

This will show you the current enrollment configuration your Mac has.
STEP 2: copy the domain mentioned in "ConfigurationURL" by selecting the address without the (").

STEP 3: type:
sudo pico /etc/hosts (press enter)
Type in your password
you should see something like this...
.##
.# Host Database
.#
.# localhost is used to configure the loopback interface
.# when the system is booting. Do not change this entry.

127.0.0.1 localhost
... broadcasthost
::1 localhost

STEP 4: use your arrow key to go down to the bottom, press "return" twice and type:
127.0.0.1 iprofiles.apple.com (press enter) and you are about to paste the configuration url copied in step 2.
 127.0.0.1 paste the "ConfigurationURL" you copied in step 2 (press enter)
Below is an example of what it looks like in my case...

.##
.# Host Database
.#
.# localhost is used to configure the loopback interface
.# when the system is booting. Do not change this entry.
.##
127.0.0.1 localhost
... broadcasthost
::1 localhost

127.0.0.1 iprofiles.apple.com
127.0.0.1 https://jss.client-******************
Use control+ O to write then the "Return" key so that it writes over that file, then control+ X to exit.

STEP 5: Clear the cache by typing:
sudo dscacheutil -flushcache (press enter)

STEP 6: proceed to delete the profile by typing:
sudo profiles remove -all
Keep in mind that this command will delete all other profiles you may have.
Finally, you can check for the enrollment profile again (STEP 1), you should get an error saying that it could not be retrieved given that you blocked the domain from where it's retrieved:
sudo profiles show -type enrollment

Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}

And the notification is gone for good.

@Vicki-Olesen

Has anyone successfully fully removed the MDM from M2 Ventura MacBook Pro? Thanks

@donkelonio

stop the popups...

I'm no expert, but I added one more entry in my host file. Hope this helps

STEP 1: open terminal and type: sudo profiles show -type enrollment (press enter) Type in your password.

This will show you the current enrollment configuration your Mac has.
STEP 2: copy the domain mentioned in "ConfigurationURL" by selecting the address without the (").

STEP 3: type: sudo pico /etc/hosts (press enter) Type in your password you should see something like this... .## .# Host Database .# .# localhost is used to configure the loopback interface .# when the system is booting. Do not change this entry.

127.0.0.1 localhost ... broadcasthost ::1 localhost

STEP 4: use your arrow key to go down to the bottom, press "return" twice and type: 127.0.0.1 iprofiles.apple.com (press enter) and you are about to paste the configuration url copied in step 2.
 127.0.0.1 paste the "ConfigurationURL" you copied in step 2 (press enter) Below is an example of what it looks like in my case...

.## .# Host Database .# .# localhost is used to configure the loopback interface .# when the system is booting. Do not change this entry. .## 127.0.0.1 localhost ... broadcasthost ::1 localhost

127.0.0.1 iprofiles.apple.com 127.0.0.1 https://jss.client-****************** Use control+ O to write then the "Return" key so that it writes over that file, then control+ X to exit.

STEP 5: Clear the cache by typing: sudo dscacheutil -flushcache (press enter)

STEP 6: proceed to delete the profile by typing: sudo profiles remove -all Keep in mind that this command will delete all other profiles you may have.
Finally, you can check for the enrollment profile again (STEP 1), you should get an error saying that it could not be retrieved given that you blocked the domain from where it's retrieved: sudo profiles show -type enrollment

Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}

And the notification is gone for good.

Let me start by mentioning that I had connected to a VPN that may have bypassed the host file and thus correctly resolved the IP of the domains mentioned in the original post. Thus, by clearing the DNS cache, the popup is no longer showing up.
There are a few things that may not be correct with your post. First, you should follow the process discussed in the original post to edit the host file. However, I don't think you need to add the additional URL (in your case "127.0.0.1 https://jss.client-***"). The host file should not contain mentions of protocols such as https, but only the domain name that needs to be resolved statically to an IP.
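
A defender-side check for the hosts-file behaviour discussed in the comments above, as an added example that is not part of the original thread: it parses a hosts file and reports entries that pin the Apple enrollment hostnames named in this thread to a loopback or unspecified address, plus entries whose name field is a URL rather than a bare hostname. The function names and the sample file are constructed for illustration.

```python
"""Audit a hosts file for overrides of Apple device-management hostnames."""
import ipaddress
import re
from dataclasses import dataclass

# Hostnames named in this thread. A fleet audit would add its own MDM server
# name here (assumption: that name is known to the auditor).
WATCHED_HOSTS = frozenset({
    "iprofiles.apple.com",
    "mdmenrollment.apple.com",
    "deviceenrollment.apple.com",
    "gdmf.apple.com",
})

# One DNS label, then one or more labels joined by dots. No scheme, port or path.
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str     # "sinkholed", "redirected", "malformed-name" or "bad-address"
    address: str
    name: str


def audit_hosts(text, watched=WATCHED_HOSTS):
    """Return a Finding for every suspicious entry in hosts-file text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Everything after '#' is a comment; fields are whitespace-separated.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            # Drop an IPv6 zone id such as "%lo0" before parsing.
            ip = ipaddress.ip_address(address.split("%", 1)[0])
        except ValueError:
            findings.append(Finding(line_no, "bad-address", address, names[0]))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if not HOSTNAME_RE.fullmatch(host):
                # e.g. "https://..." in the name field: never matches a lookup.
                findings.append(Finding(line_no, "malformed-name", address, name))
            elif host in watched:
                local = ip.is_unspecified or ip.is_loopback
                kind = "sinkholed" if local else "redirected"
                findings.append(Finding(line_no, kind, address, host))
    return findings


def overridden_hosts(findings):
    """Watched hostnames whose resolution the hosts file overrides."""
    return {f.name for f in findings if f.kind in ("sinkholed", "redirected")}


# Constructed sample input, modelled on the hosts files quoted in this thread.
# The last line uses a placeholder server name, not a real one.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
127.0.0.1 DeviceEnrollment.apple.com   # mixed case still matches
127.0.0.1 https://mdm.example.invalid/enroll
"""

if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.address} {f.name}")
    missing = sorted(WATCHED_HOSTS - overridden_hosts(results))
    print("watched hosts not overridden:", ", ".join(missing) or "none")
```
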

@Vicki-Olesen

@donkelonio Are you M2 Ventura? Thanks

@donkelonio

@donkelonio Are you M2 Ventura? Thanks

@Vicki-Olesen I am on an Intel Core i5 running Ventura 13.0

@Vicki-Olesen

Vicki-Olesen commented May 1, 2023

@donkelonio Thanks for your reply and kind help and assistance; much appreciated. So you did the whole MDM process on Ventura? Or earlier OS and then upgraded to Ventura?

@Vicki-Olesen

stop the popups...

I'm no expert, but I added one more entry in my host file. Hope this helps

STEP 1: open terminal and type: sudo profiles show -type enrollment (press enter) Type in your password.

This will show you the current enrollment configuration your Mac has.
STEP 2: copy the domain mentioned in "ConfigurationURL" by selecting the address without the (").

STEP 3: type: sudo pico /etc/hosts (press enter) Type in your password you should see something like this... .## .# Host Database .# .# localhost is used to configure the loopback interface .# when the system is booting. Do not change this entry.

127.0.0.1 localhost ... broadcasthost ::1 localhost

STEP 4: use your arrow key to go down to the bottom, press "return" twice and type: 127.0.0.1 iprofiles.apple.com (press enter) and you are about to paste the configuration url copied in step 2.
 127.0.0.1 paste the "ConfigurationURL" you copied in step 2 (press enter) Below is an example of what it looks like in my case...

.## .# Host Database .# .# localhost is used to configure the loopback interface .# when the system is booting. Do not change this entry. .## 127.0.0.1 localhost ... broadcasthost ::1 localhost

127.0.0.1 iprofiles.apple.com 127.0.0.1 https://jss.client-****************** Use control+ O to write then the "Return" key so that it writes over that file, then control+ X to exit.

STEP 5: Clear the cache by typing: sudo dscacheutil -flushcache (press enter)

STEP 6: proceed to delete the profile by typing: sudo profiles remove -all Keep in mind that this command will delete all other profiles you may have.
Finally, you can check for the enrollment profile again (STEP 1), you should get an error saying that it could not be retrieved given that you blocked the domain from where it's retrieved: sudo profiles show -type enrollment

Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}

And the notification is gone for good.

Hi @pritpalspall thanks for this info. Are you M2 or Ventura? Thanks

@Vicki-Olesen

Hi All, Any updates on fully removing the MDM from M2 Ventura MacBook Pro? Thanks

@alucardness

I don't think it's possible at the moment. Since you can't downgrade new Macs (M2) to Big Sur.

@Vicki-Olesen

@alucardness really :/? I saw heard that some people managed to bypass it on M2.

@henrik242
Author

henrik242 commented May 2, 2023

Hi, OP here. This is how I bypassed MDM/DEP on my M2 Macbook Pro with Ventura:

  1. Blocked iprofiles.apple.com, mdmenrollment.apple.com and deviceenrollment.apple.com in my router.
  2. On first install, I could skip internet connection
  3. On first login (still without network), I opened a Terminal and updated my /etc/hosts:
    echo 0.0.0.0 iprofiles.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 mdmenrollment.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 deviceenrollment.apple.com | sudo tee -a /etc/hosts
  4. Removed any lingering profiles just in case:
    sudo profiles remove -all

Done. I haven't seen any MDM/DEP requests, even after upgrading to later versions of Ventura.

I have also done some additional stuff, but I don't believe it's necessary:

  • Bought and installed the Little Snitch firewall, and blocked incoming and outgoing network for /usr/libexec/teslad and /usr/libexec/mdmclient, as well as the hosts in pt. 1.
  • Disabled teslad and mdmclient services:
    sudo launchctl disable system/com.apple.devicemanagementclient.teslad
    sudo launchctl disable gui/501/com.apple.mdmclient.agent
    

@Vicki-Olesen

Hi, OP here. This is how I bypassed MDM/DEP on my M2 Macbook Pro with Ventura:

  1. Blocked iprofiles.apple.com, mdmenrollment.apple.com and deviceenrollment.apple.com in my router.
  2. On first install, I could skip internet connection
  3. On first login (still without network), I opened a Terminal and updated my /etc/hosts:
    echo 0.0.0.0 iprofiles.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 mdmenrollment.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 deviceenrollment.apple.com | sudo tee -a /etc/hosts
  4. Removed any lingering profiles just in case:
    sudo profiles remove -all

Done. I haven't seen any MDM/DEP requests, even after upgrading to later versions of Ventura.

I have also done some additional stuff, but I don't believe it's necessary:

  • Bought and installed the Little Snitch firewall, and blocked incoming and outgoing network for /usr/libexec/teslad and /usr/libexec/mdmclient, as well as the hosts in pt. 1.
  • Disabled teslad and mdmclient services:
    sudo launchctl disable system/com.apple.devicemanagementclient.teslad
    sudo launchctl disable gui/501/com.apple.mdmclient.agent
    

Awesome.. many thanks for the update @henrik242 .. Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks

$ profiles status -type enrollment

@Vicki-Olesen

@henrik242 I am doing your steps now .. Could you please advise how you skipped the internet connection on the first install? Many thanks for your kind help and assistance; much appreciated

@maclover696

maclover696 commented May 2, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did
On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished.
Remove the External SSD
Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk.
REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

@Vicki-Olesen

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks

$ profiles status -type enrollment

@maclover696

maclover696 commented May 3, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks

$ profiles status -type enrollment

here you go

Enrolled via DEP: No
MDM enrollment: No

The screens for MDM enrollment never showed up because I completely bypassed it thru the first computer. Yes, it does require another M1 computer that's Non-DEP but that process is just once to build the External SSD OS once.

I did find some videos about disabling wifi, login, enable wifi, download some software (is that software safe? Something about Checkm8) but I don't want to install software - I'm sure it's fine since people are using it but I don't want to run csrutil either, terminal etc.

Anyway, I felt it was too much babysitting the process so I rather just install it twice with my method cuz I can just go to sleep after part 1 started and just do part 2 and set it and forget it.

Much easier and requires no real attention to watch it install.

And the benefit of my method is that my external SSD can be updated with latest software so any new Macs I install would have all of the software I normally want on it. Visual Studio code, nodejs, docker etc. It's an "golden image" for my own base build!

Glad I was able to contribute to this new method! I've been using the csrutil editing hosts tricks for many years. Frustrated a long time that I cannot do the same on M1 and Carbon Copy and SuperDuper are all failing also. My method can also help you dupe a working Mac completely if you ever say upgrade to a new computer and do not want to reset everything from scratch. I don't think Migration Assistant will migrate stuff I installed manually via GIT etc in various directories so I rather just copy it all as is in the future.

@hohodyret

@maclover696
Thank you for your detailed guide.

I was wondering if this guide works if I only have a MacBook Pro Late 2017 model, or do I need a MacBook with the new M1/M2 architecture?

@yff0216

yff0216 commented May 6, 2023

Very good, thank you.

@thrashingkitten

thrashingkitten commented May 6, 2023

I have an M1 device that I'm pretty sure I was able to disable the mdm profile off of, I don't see it popping up anymore and I have admin access, I ran the sudo script to see if there were any profiles listed and it said no profiles found. I was able to update to Ventura, will I be good to update in the future?

@yff0216

yff0216 commented May 6, 2023 via email

@Vicki-Olesen

I have an M1 device that I'm pretty sure I was able to disable the mdm profile off of, I don't see it popping up anymore and I have admin access, I ran the sudo script to see if there were any profiles listed and it said no profiles found. I was able to update to Ventura, will I be good to update in the future?

Yes

@Simmpa

Simmpa commented May 7, 2023 via email

@piranhap

piranhap commented May 8, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks
$ profiles status -type enrollment

here you go

Enrolled via DEP: No
MDM enrollment: No

The screens for MDM enrollment never showed up because I completely bypassed it thru the first computer. Yes, it does require another M1 computer that's Non-DEP but that process is just once to build the External SSD OS once.

I did find some videos about disabling wifi, login, enable wifi, download some software (is that software safe? Something about Checkm8) but I don't want to install software - I'm sure it's fine since people are using it but I don't want to run csrutil either, terminal etc.

Anyway, I felt it was too much babysitting the process so I rather just install it twice with my method cuz I can just go to sleep after part 1 started and just do part 2 and set it and forget it.

Much easier and requires no real attention to watch it install.

And the benefit of my method is that my external SSD can be updated with latest software so any new Macs I install would have all of the software I normally want on it. Visual Studio code, nodejs, docker etc. It's an "golden image" for my own base build!

Glad I was able to contribute to this new method! I've been using the csrutil editing hosts tricks for many years. Frustrated a long time that I cannot do the same on M1 and Carbon Copy and SuperDuper are all failing also. My method can also help you dupe a working Mac completely if you ever say upgrade to a new computer and do not want to reset everything from scratch. I don't think Migration Assistant will migrate stuff I installed manually via GIT etc in various directories so I rather just copy it all as is in the future.

@maclover696 Do you know if this method works on a Mac that is not M1/M2?

@maclover696

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks
$ profiles status -type enrollment

here you go
Enrolled via DEP: No
MDM enrollment: No
The screens for MDM enrollment never showed up because I completely bypassed it thru the first computer. Yes, it does require another M1 computer that's Non-DEP but that process is just once to build the External SSD OS once.
I did find some videos about disabling wifi, login, enable wifi, download some software (is that software safe? Something about Checkm8) but I don't want to install software - I'm sure it's fine since people are using it but I don't want to run csrutil either, terminal etc.
Anyway, I felt it was too much babysitting the process so I rather just install it twice with my method cuz I can just go to sleep after part 1 started and just do part 2 and set it and forget it.
Much easier and requires no real attention to watch it install.
And the benefit of my method is that my external SSD can be updated with latest software so any new Macs I install would have all of the software I normally want on it. Visual Studio code, nodejs, docker etc. It's a "golden image" for my own base build!
Glad I was able to contribute to this new method! I've been using the csrutil editing hosts tricks for many years. Frustrated a long time that I cannot do the same on M1 and Carbon Copy and SuperDuper are all failing also. My method can also help you dupe a working mac completely if you ever say upgrade to a new computer and do not want to reset everything from scratch. I don't think Migration Assistant will migrate stuff I installed manually via GIT etc in various directories so I rather just copy it all as is in the future.

@maclover696 Do you know if this method works on a Mac that is not M1/M2?

Yes, it works. I tried it on couple of Intel x86 Macbooks.

What you do need to do is--- make sure you go into Secure Boot and enable boot from external USBs. That seems to be something that was off by default on couple of my Intel Macbooks and I had to allow it to boot from external drives.

Otherwise it works the same way I did it on the M2 or M1 Macbook Air.

@maclover696

Note you have to create a new image off of another Intel x86 macbook first that is Non-DEP Enabled. You cannot use the M1/M2 OS replica on Intel x86. Just want to make sure I clarified that point.

@bagofcig

bagofcig commented May 9, 2023

Do you know if this method works on macbook Pro M2 max 2023?
And also, do I have to use m1/m2 mac or any older Mac devices? Because I have an older Macbook 2015

@Cobalt-Genie

Question for those who have tried to bypass DEP via the "install the OS on a second machine" method that's been detailed above. After the install, has anyone tried to setup (or use their existing) Apple ID on the new machine, if so — were there any issues?

I bought an as-is MBP 16" 2019 model for parts, surprisingly — I was able to get it back up and running but I'm getting the "The xxx can automatically configure your Mac" popup.

@kblackwall

@aviloveN Could you write steps you went through, please? May I contact you somehow?

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way.
I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

@maclover696

Do you know if this method works on macbook Pro M2 max 2023? And also, do I have to use m1/m2 mac or any older Mac devices? Because I have an older Macbook 2015

It should work on M2 Pro Max. I built the image on M1 Pro Max, then deployed it on M2 Air and M1 Pro and M1 Air.

You must use M1/M2 as the first Mac non-DEP in order to get the proper image for Apple Silicon.

Your 2015 Macbook is Intel chipset and will not work.

@maclover696

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

@maclover696

Question for those who have tried to bypass DEP via the "install the OS on a second machine" method that's been detailed above. After the install, has anyone tried to setup (or use their existing) Apple ID on the new machine, if so — were there any issues?

No issues, I've done this like 4 times already. It will ask you to authenticate again (because I didn't log out when I built the image from the first Apple Silicon non-DEP machine)

I bought an as-is MBP 16" 2019 model for parts, surprisingly — I was able to get it back up and running but I'm getting the "The xxx can automatically configure your Mac" popup.

You can use the old DEP bypass method on the Intel MBP 16. Or you can do exactly what I did. I replicated the built image from non-DEP then deploy to DEP-enabled machine method using Intel Macs also. It's the same procedure but you do need to make sure the intel Macbook are set to allow external USB boot. It's in recovery mode secure boot utilities.

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

@r1vered

r1vered commented May 13, 2023

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Are you saying that this method completely rids the Mac of any DEP going forward? So if I wanted to do a clean install a year from now or update to whatever comes after Ventura, I'll no longer have to jump through hoops ever again?

@predragcvetkovski

predragcvetkovski commented May 15, 2023

How to Bypass Activation Lock on Mac:

5/14/23 - another successful bypass of DEP on M1 2020 MacBook Air with Ventura (credit goes to @maclover696 👏👏👏)

Here is an updated version that works (modified steps to erase internal physical drive, which forces device restart into Activation screen):

Pre-requirements:

  • Mac with Activation Lock
  • Unlocked Mac laptop or desktop (e.g., M1, M2, Pro, Mini, Studio, etc.) - not enrolled in Device Enrollment Program (DEP) / Mobile Device Management (MDM)
  • USB Flash Drive (14GB+ USB3.x/USB-C/Thunderbolt) - To create a USB Boot installer for macOS
  • External SSD (50GB+ USB3.x/USB-C/Thunderbolt) - To install and boot from external drive

Step by step instructions on:

Unlocked Mac

  1. Create a bootable installer with macOS Ventura on USB Flash Drive, see instructions at https://support.apple.com/en-us/HT201372
  2. Restart and boot from USB Flash Drive with macOS Ventura
  3. Install macOS Ventura on the External SSD
  4. Finish installation and create a user account
  5. Boot from External SSD to make sure it is working

Congrats 🎉🎉🎉 now you have a bootable external SSD

Mac with Activation Lock*

  1. Boot into Recovery mode, see instructions at https://support.apple.com/en-us/HT201255
  2. Open Disk Utility > select Internal Drive (or Macintosh HD) > click Restore > select External SSD (this process will fail, nothing to worry about)
  3. Erase Internal Drive (all volumes)
  4. Repeat step 3 above, select Internal Drive (or Macintosh HD) > click Restore > select External SSD. Be patient, the restoration speed varies depending on the type of External SSD and connectivity - some 45-60min on Samsung 980Pro 1TB NVMe in Sabrent USB-C enclosure. (this time the operation will succeed)
  5. Shut down > remove External SSD
  6. Boot from Internal Drive (this process will fail, and it will restart into Recovery mode, nothing to worry about)
  7. Restart and boot from USB Flash Drive with macOS Ventura
  8. Connect to WiFi/LAN, macOS Ventura requires internet connection for installation (no need to block ports on your router or /etc/hosts hacks, csrutil, etc.)
  9. Install macOS Ventura from USB Flash Drive to Internal Drive (this time do not erase internal drive)
  10. Restart after the OS installation is complete and login with the user credentials created on External SSD installation (step 4 from unlocked Mac)

Congrats 🎉🎉🎉 you've just 🔗‍💥 bypassed DEP/Business Manager

*Depending on the state of your Mac, you may need Apple Configurator to revive / restore your Mac to bring it back to life. See instructions at https://support.apple.com/guide/apple-configurator-mac/revive-or-restore-a-mac-with-apple-silicon-apdd5f3c75ad/mac and Apple Silicon M1/M2 macOS IPSW Firmware Restore Files Database https://mrmacintosh.com/apple-silicon-m1-full-macos-restore-ipsw-firmware-files-database/ alternatively Apple Configurator will download automatically the latest version.

@Vicki-Olesen

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

I’ve never been able to, that was my question

@predragcvetkovski

@Vicki-Olesen @mabearce1 updates are working fine, you can login with an Apple ID, access appstore to get, install or update any software, including system updates.

Alternatively, in case you don't want to login, you can always update macOS, and any installed software on your External USB, however you will need to repeat the process above on both devices, as suggested by @maclover696

If you are interested to learn how DEP/MDM works, and what happens to a device without DEP (run profiles status -type enrollment to confirm), these are good links:
Apple Guide
Device with DEP
Using DEP

Things to remember your device hits different Apple servers:

  • during macOS Ventura installation to check DEP status (MDM servers)
  • when you run profiles status -type enrollment (MDM servers)
  • login with Apple ID (Discover Authentication Servers)

Apple device without DEP is like Twitter tweet with Elon's 🔬

@Vicki-Olesen

Many thanks @predragcvetkovski for your kind assistance; much appreciated. So can you confirm that you can update your Mac OS normally via General -> Software Update in system settings? No DEP notifications are sent to you after this without blocking hosts written in earlier threads and comments?

One last thing, what does the below command line show when you write it in the terminal?

sudo profiles show -type enrollment

@maclover696 I would highly appreciate it if you can advise as well.

Many thanks again for both of you

@Vicki-Olesen

@predragcvetkovski @maclover696 Could you please advise? Many thanks

@eternalgod

eternalgod commented May 18, 2023

For Intel based MacBooks (Air and Pro), I was able to validate the method given by @predragcvetkovski and @maclover696

Note, if you connect to internet during the restore process from an external SSD having clean ventura 13.3.1 installed along with a created super user, then it restores quickly without any errors and boots into internal mac also without any errors.

Output of DEP/MDM:
% sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: Client is not DEP enabled.
% sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

Again thanks @predragcvetkovski and @maclover696 for detailing the steps. This is the easiest and safest method to bypass MDM/DEP on Intel based MacBooks.

OTA updates work, I was able to install Ventura macOS Security Response 13.3.1 (a) at the time of this writing without any issues.

@eternalgod

eternalgod commented May 18, 2023

Update: Continued testing the external SSD having Ventura 13.3.1 with super user which was created by non-MDM/non-DEP Intel based MacBook on M1/Apple silicon based MacBook Pro (with MDM/DEP)

And it still works!

Restore option fails but manages to replicate the external SSD onto the internal SSD.
Fails to boot up using internal SSD and complains that the OS has to be reinstalled
Installed via bootable USB having Ventura OS (this was also created by non-MDM/non-DEP Intel Macbook)

Took a long time to repair and install.

Finally booted into user prompt which was created on external SSD.

Output of DEP/MDM:
% sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: Client is not DEP enabled.
% sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

Kudos to @predragcvetkovski and @maclover696 for the base method of restoring internal HD with external HD :)

@eternalgod

Update: Resetting the mac/erase all settings - brings back the DEP/MDM/Activation so please refrain from doing so.

@dutton241-9

dutton241-9 commented May 18, 2023

Is it possible to upload the image file for download at all? for others that don't have access to another M1 Mac? is that at all possible?

I am very new to all of this, updated to Ventura and then wiped Mac without reading anything, so having to learn pretty fast ... ha!

@eternalgod

@dutton241-9 : Image is over 12GB, It's better you ask someone in your networking circle to install macOS on an external SSD.

@Jbb08

Jbb08 commented May 19, 2023

Awesome @eternalgod
So I have an M2 MacBook Pro that has DEP removed. But it is still linked to MDM.

I was waiting for another M1/M2 MacBook before trying @maclover696 method.
Then I saw that you used a non MDM/DEP Intel Mac to create the Ventura SSD to use to restore from.

So I tried that.
Created the Ventura SSD, booted into recovery (held power button) used disk utility to wipe internal drive, however in doing so it asked me to Activate the Mac which needed an internet connection (not seen that on here) I did that.
It restarted but of course the internal drive was empty.
Went back into recovery and got back to disk utility to carry on with the restoring from SSD to the internal drive.
This took like 5 mins, it was super quick as my drive was 9gb installed.
It rebooted. Then the issue with authorisation of the User. So it rebooted back into recovery. This time added the USB Ventura Installer, and booted from that for installing Ventura over the top of the internal disk.
This took about 35 mins. However installed Ventura requires the internet, so again I turned Wi-Fi on (as it failed this first time because I had it off) once finished it then booted from the internal disk to my user prompt perfectly.

All seemed fine until terminal checks returned the following-

sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No

all good right?

but
sudo profiles show -type enrollment
Returns the MDM company details and Apple pushes a message asking if I want to enrol the MacBook to that MDM…

does this mean I am going to get those messages periodically now?
Why does status say NO to both, but show brings up the MDM?

have I done something wrong?

@eternalgod

eternalgod commented May 19, 2023

@Jbb08 : You did all the steps correctly. Can you please confirm if the external ventura SSD was created indeed from a non-mdm mac?

Is it possible for you to use the previous non-mdm mac and reboot from the external ventura ssd. Log into the admin account and run the same sudo profiles command to make sure you get "Error fetching Device Enrollment configuration: Client is not DEP enabled"?

I rechecked on the MDM enabled M1 Mac at my end and I am still getting the above correct message with sudo profiles show command. I also pinged iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com, gdmf.apple.com and I was able to ping all the servers with DNS correctly providing their ip addresses back. Rechecked again with the command with the same correct response.

I am not sure what went wrong at your end but I strongly suspect the external ventura SSD you created. Both bootable usb ventura installer and external ventura installed ssd should be done with non-mdm/non-dep Mac.

At no point I had turned off the internet when I was restoring. Could you please redo all the steps without turning off internet?

@Jbb08

Jbb08 commented May 19, 2023

Thanks @eternalgod
So I did discover my USB Ventura Installer was created on an Intel DEP/MDM MBP.
So I recreated it on the non DEP/MDM Intel MBP
At the same time also wiped the SSD and installed Ventura onto it from the Intel non DEP/MDM Intel MBP.

Started whole process again, all with internet fully on.
All went smoothly.
Profiles - status = DEP No , MDM No
Profiles - show = Full company MDM info.
I’m thinking that this computer must call home whenever I send the request for showing of enrolment detail, and again the mac pushes me to allow it to install the MDM profile, which of course I don’t.
My last attempt will be to create a Ventura USB installer and SSD installed build on my mate’s personal M1 MBP which is guaranteed not to have had DEP or MDM on it. Otherwise I have no clue why it’s not working.

also when I tested the SSD Ventura on the non dep/MDM Intel MBP to make sure my admin profile worked, both status and show came back as you describe so that build is free of anything.
Restoring that build then overwriting the build with a fresh install seems to be where it’s going wrong OR
It’s phoning home in the ‘show’ call who knows.

any further thoughts?

@eternalgod

eternalgod commented May 21, 2023

@Jbb08 : I honestly don't know why your computer is homing when called for showing of enrollment details. Let us know how the external SSD from M1 non-MDM goes.

Another note: After using Intel based Mac's generated external SSD on a M1 Mac (which worked on my end), the external SSD boots no more and cannot be used to flash any other Macs (both Intel and Apple silicon). So I think its best to create an Intel's external SSD AND Apple silicon's external SSD. Appropriately storing the contents in a separate HD (backup) for future references or copies. It takes a while to build these SSDs especially with custom software etc.

@Vicki-Olesen

@eternalgod I wonder if you think the external hard drive method is more reliable/convenient over the long term or the host blocking method? Thanks

@Jbb08

Jbb08 commented May 21, 2023

Thanks @eternalgod
So M1 non dep/mdm machine, created new Ventura USB, then used that usb to create a Ventura ssd with admin profile. Tested working.

completed all steps again with M1 produced ssd restore then usb installer over top.
Rebooted and admin profile appeared.

Status - No Dep and No MDM
Show - full company MDM details…

I have no clue why when it calls iprofiles.apple.com that it must use the serial number and phone the Apple database. I know it’s not DEP enabled but the MDM side is live and these steps don’t work for me I am afraid
Not even @maclover696 method works for me on M2 MBP :(

@GeorgeDuke1971

Hello, this thread was very useful for turning off DEP notifications on a few of my intel macs running Monterey (or earlier), but I am not clear how to do this on an intel mac running Ventura. There are some comments in this thread with M1/M2 macs with Ventura so is the process the same with intel macs? I would prefer no erasing my system internal disk.
Using ikecanvas's post above worked well in Monterey but those instructions don't work for me in Ventura.

@eternalgod

@Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

@eternalgod

@Vicki-Olesen : I found the external SSD restore method to be far more efficient.

For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

@Vicki-Olesen

Many thanks @eternalgod for your kind assistance. I actually thought the opposite that if we did it via the SSD method, we have a greater risk of having it caught by any future update from Apple since hosts are not blocked. I will be doing it on my M2 Ventura Macbook Pro this week and will let you know if it worked.

@eternalgod

@GeorgeDuke1971 : It is the same procedure for Intel macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

@Cobalt-Genie

Has anyone tested the process @predragcvetkovski detailed using a macOS Monterey Setup on an intel mac, or is this just for Ventura? Just curious to know if anyone has had any success with that.

Thanks to everyone here that's been providing info and feedback. I'm working on a MBP 2019 with t2 chip and using a MBP 2015 as my non-DEP/MDM device to create the installers.

@Jbb08

Jbb08 commented May 23, 2023

@Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

Thanks @eternalgod
I’ve modified the host file to 0.0.0.0 profiles.apple.com
The status returns No for both DEP and MDM, and show returns an error reaching Apple servers I believe, however it’s not the ‘error fetching device enrolment’ one.

do you believe I should do anything else?

@Jbb08

Jbb08 commented May 23, 2023

@Vicki-Olesen : I found the external SSD restore method to be far more efficient.

For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

Also @eternalgod you mention a Mac coming default with Ventura can’t skip internet.
My MDM MacBook Pro is a brand new M2 Max 32gb unified memory 1TB and whilst it does not have DEP confirmed, it does have MDM and as previously mentioned despite all attempts I can’t get it to stop phoning home once I use the ‘show’ enrolment terminal check. So my only option is blocking using the host file. But as you say for how long will that work.

@eternalgod

eternalgod commented May 23, 2023

@Jbb08 : For now you are ok with blocking hosts. just make sure you block the following:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com

These should do for now. All the best with the device. There shouldn't be any notifications, afaik.

@GeorgeDuke1971

@GeorgeDuke1971 : It is the same procedure for Intel macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

Thanks I suppose I can do this but a lot more trouble than just entering some terminal commands like I did in Monterey.
If I do follow @predragcvetkovski post, erase the OS disk, reinstall macOS from external SSD, etc., can I restore from a Time Machine backup (for my intel Macmini8,1) or does that also restore DEP notifications?
In retrospect, it would have been easier to just stay with Monterey.

@eternalgod

eternalgod commented May 23, 2023

@GeorgeDuke1971 : There are two options with Ventura based Macs with DEP/MDM enabled.

One: Most of the Macs with Ventura on it don't provide a third option to not connect to internet during setup assistant. This can be easily bypassed by enabling root user using dscl command and creating a file .AppleSetupDone. Please refer to @joshworksit post for more details. Once you bypass the setup assistant, you can block the host file and be done with it. This is less time consuming and a quick hack (you don't even have to erase your internal disk)

Two: A cleaner option is to follow @maclover696 and @predragcvetkovski post. This is more time consuming and needs access to another mac without MDM/DEP enabled, an external SSD and an USB drive etc. So I would try the first option to simply get past.

My preference is the second one as the mac is DEP enabled so it won't fetch any configurations during profiles show -type enrollment command.

Restoring from Time Machine backup will bring back the DEP notifications.

@RourouDuzi688

@eternalgod Thank you man for figuring this out, I tried all kinds of methods and none of them seems to work until I stumbled across this post. you are definitely God haha. Follow your steps and it worked like a charm! Did it for the M1 and Intel base and both worked.

@eternalgod

@RourouDuzi688, glad you got it worked on both intel based and apple based silicon Macs. Credit goes to @maclover696 @predragcvetkovski and @joshworksit

@eternalgod

@RourouDuzi688 : make sure you update here with any differences in method or results that you faced based on the version of MacOS or Mac devices that you used. It's good to update this thread with changes, if any. Did you face any issues with Ventura 13.4?

@Jbb08

Jbb08 commented May 24, 2023

I agree with @eternalgod updating specific setup and success helps those like me who have had zero luck.
So far I can’t find another user with MDM only (not DEP) on an M2 which default comes with Ventura.
My USB installer was made of 13.3.1.
And whilst the process worked entirely. There were some key differences to the instructions others have so very kindly posted.
Mainly being.
When I go to wipe the internal drive I need the admin account to unlock it, but also when you erase the internal drive it forces you to connect to the internet to Activate the Mac. Then will automatically reboot to take effect.
This means that you cannot simply restore from the SSD straight away. You have to go back into recovery mode and then restore SSD.
Another one is internet is required for Ventura USB installer override of the ssd restored profile. In adding the internet here I wondered if it did something to call the MDM server who knows.
I wonder if I could block the installation process from calling any enrolment servers who knows..

but that’s been my experience so far. M2 16” with MDM only but no DEP won’t work using the above instructions so I’m left with host file blocking for now :-(

@jwedding

I'm in the same boat @Jbb08, no profiles - status, but the occasional prompt to join back up. I've blocked the hosts files, but something still seems to be phoning home.

@Vicki-Olesen


Hi @maclover696 @eternalgod @predragcvetkovski I am getting this error while trying to boot up from the Ventura SSD that I created from non-mdm M2 Macbook Pro.. Anyone have idea why this is happening? Many thanks

Unable to set startup disk: An error occurred while setting “Ventura” as the startup disk: The operation couldn’t be completed. (SDErrorDomain error 108.)

@eternalgod

eternalgod commented May 25, 2023 via email

@RourouDuzi688

@RourouDuzi688, glad you got it worked on both intel based and apple based silicon Macs. Credit goes to @maclover696 @predragcvetkovski and @joshworksit

@maclover696 @predragcvetkovski @joshworksit Thank you thank you guys!

@RourouDuzi688

@RourouDuzi688 : make sure you update here with any differences in method or results that you faced based on the version of MacOS or Mac devices that you used. It's good to update this thread with changes, if any. Did you face any issues with Ventura 13.4?

So far no problem for me. I'm using 13.2 for my M1 restore and 13.4 for my Intel one.

@alucardness

Someone already updated to 13.3 or 13.4?
https://support.apple.com/en-us/HT213327

Because they've pumped up the security.

@Vicki-Olesen

@alucardness Yes no problem

@x00day

x00day commented Jun 6, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

@maclover696 Thanks a lot for this. It works flawlessly.

I personally tested your procedure using an old MacBook Air mid-2012 (Intel) running the latest version of Monterey 12.6.6 as my non-DEP Mac to bypass the DEP enrollment on a fully updated Mac M1 Pro running Ventura 13.4 and it works like a charm!

The process is pretty much the same except when you restore from the external SSD to the internal partition it works the first time with no error. Then when you reboot from the external Monterey bootable USB it automatically switches to Ventura to install (and upgrade) itself on the internal Monterey partition. When you reboot again on the internal partition it has the account from the non-DEP Mac running the latest version of Ventura instead of Monterey.

Obviously the enrolment status gives me:
Enrolled via DEP: No
MDM enrollment: No

Again, thank you very much!

@wanrain56

Hello everyone, Ventura needs an administrator password to execute csrutil disable after installing the system. Does anyone know what the password is? (no user created)

How's it going?

@sonomadep

sonomadep commented Jun 7, 2023

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2)
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade

@Ran-Xing

Ran-Xing commented Jun 7, 2023

@sonomadep 👍

slack.com: join & talk bypass with clean

If you are a developer, please contact me, I will review and invite you to develop automation scripts

@sonomadep

@sonomadep 👍

slack.com: join & talk bypass with clean

If you are a developer, please contact me, I will review and invite you to develop automation scripts

a script is ... just not feasible

on ASi os version <12.x you need to enter 1tr and disable SIP. but if you know how to disable SIP you know how to edit hosts.
on ASi os version >13.x (first install) a script is not remotely usable due to forced internet connection.
on x86 opencore booting on top of boot rom that changes SN is more viable and cleaner.
for ASi macs (especially new machines that cannot downgrade) it is really just a matter of time until apple shuts down mdm bypassing. if they want they 100% have the ability to make it a complete activation lock.

@sonomadep

sonomadep commented Jun 7, 2023

14.0 Beta(23A5257q) MDM It seems that the Apple partition must be uninstalled to deal with it. My client upgraded the system, and then the supervision window keeps popping up, which is a full-screen pop-up


whoever your client is, they are using a bad solution on their OS. breaking the SSV is a bad idea to block MDM, especially on ASi. It should be avoided in any case. you are definitely doing this the wrong way, period.

there is no need to remove monitor programs such as jamf when you disabled the internet at first and blocked hosts all the way.

for the full screen pop up i have already shared the methods to block it above. please do not advertise it as a paid solution or you may as well discourage others from sharing their attempts to bypass mdm further in this thread. it's just so bad for the community.

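Please, be a decent person: don't take what others have only just posted and make money off it, and don't sell your "clients" a half-broken dirty hack.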

@Ran-Xing

Ran-Xing commented Jun 7, 2023

You are not me, I am not you, you have no right to criticize me

@AlanJ500

AlanJ500 commented Jun 7, 2023

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade

Would you advise re-enabling SIP after this? Would it undo the changes?

@sonomadep

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery
(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
(3) you're all set. enjoy this boring upgrade

Would you advise re-enabling SIP after this? Would it undo the changes?

You're safe to reenable SIP.

@ar1388

ar1388 commented Jun 8, 2023

i'm having trouble with these 2 steps

Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

i can't get it to work. it keeps saying something about needing to update

@alucardness

I'm starting to think that after 14, the 15th will force us to use profiles and that would be the end.

@MiG937

MiG937 commented Jun 8, 2023

@sonomadep Does this method work with M1Pro 14 on Sonoma (14 beta)? Through profiles, status -type enrollment shows that "no". Disable SIP in recovery and already on a running system (not in recovery) delete and add the lines specified in your instructions and then enable SIP, right? Do I need internet for this? After that, the hosts do not need to be blocked?

@ar1388

ar1388 commented Jun 9, 2023

i deleted the internal drive and now it wants to activate mac but fails to activate device. I have a dud now that i can do anything with. How do i fix this? M2 Mac Pro

@ar1388

ar1388 commented Jun 9, 2023

i finally got it to work. I seem to encounter problems every step of the way. It's weird.

@khan-belal

I have a 16" Intel MBP that I installed 12.0.1 using the original host file blocking method. I recently realized that I wasn't getting any updates and the only way to update is to download the OS from the app store.

I was wondering, what would be the best method for me to update my system?

@gabbyluvster

@sonomadep do you know if we would have to re-run the profiles every time we do an update? Thanks in advance.

@RobertYim

I have a 16" Intel MBP that I installed 12.0.1 using the original host file blocking method. I recently realized that I wasn't getting any updates and the only way to update is to download the OS from the app store.

I was wondering, what would be the best method for me to update my system?

Don't block this domain: gdmf.apple.com . OTA updates need it.

@trendespresso

trendespresso commented Jun 10, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

1. A separate M1/M2 Mac (could be anything, macbook, studio, etc).  this machine must not have DEP/Business Manager enabled

2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.

3. An external SSD that you can install a fresh OS on.   I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac

2. Once installed, go thru the account creation so you have an account

3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

1. Boot to recovery mode

2. Disk Utility

3. Erase the internal physical disk

4. Click on internal disk and use the RESTORE option,   FROM the external SSD

5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

I hit this error and couldn't find a way around when attempting to use the external SSD as a Startup Disk:

SDErrorDomian error 108: Unable to boot from external SSD

Even if I didn't have the previous error, I hit another one when restoring my internal SSD from the external SSD preinstall (tried with internet and without):

Failed. Couldn't personalise volume at /Volumes/Macintosh HD (OSStatus error 51)

Then if I proceed even after the above two errors, I find that 95% of the used storage was copied to the internal disk but after attempting to install macOS on the internal disk, I get this error about halfway through:

Failed. Couldn't personalise the startup partition at /Volumes/Macintosh HD

Tried both macOS 12.6 and macOS 13.4. Both have identical outcomes. External SSD install performed via non-DEP M1 MacBook Air.

TL;DR: Seems your method simply doesn't work since there's too many blessing or sealing mechanisms macOS performs.

@watusshi

Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?

@trendespresso


Hi @maclover696 @eternalgod @predragcvetkovski I am getting this error while trying to boot up from the Ventura SSD that I created from non-mdm M2 Macbook Pro.. Anyone have idea why this is happening? Many thanks

Unable to set startup disk: An error occurred while setting “Ventura” as the startup disk: The operation couldn’t be completed. (SDErrorDomain error 108.)

Same issue here. Did you find a solution?

@trendespresso

trendespresso commented Jun 10, 2023

Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?

Let me know if you try this! I'm very much thinking of doing the same. Verified the computer didn't have iCloud lock or Activation Lock. No Profiles either. However once I performed a full erase I was alerted to MDM and required to provide an email address connected to some random company. Apple really needs to make it explicitly easy to tell if a computer is stolen, MDM-locked, iCloud-locked, or otherwise Activation Locked.

I really wish they'd just have an About This Mac --> Check activation status --> "All good" or "Not good, MDM-locked" etc. Total bull$#!%

@kblackwall

@x00day could you tell me please.....was it possible to disable sip? thank u!

@watusshi

Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?

Let me know if you try this! I'm very much thinking of doing the same. Verified the computer didn't have iCloud lock or Activation Lock. No Profiles either. However once I performed a full erase I was alerted to MDM and required to provide an email address connected to some random company. Apple really needs to make it explicitly easy to tell if a computer is stolen, MDM-locked, iCloud-locked, or otherwise Activation Locked.

I really wish they'd just have an About This Mac --> Check activation status --> "All good" or "Not good, MDM-locked" etc. Total bull$#!%

The thing is, I did the whole process when formatted the drive but I know that as long as we don't connect to wifi while setting up, it would be ok, but I'm not sure if they gonna check that in the apple store, since I will be wiping the drive and do a fresh install of ventura anyways

@tully-8888

Hello, just upgraded to 14 Beta and I get the annoying MDM even if my personal mac is not related to MDM, what is this all about? Thanks

@Acelogic

Acelogic commented Jun 14, 2023

@badbanii Good now I know i'm not the only one, solution is above scroll up

@tully-8888

@Acelogic Hello, yeah, it's fixed but I panicked a little. It's fine if others have the same problem, there was no way my Mac was MDM locked.

@AlanJ500

@sonomadep Have you gotten macOS 14 beta 2 to install through Software update at all? It appears after applying the fix, my Mac says it's up to date and not seeing the new build. However in terminal it is showing the new 14.0 beta. Any ideas on how to get it to force the update without a restore?

@boolias

boolias commented Jun 22, 2023

If you have gdmf.apple.com blocked, you won't be able to get updates. Comment out gdmf.apple.com in /etc/hosts and check updates again. From https://support.apple.com/en-us/HT210060 gdmf.apple.com is the software update catalog and I found that there is no need to block it for this fix to work
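
For anyone reviewing a Mac (a fleet administrator, or a buyer checking a second-hand machine), the hosts-file state discussed in this thread can be read back directly. The following is an added example, not code from the gist or from any commenter; the function names and the sample hosts file are constructed for illustration, and the hostnames are the four listed in the thread.

```shell
#!/bin/sh
# Hostnames named in this thread. gdmf.apple.com is the software update
# catalog (per the HT210060 reference above); the others are the enrollment
# hosts commenters list.
ENROLLMENT_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com"
UPDATE_HOSTS="gdmf.apple.com"

# audit_hosts [FILE]
# Reads a hosts file (stdin when FILE is omitted) and prints one line
# "<kind> <hostname> <address>" for every watched hostname that an active,
# uncommented entry points at a null or loopback address.
audit_hosts() {
    awk -v enroll="$ENROLLMENT_HOSTS" -v update="$UPDATE_HOSTS" '
        BEGIN {
            n = split(enroll, e, " ")
            for (i = 1; i <= n; i++) kind[e[i]] = "enrollment"
            n = split(update, u, " ")
            for (i = 1; i <= n; i++) kind[u[i]] = "update"
        }
        {
            sub(/#.*/, "")              # strip full-line and trailing comments
            if (NF < 2) next            # blank line, or an address with no name
            addr = tolower($1)
            # Only null/loopback targets count as a block; real IPs are ignored.
            if (addr != "0.0.0.0" && addr != "::" && addr != "::1" && addr !~ /^127\./) next
            for (i = 2; i <= NF; i++) { # a single line may carry several names
                host = tolower($i)
                sub(/\.$/, "", host)    # tolerate a trailing root dot
                if (host in kind) print kind[host], host, addr
            }
        }
    ' "${1:--}"
}

# updates_blocked [FILE]
# Exit status 0 when the update catalog host is blocked, 1 otherwise.
updates_blocked() {
    audit_hosts "${1:--}" | grep -q '^update '
}

# Constructed sample hosts file (not taken from any real machine).
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
255.255.255.255 broadcasthost
::1         localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com deviceenrollment.apple.com  # two names on one line
#0.0.0.0 gdmf.apple.com
EOF
}

# Demo on the constructed sample: reports three enrollment entries and,
# because the gdmf line is commented out, no update entry.
sample_hosts | audit_hosts
```

On the machine under review, run `audit_hosts /etc/hosts`; an `update` line in the output means over-the-air updates are cut off and the system will fall behind on security patches.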

@joshworksit

joshworksit commented Jun 22, 2023 via email

@khan-belal

Thanks, that got the update to show up. Can I proceed with updating as normal, or is there something else I have to do? Currently it's showing me that 13.4.1 is available as an update.

@AlanJ500

For me it wasn't blocked, Software Update in System Settings just never pulled it, but I got it to download through terminal. Install went fine, and everything works like it should for me.

@khan-belal

> For me it wasn't blocked, Software Update in System Settings just never pulled it, but I got it to download through terminal. Install went fine, and everything works like it should for me.

So, I can update from Monterey 12.0.1 to Ventura 13.4.1 without any sort of setup or special steps?

@rdlvm

rdlvm commented Jun 24, 2023

Hi, I have a macbook pro 2020 m1 A2338, I was able to bypass from monterey and get into clean system without any profiles, but I get notification every few hours for the MDM profile to be installed. I couldn't avoid the notifications so far, I would like to remove them and clean up the mac to install Ventura. Is there any way that by erasing the entire drive or doing a full restore I don't have to repeat the bypass over and over again? Thanks in advance.

@mabearce1

So I have been trying to install macOS to an external hard drive, but it is not working; it won't go past the final install. How the heck do you get it to install to an external SSD? I have tried my USB stick as a hard drive and a spare SSD via USB.

@Ran-Xing

@AshAllens

I have an M1 MacBook Air which I updated to the Sonoma beta. After the update I somehow messed up the settings and ended up with MDM profiles installed, so I tried the process of turning off the router, which I first tried when I got the laptop, which was on Monterey, but now on Ventura it can't be done that way. Please help me; I tried all the solutions above and nothing worked, and also for the root user I keep getting the terminal error "Not a known DirStatus". Please help, guys.

@gboy13

gboy13 commented Jul 6, 2023

thanks @gwshaw for the edits!

Here is how you can bypass MDM completely ...

Boot to Recovery

Open Terminal and enable the root user and give it a password:

Enter the command below and press Enter

dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:

/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/

Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.

Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.

Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.

Click the Apple logo > System Settings -> Users & Groups

Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.

Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.

Boot to Recovery again.

Open Terminal and enter the command below and press Enter.

touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone

Then type Reboot and press Enter or force off your Mac again using the steps above.

If you found this helpful please donate! https://pay.siliconbypass.com

This method worked for me with a few tweaks. M2 running Ventura 13.4.1
For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2.
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

@nitin88

nitin88 commented Jul 6, 2023

Hi,

Is it possible to override a specific MDM profile configuration?

One of the profile configurations disables shared internet via MDM. I want to override that, or somehow prevent MDM from overriding that configuration. I have full permissions to boot into recovery mode to make any system-level changes, but I don't want to opt out of MDM.

@Ran-Xing

Ran-Xing commented Jul 8, 2023

@gboy13

The correct one should be this, it doesn't need \ -\ Data

++dscl -f /Volumes/Macintosh\ HD/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
--dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

@msarmadahsan

@gboy13
@Ran-Xing

Thanks a lot! This works perfectly!

@gboy13

gboy13 commented Jul 9, 2023

@Ran-Xing

The root user with my M2 and Ventura did not work with either way. That's why I had to create the new admin user. YMMV.

FYI if your drive name is different than the default, then you will have to change it either way in all commands.

@josepyrex

@khan-belal
@boolias

Hey all, I followed all the steps and got the Mac up and running and everything went through smoothly. Currently running Mojave and I tried commenting out the gdmf.apple.com code on the Host file which got the Ventura update to show up. However, whenever I try installing it, whether it'd be through the System Preferences UI or the Terminal, I get this error "The Request Timed Out." and "Error downloading updates."

Any idea how to solve it and if you managed to get around it?

@mikevic18

You can just download the update through the App Store.

@wchadm

wchadm commented Jul 14, 2023

thanks @gwshaw for the edits!
Here is how you can bypass MDM completely ...
Boot to Recovery
Open Terminal and enable the root user and give it a password:
Enter the command below and press Enter
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:
/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/
Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.
Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
Click the Apple logo > System Settings -> Users & Groups
Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.
Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
Boot to Recovery again.
Open Terminal and enter the command below and press Enter.
touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
Then type Reboot and press Enter or force off your Mac again using the steps above.
If you found this helpful please donate! https://pay.siliconbypass.com

This method worked for me with a few tweaks. M2 running Ventura 13.4.1 For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2.
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

Thank you for this - worked perfectly on 2023 M2 MBA 15"!

@samcoinhope

I can't create a root user in my Ventura 13.4.1.
Please help, it gives me an error in the terminal.

@joshworksit

joshworksit commented Jul 15, 2023 via email

@samcoinhope

thanks @gwshaw for the edits!
Here is how you can bypass MDM completely ...
Boot to Recovery
Open Terminal and enable the root user and give it a password:
Enter the command below and press Enter
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:
/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/
Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.
Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
Click the Apple logo > System Settings -> Users & Groups
Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.
Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
Boot to Recovery again.
Open Terminal and enter the command below and press Enter.
touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
Then type Reboot and press Enter or force off your Mac again using the steps above.
If you found this helpful please donate! https://pay.siliconbypass.com

This method worked for me with a few tweaks. M2 running Ventura 13.4.1 For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2.
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

Thank you for this - worked perfectly on 2023 M2 MBA 15"!

Do these steps work with the new update of Ventura 13.4.1?

@joshworksit

joshworksit commented Jul 15, 2023 via email

@bagofcig

bagofcig commented Jul 17, 2023

@gboy13

The correct one should be this, it doesn't need \ -\ Data

++dscl -f /Volumes/Macintosh\ HD/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
--dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

Hi, I'm not able to run any command with dscl -f in boot recovery.
I tried both commands, the one with \ -/ and the one without it. Please help me out.
Error attached.
Also, I tried the video link which you were referring to, but no luck getting past the first one.
IMG_5201

@jeremylpro

jeremylpro commented Jul 18, 2023

Will updating macOS change anything?

@joshworksit

joshworksit commented Jul 18, 2023 via email

@tecnicalapple

@gboy13
The correct one should be this, it doesn't need \ -\ Data

++dscl -f /Volumes/Macintosh\ HD/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
--dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

> Hi, I'm not able to run any command with dscl -f in boot recovery. I tried both commands, the one with \ -/ and the one without it. Please help me out. Error attached. Also, I tried the video link which you were referring to, but no luck getting past the first one. IMG_5201

I have the same problem. Do you know how to fix it? Please

@tecnicalapple

Can someone help me with the error? Please

@tecnicalapple

someone please

@tecnicalapple

image
I have this error too ;c

@joshworksit

joshworksit commented Jul 21, 2023 via email

@IJRZI

IJRZI commented Jul 23, 2023

@henrik242 Thanks a lot, this way there are no more messages. Can I upgrade to OS 14 then?

@patrickcyi

Just FYI, if you are on M1 and upgraded to Ventura, here is how to bypass: 1. USB, create Monterey installer. 2. Erase, install M. 3. Unplug Wi-Fi at almost-done installation. 4. No Wi-Fi setup. 5. Bypass MDM notif.

@gordi415

gordi415 commented Jul 23, 2023 via email

@patrickcyi

@joshworksit

joshworksit commented Jul 24, 2023 via email

@Ran-Xing

Sonoma 23A5286i: failed to block notifications, and the configuration will be automatically overridden.

@IJRZI

IJRZI commented Jul 26, 2023

The latest version?! omg?! Apple did fix it?!

@IJRZI

IJRZI commented Jul 26, 2023

> Sonoma 23A5286i: failed to block notifications, and the configuration will be automatically overridden.

Does masking linked servers by host work?

@ehsan58

ehsan58 commented Jul 26, 2023

What's the difference between this method and bypass services like lpro, hfz, etc.?
Could anyone tell me, please?

@Ran-Xing

@IJRZI No pop-up window after shielding hosts

@lihanchen

For the 8 lines of code to create test user, we can just change the password of root by one command:
dscl -f /Volumes/Macintosh\ HD/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
Then in the system settings, create user with root/password you set.

@bagofcig

bagofcig commented Jul 28, 2023

> First see if you can navigate to the exact folder you are using in the command. So first, if you just typed the command and just got that error, then use this command, “cd /Volumes”, and press Return. Did it go to that directory? If yes, then keep going into the subfolders. To do this, the next command would be “cd /Volumes/Macintosh HD”, then press Return. Again, evaluate if you could get into the directory. My thoughts are that at some point you are not going to navigate well because the folder is called something else… let us know what you find!

The issue that I encounter is that when I run the command in boot recovery I get the error that I posted earlier, but if I do it when the device is booted regularly it works fine. Also, I can't choose a new password because it asks for the old password, which is for the root user. Attached.
Screenshot 2023-07-28 at 7 41 09 PM

@joshworksit

joshworksit commented Jul 28, 2023 via email

@bagofcig

> The command has to be run prior to setup completing, so on a fresh install. But you have to first start the Mac after an erase and reinstall, then let it get to the Welcome screen, then power it off and startup to recovery and perform the steps. IF you are already in the macOS logged into your user and you are getting the notification for MDM enrollment you can do this… Reboot to Recovery and open Terminal, enter the command “csrutil disable” then “restart” but hold the power button down so you can go right back into Recovery. Once in Recovery open Terminal again and navigate to /Volumes/Macintosh HD/var/db/ConfigurationProfiles and then delete the Settings and Store folders with the commands “rm -R settings”. “rm -R stores”. Then navigate to /Volumes/Macintosh HD/etc and edit the hosts file to add the following: 0.0.0.0 alfred.apple.com 0.0.0.0 iprofiles.apple.com Then save the file and issue “csrutil enable” then “restart”. All should be well now.

I’m not able to run the command “csrutil disable”, attached.
So, I will try the first option once I erase and install the OS, and keep you posted.
image

@joshworksit

joshworksit commented Jul 28, 2023 via email

@bagofcig

> You need to Restart and try it again.

I tried a couple more times but it did not work.

@bagofcig

> The command has to be run prior to setup completing, so on a fresh install. But you have to first start the Mac after an erase and reinstall, then let it get to the Welcome screen, then power it off and startup to recovery and perform the steps. IF you are already in the macOS logged into your user and you are getting the notification for MDM enrollment you can do this… Reboot to Recovery and open Terminal, enter the command “csrutil disable” then “restart” but hold the power button down so you can go right back into Recovery. Once in Recovery open Terminal again and navigate to /Volumes/Macintosh HD/var/db/ConfigurationProfiles and then delete the Settings and Store folders with the commands “rm -R settings”. “rm -R stores”. Then navigate to /Volumes/Macintosh HD/etc and edit the hosts file to add the following: 0.0.0.0 alfred.apple.com 0.0.0.0 iprofiles.apple.com Then save the file and issue “csrutil enable” then “restart”. All should be well now.

I have erased and installed macOS, and stopped before going through the setup (welcome screen).
I shut down the Mac, entered recovery mode and entered the command. I took another step to make sure that I followed the steps right: after getting the same error, I tried to figure out what I'm missing. I used the “cd” command, and it seems that there is no “db” file.
Please help me out here; I still have not finished the setup and am waiting for your instructions.
When I try csrutil disable, I am asked to enter a password?! How is that happening?
image

@Ran-Xing

Ran-Xing commented Jul 29, 2023

> macos12

  1. reset root password
  2. in hello make user use root account
  3. touch appledone file
  4. disable sip
  5. touch file

This is the complete step. The specific information is mentioned in front. Don't bother others.


Stop nagging and read the earlier information yourself, OK?

@Ran-Xing

Does anyone know how to check the remaining supervision time, or whether it has expired?

@bagofcig

> You need to Restart and try it again.

Please tell me if you've got any idea.

@dutton241-9

This method worked for me with a few tweaks. M2 running Ventura 13.4.1 For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2.
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

This worked a treat for me mate, thanks so much!

@joshworksit

joshworksit commented Aug 5, 2023 via email

@Github-Help-Needed-Plzzz

thanks @gwshaw for the edits!
Here is how you can bypass MDM completely ...
Boot to Recovery
Open Terminal and enable the root user and give it a password:
Enter the command below and press Enter
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:
/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/
Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.
Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
Click the Apple logo > System Settings -> Users & Groups
Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.
Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
Boot to Recovery again.
Open Terminal and enter the command below and press Enter.
touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
Then type Reboot and press Enter or force off your Mac again using the steps above.
If you found this helpful please donate! https://pay.siliconbypass.com

This method worked for me with a few tweaks. M2 running Ventura 13.4.1 For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2).
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

Once doing all of this do I need to keep the users on the Mac or can I remove them? @gboy13

@tecnicalapple

if I do the process the corporation can still track the notebook

@joshworksit

joshworksit commented Aug 7, 2023 via email

@Gorus23

Gorus23 commented Aug 10, 2023

thanks @gwshaw for the edits!
Here is how you can bypass MDM completely ...
Boot to Recovery
Open Terminal and enable the root user and give it a password:
Enter the command below and press Enter
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root
There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:
/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/
Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.
Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
Click the Apple logo > System Settings -> Users & Groups
Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.
Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
Boot to Recovery again.
Open Terminal and enter the command below and press Enter.
touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
Then type Reboot and press Enter or force off your Mac again using the steps above.
If you found this helpful please donate! https://pay.siliconbypass.com

This method worked for me with a few tweaks. M2 running Ventura 13.4.1 For whatever reason, I was unsuccessful in changing the root password. Ended up creating a new user via command line and using that user to create the user in system preferences.

  1. Boot to Recovery (Hold down power button on M2).
  2. Open Terminal and create a new user using the below commands. Note that the volume name may vary. This example creates an admin user called "test"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UserShell /bin/bash
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test RealName "Lucius Q. User"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test UniqueID "1010"
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test PrimaryGroupID 80
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -create /Local/Default/Users/test NFSHomeDirectory /Users/luser
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -append  /Local/Default//Groups/admin GroupMembership test
dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/test
  1. Enter a new password for the user.
  2. Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.
  3. Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.
  4. Click the Apple logo > System Settings -> Users & Groups
  5. Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "test" and use the password you created earlier in Terminal.
  6. Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.
  7. Boot to Recovery again.
  8. Open Terminal and enter the command below and press Enter.
    touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone
  9. Then type Reboot and press Enter or force off your Mac again using the steps above.
  10. Enjoy your stolen laptop jk

A 1000 THANKS!!! So is this permanent solution or i need to do it every time i update, reinstall or format ssd?

@tecnicalapple

in this case I can update it well and it doesn't pull anything but, for security, I would do it from scratch so I don't have a problem. when updated and updates the system well and does not pull the mdm

@Pedro147

I was sure I posted a question here a few days ago, but it doesn't seem to be here which is totally weird. Anyway, I have an M1 Macbook Air being used by the person that I sold it to, with no issues for three months. Then he started having trouble with the touchID so he did a macOS update and suddenly it popped up a lock which appears to be an MDM lock. I checked the machine status on SickW website and it has no iCloud lock but does indeed have an MDM lock (see here). If I hold the start button until I can get into recovery it just comes back to the lock screen. Any help appreciated please.
lock 1
Screen Shot 2023-08-12 at 11 11 51 pm

@joshworksit

joshworksit commented Aug 12, 2023 via email

@Pedro147

That is the bios or EFI Lock Screen. It is not set by DEP and is a feature of the bios separately.

Thanks, yes it certainly looks like an EFI lock doesn't it, but as you can see from the screenshot of the lockscreen it mentions an "organisation". It must be an EFI lock set by that company, but it perplexes me that the other attached screenshot showing the status of the machine on sickw site (which must come via some backdoor from Apple's servers?) distinctly says that the machine has an MDM lock. Very weird and annoying.

@joshworksit

joshworksit commented Aug 12, 2023 via email

@Pedro147

It looks like Apple Silicon does not have that screen you are showing which is weird…but MDM can set that feature after all it seems.   All is in the link ….

sorry, what link are you referring to please?

@joshworksit

joshworksit commented Aug 12, 2023 via email

@Pedro147

You lost me I asked about a link, but thanks for your thoughts anyway

@joshworksit

Good lord if I had known my email replies were posting like that…garrrrr….

@Pedro147

Thanks guys

@Ran-Xing

Ran-Xing commented Aug 16, 2023

@Pedro147 May I ask which url you used to query this picture?

@Pedro147

@Ran-Xing

@Pedro147 I'm talking about the content of this picture

MDM_LOCAL: on

@Pedro147

You mean to query the info in the picture, so https://sickw.com/?page=services&service=11

@Ran-Xing

Ran-Xing commented Aug 16, 2023 via email

@GeorgeDuke1971

general question on stopping DEP reminders in macOS Ventura
Hello, I have found this thread helpful in stopping DEP reminders in Monterey, and just received a Mac Studio (still in the box) from Apple and was hoping that you could recommend preventing DEP reminders. My institution puts a lot of rather invasive software on Macs including blocking naming of the computer and blocking the root user. Thanks!

@RickyGoodlett

I did not quite understand. Why is this necessary? Explain someone briefly

@wangyv6

wangyv6 commented Aug 20, 2023

pretty cool, how can i make sure the mdm enrollment prompt is fully closed ? need some time to confirm ?

@wangyv6

wangyv6 commented Aug 20, 2023

👍😍😍

@hdsheena

hdsheena commented Aug 24, 2023

@sonomadep looks like those files don't exist actually..

Mine were located in /Volumes/Macintosh\ HD\ -\ Data/private/var.. in case it helps anyone else

@grzesiolpl

grzesiolpl commented Aug 26, 2023

@sonomadep looks like those files don't exist actually..

Mine were located in /Volumes/Macintosh\ HD\ -\ Data/private/var.. in case it helps anyone else

Hmm… My MCP i5 lets me install Catalina, but anything higher shows greyish SSD and info "This disk is locked". Root user is working normally, but the disk has some way of security in higher versions of macOS.

edit: I will check if I have proper Secure Boot options enabled and let u know if that solved the problem.

@opsquid

opsquid commented Aug 27, 2023

Awesome! It works for me, now the nagging DEP popup won't show anymore. Thank you.

@Solmonz

Solmonz commented Aug 28, 2023

May I ask how to bypass MDM and update the system normally on the new version of macOS 14 (Sonoma)?

@grzesiolpl

May I ask how to bypass MDM and update the system normally on the new version of macOS 14 (Sonoma)?

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)
Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2)
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade
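
A fleet-side check for the state this workaround leaves behind, added here as an example and not part of the original comment: it reads the marker files named above under a given volume root and flags hosts entries that sinkhole Apple names. The function names, the "assigned" argument (meaning your Apple Business Manager inventory lists the serial) and the sample hostname are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a macOS volume for the
# enrollment-marker state and hosts overrides described in the comment above.
# ROOT is "/" on a live system, or a mounted volume / constructed test tree.

SETTINGS_REL="var/db/ConfigurationProfiles/Settings"

# Echo one of: record-found | record-not-found | conflicting | no-markers
marker_state() {
    dir="${1%/}/$SETTINGS_REL"
    found=0
    notfound=0
    if [ -e "$dir/.cloudConfigRecordFound" ] ||
       [ -e "$dir/.cloudConfigHasActivationRecord" ]; then
        found=1
    fi
    if [ -e "$dir/.cloudConfigRecordNotFound" ]; then
        notfound=1
    fi
    case "$found$notfound" in
        10) echo record-found ;;
        01) echo record-not-found ;;
        11) echo conflicting ;;
        *)  echo no-markers ;;
    esac
}

# Print every *.apple.com name that ROOT/etc/hosts maps to a non-routable address.
hosts_apple_overrides() {
    hosts="${1%/}/etc/hosts"
    [ -r "$hosts" ] || return 0
    awk '
        { sub(/#.*/, "") }   # strip comments before matching
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /(^|\.)apple\.com$/) print tolower($i)
        }' "$hosts" | sort -u
}

# audit ROOT [assigned|unassigned]
# "assigned" (assumption) means your own inventory says the serial is in DEP.
# Prints findings and returns 1 if any were raised, 0 otherwise.
audit() {
    root="$1"
    expected="${2:-assigned}"
    rc=0
    state=$(marker_state "$root")
    overrides=$(hosts_apple_overrides "$root")
    if [ "$expected" = assigned ]; then
        case "$state" in
            record-not-found|conflicting)
                echo "FINDING marker state '$state' on a device listed as assigned"
                rc=1 ;;
        esac
    fi
    if [ -n "$overrides" ]; then
        echo "FINDING hosts sinkholes: $(printf '%s' "$overrides" | tr '\n' ' ')"
        rc=1
    fi
    # SIP can only be queried for the running system, and only on macOS.
    if [ -z "${root%/}" ] && command -v csrutil >/dev/null 2>&1; then
        case "$(csrutil status 2>/dev/null)" in
            *disabled*) echo "FINDING System Integrity Protection is disabled"
                        rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: a throwaway tree in the state the workaround produces.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/$SETTINGS_REL" "$t/etc"
    : > "$t/$SETTINGS_REL/.cloudConfigProfileInstalled"
    : > "$t/$SETTINGS_REL/.cloudConfigRecordNotFound"
    printf '%s\n' '127.0.0.1 localhost' \
        '0.0.0.0 enrollment.example.apple.com  # constructed name' \
        > "$t/etc/hosts"
    echo "$t"
}

# On a managed host, run as root:  sh audit.sh --audit / assigned
if [ "${1:-}" = "--audit" ]; then
    shift
    audit "$@"
fi
```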

@Solmonz

Solmonz commented Aug 28, 2023

May I ask how to bypass MDM and update the system normally on the new version of macOS 14 (Sonoma)?

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14) Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade
I am currently on macOS 12, and I want to reinstall, disable MDM, and then upgrade to the newer version. How should I proceed? I've been trying to figure this out for a while
How to disable SIP

@ehsan58

ehsan58 commented Aug 29, 2023

May I ask how to bypass MDM and update the system normally on the new version of macOS 14 (Sonoma)?

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14) Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.
The Workaround
(1) Disable SIP in 1 True Recovery
(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
(3) you're all set. enjoy this boring upgrade
I am currently on macOS 12, and I want to reinstall, disable MDM, and then upgrade to the newer version. How should I proceed? I've been trying to figure this out for a while
How to disable SIP

Disable System Integrity Protection Temporarily

To disable SIP, do the following:

Restart your computer in Recovery mode (https://support.apple.com/en-us/HT201314).

Launch Terminal from the Utilities menu.

Run the command csrutil disable.

Restart your computer.

@N4ssim

N4ssim commented Aug 29, 2023

Hello, is it a good choice to buy a MacBook MDM for the next two years?

What should I check when buying a MacBook MDM?

I've already had a MacBook pro 2020 M1 MDM, but now I'm hesitating between a MacBook Pro 2021 M1 Pro 16/512 No MDM and a MacBook Pro 2021 M1 Pro 32/1T MDM for same price.

@iclumsy

iclumsy commented Aug 31, 2023

Where can I buy a MDM macbook for a good price?

@Gorus23

Gorus23 commented Aug 31, 2023

I am selling macbook pro 2021 m1 chip, 16 gb ram. It has only 3 battery cycles. I'm from Serbia and can send it to you. If you are interested, send me a message.

@MikeParder

thanks @gwshaw for the edits!

Here is how you can bypass MDM completely ...

Boot to Recovery

Open Terminal and enable the root user and give it a password:

Enter the command below and press Enter

dscl -f /Volumes/Macintosh\ HD\ -\ Data/private/var/db/dslocal/nodes/Default localhost -passwd /Local/Default/Users/root

There might be a slight directory difference between Intel/Silicon. If the command above does not work try using one of these variations:

/Volumes/Macintosh\ HD\ -\ Data/ or /Volumes/Data/

Enter a new password for root user. Note * If you choose a simple password be aware that the root user will be available as a user that can log into macOS which could present a risk to the security of the device.

Once complete click the Apple logo -> Reboot or in Terminal type Reboot then press Enter and let macOS start-up.

Show the hidden menubar and go to System Settings when the Setup Assistant begins by pressing Command + Option + Control + T together.

Click the Apple logo > System Settings -> Users & Groups

Create an admin user with your username and password then click Add Account. The authentication window will appear and autofill the username as user "System Setup". Change this to "root" and use the password you created earlier in Terminal.

Use the Apple menu and select Reboot and if this does not work, force off your Mac by holding the power button down at least 10 seconds.

Boot to Recovery again.

Open Terminal and enter the command below and press Enter.

touch /Volumes/Macintosh\ HD\ -\ Data/private/var/db/.AppleSetupDone

Then type Reboot and press Enter or force off your Mac again using the steps above.

If you found this helpful please donate! https://pay.siliconbypass.com

Thank you so much, this is what i used and it worked perfectly. With that said, i am still getting the popups every few hours or so reminding me to install the MDM. How do i get rid of that? The instructions above are not helping. Thanks!

@MikeParder

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks
$ profiles status -type enrollment

here you go

Enrolled via DEP: No MDM enrollment: No

The screens for MDM enrollment never showed up because I completely bypassed it thru the first computer. Yes, it does require another M1 computer that's non-DEP but that process is just once to build the External SSD OS once.

I did find some videos about disabling wifi, login, enable wifi, download some software (is that software safe? Something about Checkm8) but I don't want to install software - I'm sure it's fine since people are using it but I don't want to run csrutil either, terminal etc.

Anyway, I felt it was too much babysitting the process so I rather just install it twice with my method cuz I can just go to sleep after part 1 started and just do part 2 and set it and forget it.

Much easier and requires no real attention to watch it install.

And the benefit of my method is that my external SSD can be updated with latest software so any new Macs I install would have all of the software I normally want on it. Visual Studio code, nodejs, docker etc. It's an "golden image" for my own base build!

Glad I was able to contribute to this new method! I've been using the csrutil editing hosts tricks for many years. Frustrated a long time that I cannot do the same on M1 and Carbon Copy and SuperDuper are all failing also. My method can also help you dupe a working mac completely if you ever say upgrade to a new computer and do not want to reset everything from scratch. I don't think Migration Assistant will migrate stuff I installed manually via GIT etc in various directories so I rather just copy it all as is in the future.

Thank you for posting this. I haven't tried this method yet, I did the other one on here and it works but my device is still getting popups and it's still showing MDM in terminal. Is there any way you can get with me one on one, on telegram or something, to walk me through this? I can pay you for your troubles. Thanks!

@MikeParder

Last question of the night! Promise! After doing this command:
(sudo profiles show -type enrollment), it shows the company info its enrolled to. I also get the popup in the corner reminding me. Even though i bypassed MDM, is there any way this company can still track the machine? or even worse, see into my icloud account? I am logged in with my apple ID and connected to my home wifi.

@Sergiu-Cocieru

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Does anyone know if I've used this method to enroll in MDM? Can I update without issues to macOS Sonoma?

@joshworksit

joshworksit commented Sep 5, 2023 via email

@Salil999

Salil999 commented Sep 9, 2023

Not sure if it helps but I found this website which might do it for you: https://skipmdm.com

You can verify the contents with curl https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh | cat

@mikevic18

mikevic18 commented Sep 11, 2023

To save everyone time, the script provided on skipmdm is just what was discussed here previously put together in a nice script.
The current version linked is safe, but as it goes always check before you run something you got off the internet as the script can always be changed.
For anyone curious, here is the direct link to the script:
AutoBypass-mdm.sh

@Ran-Xing

Ran-Xing commented Sep 12, 2023

I need an agent to help me sell my bypass service, use my technology or we can study new technologies together. At present, my research result is that I can bypass the MDM without disabling SIP. The command line I need to use is only 20 characters, which contains multiple options, such as cleaning up WiFi information, waking up MDM, bypassing MDM, cleaning up MDM agent, creating users, and more. My authorization method is to bind the serial number, and a machine can be used for life. The price is $14. Friends in need can ask friends in China to pay me. My personal homepage has my email address.

@Ran-Xing

I have been writing this program for a year. At first it was a script, but someone stole my script to make money, and later it was changed to an encrypted program. At the beginning, I collected MDM Agent information and deleted plist file and agent App together. Later, this situation was less, so we just need to bypass and disable MDM.

@Ran-Xing

Ran-Xing commented Sep 12, 2023

At first, I used some simple command lines to bypass the MDM, but some people can't access google and github, so I provide $1 technical service. (Video guidance)

What I do is not simple copying and pasting, because ordinary users can't use the command line, and it's easy to input case errors and even spaces. I don't have this much energy. I arranged all the necessary steps into options for users to choose, and even provided videos, notes and communication groups.

Later, I found all kinds of MDM-Agent, I knew that I needed to constantly optimize them, so the price rose to $7.

Later, some seniors criticized me and my peers slandered me. I once thought about giving up. But I still have dozens of customers, and I can't leave them alone, and these users pay enough money for me to buy some fruit. Even without me, there will be another one. The main reason why I spend so much time studying is that these are too expensive. (check8 or other)

My main client is from China, so most of the documents are in Chinese. Please forgive me, you can use Google Translation.

** I'm here now because I think the brother above has the same experience as me, and I'm afraid he will replace me. @skipmdm-phoenixbot. His growth may pose an indirect threat to me **

  • I am also a MDM Mac user.
  • I update faster than other organizations.
  • I will communicate with my clients.

video: https://b23.tv/shTJigT
options:

@Elec-trick

Is there anyone who has tried installing MacOS Sonoma on bypassed MB M1?

@ehsan58

ehsan58 commented Sep 24, 2023

Since only 2 days are left for Sonoma's final release, this is my question: will we have any problems after upgrading to Sonoma? I now work easily on ventura without bypass. Will I have the same experience with the upgrade? Or is it an issue that should be considered?
Thank you all

@mikevic18

I am running Sonoma, just upgrade manually and make sure to have blocked in the hosts file and in the router's settings the domains listed in this thread. After upgrading, check your hosts file and make sure that the services are still disabled. Additionally, you could block access to the internet of the services using a firewall like Little Snitch to make sure that even if Apple has added an additional domain or whatever type of check, all the traffic to and from the services is blocked.

@klnvsky

klnvsky commented Sep 26, 2023

Has anyone used the site skipmdm.com? it helps to bypass the blocking and everything works well, but are there any risks associated with this?

@lynndixon

Has anyone used the site skipmdm.com? it helps to bypass the blocking and everything works well, but are there any risks associated with this?

You can always see exactly what their script is doing here: https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh

Not to mention their script is housed here: https://github.com/skipmdm-phoenixbot/skipmdm.com

See for yourself....

@klnvsky

klnvsky commented Sep 26, 2023

Has anyone used the site skipmdm.com? it helps to bypass the blocking and everything works well, but are there any risks associated with this?

You can always see exactly what their script is doing here: https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh

Not to mention their script is housed here: https://github.com/skipmdm-phoenixbot/skipmdm.com

See for yourself....

I’m not a programmer, to be honest, and I don’t understand what it means :( I just want to use my MacBook and not lose my files and data…
If you can explain, I would be very grateful!

@lynndixon

Has anyone used the site skipmdm.com? it helps to bypass the blocking and everything works well, but are there any risks associated with this?

You can always see exactly what their script is doing here: https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh
Not to mention their script is housed here: https://github.com/skipmdm-phoenixbot/skipmdm.com
See for yourself....

I’m not the programmer to be honest. And I don’t understand what does it mean :( I just want to use my MacBook and not to lose my files and data… If you can explain - I would be very grateful!

This script essentially runs all the commands that have been recommended in this long thread. It appears that it would work. I would do this on a clean reinstall. Following their instructions should result in success, and nothing nefarious being installed or done to your machine.

@klnvsky

klnvsky commented Sep 26, 2023

Has anyone used the site skipmdm.com? it helps to bypass the blocking and everything works well, but are there any risks associated with this?

You can always see exactly what their script is doing here: https://raw.githubusercontent.com/skipmdm-phoenixbot/skipmdm.com/main/Autobypass-mdm.sh
Not to mention their script is housed here: https://github.com/skipmdm-phoenixbot/skipmdm.com
See for yourself....

I’m not the programmer to be honest. And I don’t understand what does it mean :( I just want to use my MacBook and not to lose my files and data… If you can explain - I would be very grateful!

This script essentially runs all the commands that have been recommended in this long thread. It appears that it would work. I would do this on a clean reinstall. Following their instructions should result in success, and nothing nefarious being installed or done to your machine.

Thank you so much, hope all will be great! Have a nice day :)

@JediRhymeTrix

Sonoma is here. Let's keep experiences/observations coming.

@Sergiu-Cocieru

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). This machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean Ventura to the internal drive.
Once the restore is finished, remove the external SSD. Boot from the internal disk.
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Does anyone know if I've used this method to enroll in MDM? Can I update without issues to macOS Sonoma?

Unfortunately, no. After the update, a fullscreen Device Enrollment popup started appearing. Does anyone know of a solution?

@haohanw

haohanw commented Sep 27, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). This machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean Ventura to the internal drive.
Once the restore is finished, remove the external SSD. Boot from the internal disk.
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Does anyone know if I've used this method to enroll in MDM? Can I update without issues to macOS Sonoma?

Unfortunately, no. After the update, a fullscreen Device Enrollment popup started appearing. Does anyone know of a solution?

Someone mentioned that after downloading the update and rebooting, you should unplug the router to disconnect from the network. During the restart after the install, your Mac may communicate with the MDM server. Considering that your SN exists on the MDM server, if there is successful communication, a pop-up might appear.

@Uanqaoh

Uanqaoh commented Sep 27, 2023

Is there any other way to run "sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound sudo touch " without closing SIP? Every time I turn on SIP, these two files reappear again.

@haohanw

haohanw commented Sep 27, 2023

Try this in Recovery
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

Not sure if these can be used with SIP enabled

@Uanqaoh

Uanqaoh commented Sep 27, 2023

Try this in Recovery
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

Not sure if these can be used with SIP enabled

It doesn't work. At first I tried to use these scripts in Recovery but I couldn't do it. The code has to be run in a terminal on macOS to work.

@Uanqaoh

Uanqaoh commented Sep 27, 2023

Successful upgrade to Sonoma. Here are some experiences that I learned from this process. I hope it is helpful.

There are two main steps to do.

Step 1: shield the host

1. Open Terminal, enable the root user and give it a password.

2. Enter the commands below and press Enter:
"
sudo -i
echo "0.0.0.0 iprofiles.apple.com" >> /etc/hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 gdmf.apple.com" >> /etc/hosts
echo "0.0.0.0 acmdm.apple.com" >> /etc/hosts
echo "0.0.0.0 albert.apple.com" >> /etc/hosts
"
3. Now you have successfully shielded the host. If you do not want to upgrade to Sonoma, then enjoy your macOS without annoying notifications. If you want Sonoma, please follow the second step.

Step 2: delete two files and build two files

1. Shut down your Mac and enter Recovery.

2. In Terminal in Recovery, enter "csrutil disable" to disable SIP.

3. Reboot your Mac. In Terminal on macOS, enter the commands below and press Enter:
"
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
sudo launchctl disable system/com.apple.ManagedClient.enroll
"

Finished! Now you can enjoy the boring Sonoma.

@Chehow

Chehow commented Sep 27, 2023

Successful upgrade to Sonoma. Here are some experiences that I learned from this process. I hope it is helpful.

There are two main steps to do.

Step 1: shield the host

1. Open Terminal, enable the root user and give it a password.

2. Enter the commands below and press Enter:
"
sudo -i
echo "0.0.0.0 iprofiles.apple.com" >> /etc/hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 gdmf.apple.com" >> /etc/hosts
echo "0.0.0.0 acmdm.apple.com" >> /etc/hosts
echo "0.0.0.0 albert.apple.com" >> /etc/hosts
"
3. Now you have successfully shielded the host. If you do not want to upgrade to Sonoma, then enjoy your macOS without annoying notifications. If you want Sonoma, please follow the second step.

Step 2: delete two files and build two files

1. Shut down your Mac and enter Recovery.

2. In Terminal in Recovery, enter "csrutil disable" to disable SIP.

3. Reboot your Mac. In Terminal on macOS, enter the commands below and press Enter:
"
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
sudo launchctl disable system/com.apple.ManagedClient.enroll
"

Finished! Now you can enjoy the boring Sonoma.

Should step 2 be done before the update to Sonoma or after? Thanks.

@Uanqaoh

Uanqaoh commented Sep 27, 2023

Successful upgrade to Sonoma. Here are some experiences that I learned from this process. I hope it is helpful.
There are two main steps to do.
Step 1: shield the host
1. Open Terminal, enable the root user and give it a password.
2. Enter the commands below and press Enter:
"
sudo -i
echo "0.0.0.0 iprofiles.apple.com" >> /etc/hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 gdmf.apple.com" >> /etc/hosts
echo "0.0.0.0 acmdm.apple.com" >> /etc/hosts
echo "0.0.0.0 albert.apple.com" >> /etc/hosts
"
3. Now you have successfully shielded the host. If you do not want to upgrade to Sonoma, then enjoy your macOS without annoying notifications. If you want Sonoma, please follow the second step.
Step 2: delete two files and build two files
1. Shut down your Mac and enter Recovery.
2. In Terminal in Recovery, enter "csrutil disable" to disable SIP.
3. Reboot your Mac. In Terminal on macOS, enter the commands below and press Enter:
"
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
sudo launchctl disable system/com.apple.ManagedClient.enroll
"
Finished! Now you can enjoy the boring Sonoma.

Should step 2 be done before the update to Sonoma or after? Thanks.

Both of these steps should be done if you want Sonoma.

@rcarlosnyc

Successful upgrade to Sonoma. Here are some experiences that I learned from this process. I hope it is helpful.

There are two main steps to do.

Step 1: shield the host

1. Open Terminal, enable the root user and give it a password.

2. Enter the commands below and press Enter:
"
sudo -i
echo "0.0.0.0 iprofiles.apple.com" >> /etc/hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> /etc/hosts
echo "0.0.0.0 gdmf.apple.com" >> /etc/hosts
echo "0.0.0.0 acmdm.apple.com" >> /etc/hosts
echo "0.0.0.0 albert.apple.com" >> /etc/hosts
"
3. Now you have successfully shielded the host. If you do not want to upgrade to Sonoma, then enjoy your macOS without annoying notifications. If you want Sonoma, please follow the second step.

Step 2: delete two files and build two files

1. Shut down your Mac and enter Recovery.

2. In Terminal in Recovery, enter "csrutil disable" to disable SIP.

3. Reboot your Mac. In Terminal on macOS, enter the commands below and press Enter:
"
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
sudo launchctl disable system/com.apple.ManagedClient.enroll
"

Finished! Now you can enjoy the boring Sonoma.

I did the above steps on a previously MDM bypassed working Ventura then updated to Sonoma and it worked.

@rcarlosnyc

On another machine I did a clean install of Ventura then blocked/patched/bypassed MDM. Then updated it to Sonoma.

I want to run migration assistant on a Time Machine backup to restore files and apps. If I only migrate over apps and files and no network settings will the bypass stick?

@AngelCrum

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

@AlanJ500

I've been on Sonoma since beta 1, however I have had to manually install each update and now 14.1 isn't appearing. Anyone else have this issue too in software update?

@rcarlosnyc

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

You could boot to recovery and try the bypass site listed in the video. I have another machine in the same state as yours and I’m going to try it when I get home.

https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4690041#gistcomment-4690041

@AngelCrum

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

You could boot to recovery and try the bypass site listed in the video. I have another machine in the same state as yours and I'm going to try it when I get home.

https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4690041#gistcomment-4690041

Ok I'll do it right now, I'll comment on the result...

@AngelCrum

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

You could boot to recovery and try the bypass site listed in the video. I have another machine in the same state as yours and I'm going to try it when I get home.
https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4690041#gistcomment-4690041

Ok I'll do it right now, I'll comment on the result...

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

@rcarlosnyc

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

You could boot to recovery and try the bypass site listed in the video. I have another machine in the same state as yours and I'm going to try it when I get home.
https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4690041#gistcomment-4690041

Ok I'll do it right now, I'll comment on the result...

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

I have two machines in the same state. One, I did a clean install and bypass of Ventura. Then edited the hosts file to block device enrollment check-in and the other steps in terminal. I was able to update Ventura to Sonoma without any enrollment messages.

My second machine I'm going to experiment now and see if I can get past the window.

@rcarlosnyc

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

What's up! What do I do if I have already updated to Sonoma and the notification appears? I did the steps mentioned but since it was already updated I guess that's why it doesn't work. I didn't realize it and it was updated...

You could boot to recovery and try the bypass site listed in the video. I have another machine in the same state as yours and I'm going to try it when I get home.
https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4690041#gistcomment-4690041

Ok I'll do it right now, I'll comment on the result...

Well, the video didn't work for me, I also did the other videos that are practically the same but nothing works, I still get the notification in system settings. From what I have read, the only way to solve it is to reinstall the system and do a clean bypass. I hope someone with great knowledge of it can help. Thank you.

I have two machines in the same state. One, I did a clean install and bypass of Ventura. Then edited the hosts file to block device enrollment check-in and the other steps in terminal. I was able to update Ventura to Sonoma without any enrollment messages.

My second machine I'm going to experiment now and see if I can get past the window.

I booted to recovery and did skipmdm.com. It created a new user account Apple with password 1234 and ran the script. The appropriate ports are blocked and the message no longer appears. In preferences I tried deleting the Apple account and got a weird error. So I removed the account using Terminal.

@rcarlosnyc

On another machine I did a clean install of Ventura then blocked/patched/bypassed MDM. Then updated it to Sonoma.

I want to run migration assistant on a Time Machine backup to restore files and apps. If I only migrate over apps and files and no network settings will the bypass stick?

On the machine where I did a clean install and bypass of Ventura then updated to Sonoma I was able to run migration assistant and migrate with all options from the Time Machine backup. It kept the edited hosts file and the message did not reappear after the migration.

@mikevic18

mikevic18 commented Sep 28, 2023

For anyone looking to update to macOS Sonoma, there are a couple of things to keep in mind:

  1. The recovery/activation that happens after the upgrade seems to not care about the hosts (I could be wrong, but judging from the number of people complaining about having MDM popups after upgrading, it does seem to be the case).
    1.1. In order for this not to happen, you need to block the domains listed below in the router's settings (set up DMZ or whatever your router's equivalent is; look up how to do it for your own router online).
    List of domains to block:
    • mdmenrollment.apple.com
    • iprofiles.apple.com
    • deviceenrollment.apple.com
    • gdmf.apple.com
    • acmdm.apple.com
    • albert.apple.com
  2. After upgrading, disable the following services:
    List of services to block/disable:
    • /usr/libexec/mdmclient
      • Disable service commands:
        sudo launchctl disable system/com.apple.mdmclient.daemon
        sudo launchctl disable system/com.apple.mdmclient
    • /usr/libexec/teslad
      • Disable service command: sudo launchctl disable system/com.apple.devicemanagementclient.teslad
    2.1. Before you unblock the domains from your router (e.g. to get updates for your iPhone), make sure to check your hosts file and add them back if they are missing, as previously mentioned in this thread.
  3. (Optional) For even more peace of mind, you can just get Little Snitch or any other firewall and block any inbound and outbound connection to the previously listed services, so if the services become enabled for whatever reason after an update they won't be able to communicate with the MDM servers.

@Ran-Xing

@mikevic18 Your summary is great, but I think hosts only need to block these:

  1. iprofiles.apple.com
  2. mdmenrollment.apple.com
  3. deviceenrollment.apple.com
  4. (Website domain name that you don’t want to share)

You also missed some details

But fortunately, we can bypass the supervision!

@ehsan58

ehsan58 commented Oct 1, 2023

Thanks for the different solutions. What is the best solution to upgrade to Sonoma right now? I am on Ventura and I want to upgrade to Sonoma with the installer file I downloaded. Can I do that, or should I wait for a solution?

@JediRhymeTrix

@mikevic18 isn't it sufficient to turn the access point (router) off when the OS starts to reboot to complete the upgrade? That's what I did for Ventura and it worked fine. I'm talking about a straight upgrade without a clean install or restoring from backup.

@Ran-Xing

Ran-Xing commented Oct 1, 2023

:) macOS 14 beta

The latest version of macOS can no longer be bypassed normally, please do not update at will.

@mikevic18

mikevic18 commented Oct 1, 2023

@mikevic18 isn't it sufficient to turn the access point (router) off when the OS starts to reboot to complete the upgrade? That's what I did for Ventura and it worked fine. I'm talking about a straight upgrade without a clean install or restoring from backup.

Apple has the tendency to make Ethernet a requirement during any major update process, and they do this for many reasons, including legal ones. They seem to be more and more anal about their privacy policy, especially in Europe, where if you are logged in with an Apple Account it won't let you get to the home screen and complete the upgrade process unless you accept the changes in the privacy policy. Judging by how many people complained that they were greeted by an MDM notification or full lock screen after the upgrade, on machines which should already have had a hosts file set up and the services disabled, I think that this part, where it calls home to check if you have accepted the policy changes, amongst other things including any restrictions that this device might have (like region), is ignoring the hosts file.

@JediRhymeTrix

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

@rcarlosnyc

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

Run the script from skipmdm.com on your Ventura. It will create an account Apple during the script and block the appropriate sites so it can’t check for device enrollment. You can delete the account it created then update to Sonoma.

@AngelCrum

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...


@mikevic18

mikevic18 commented Oct 2, 2023

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...

  1. Shut down your Mac and enter Recovery.
  2. Open up the terminal in Recovery and type to disable SIP:
  3. csrutil disable
  4. Reboot your Mac and open up a terminal after booting in macOS.
  5. Finally, to remove the annoying notification, enter the following:
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord 
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound 
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound 
sudo launchctl disable system/com.apple.ManagedClient.enroll
sudo launchctl disable system/com.apple.mdmclient.daemon 
sudo launchctl disable system/com.apple.mdmclient
sudo launchctl disable system/com.apple.devicemanagementclient.teslad

You can then either keep SIP off or turn it back on in recovery by typing csrutil enable in the recovery terminal
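
Seen from the side of an organisation that owns the Mac, the changes discussed in this thread (enrollment hostnames sinkholed in /etc/hosts, management daemons disabled with launchctl, swapped `.cloudConfig*` marker files) are straightforward to audit. The script below is an added example, not code from any commenter or from the gist; its function names, the constructed sample files, and the `=> disabled` / `=> true` line format it expects from `launchctl print-disabled system` are assumptions.

```shell
#!/bin/sh
# Added example: audit a Mac your organisation owns for the enrollment-tamper
# indicators discussed in this thread. Function names are illustrative.

# Hostnames and launchd labels exactly as they appear in the thread.
MDM_DOMAINS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com acmdm.apple.com albert.apple.com"
MDM_SERVICES="com.apple.ManagedClient.enroll com.apple.mdmclient.daemon com.apple.mdmclient com.apple.devicemanagementclient.teslad"
SETTINGS_REL="var/db/ConfigurationProfiles/Settings"

# Print each enrollment hostname that a hosts file maps to a sinkhole address.
sinkholed_domains() {  # $1 = path to a hosts file
    [ -r "$1" ] || return 0
    awk -v want="$MDM_DOMAINS" '
        BEGIN { n = split(want, d, " "); for (i = 1; i <= n; i++) watch[d[i]] = 1 }
        { sub("#.*", "") }    # ignore comments, including commented-out entries
        $1 == "0.0.0.0" || $1 ~ /^127\./ || $1 == "::1" || $1 == "::" {
            for (i = 2; i <= NF; i++) { h = tolower($i); if (h in watch) print h }
        }' "$1" | sort -u
}

# Print each watched launchd label that saved `launchctl print-disabled system`
# output marks as disabled (assumed line format: "label" => disabled | true).
disabled_services() {  # $1 = file holding the saved output
    for svc in $MDM_SERVICES; do
        # Fixed-string match on the quoted label, so com.apple.mdmclient
        # does not also match com.apple.mdmclient.daemon.
        if grep -Fq -e "\"$svc\" => disabled" -e "\"$svc\" => true" "$1" 2>/dev/null; then
            echo "$svc"
        fi
    done
}

# Report marker-file state that is unexpected on a device assigned to your MDM.
# .cloudConfigProfileInstalled is not flagged: this example assumes it can also
# exist on a properly enrolled Mac.
marker_anomalies() {  # $1 = filesystem root ("/" on a live system)
    dir="${1%/}/$SETTINGS_REL"
    for f in .cloudConfigHasActivationRecord .cloudConfigRecordFound; do
        [ -e "$dir/$f" ] || echo "missing $f"
    done
    if [ -e "$dir/.cloudConfigRecordNotFound" ]; then
        echo "present .cloudConfigRecordNotFound"
    fi
}

# Run all three checks; print findings and return 1 if any indicator is found.
audit() {  # $1 = filesystem root, $2 = saved print-disabled output
    root="${1%/}"
    findings=$(
        sinkholed_domains "$root/etc/hosts" | sed 's/^/hosts-sinkhole: /'
        disabled_services "$2" | sed 's/^/service-disabled: /'
        marker_anomalies "$root" | sed 's/^/marker: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample tree (test data only, not from a real machine).
make_sample() {  # prints the path of the sample root
    s=$(mktemp -d)
    mkdir -p "$s/etc" "$s/$SETTINGS_REL"
    cat > "$s/etc/hosts" <<'EOF'
127.0.0.1 localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com   # constructed entry
# 0.0.0.0 deviceenrollment.apple.com
192.0.2.10 albert.apple.com
EOF
    cat > "$s/launchctl.txt" <<'EOF'
disabled services = {
    "com.apple.mdmclient.daemon" => disabled
    "com.apple.mdmclient" => enabled
    "com.apple.ManagedClient.enroll" => true
}
EOF
    : > "$s/$SETTINGS_REL/.cloudConfigRecordNotFound"
    : > "$s/$SETTINGS_REL/.cloudConfigHasActivationRecord"
    echo "$s"
}

# Live use on the Mac itself, as root: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    out=$(mktemp)
    launchctl print-disabled system > "$out"
    audit / "$out"; rc=$?
    rm -f "$out"
    exit "$rc"
fi
```

The marker findings are only meaningful for serial numbers you know are assigned to your MDM server; on an unassigned Mac a missing `.cloudConfigRecordFound` is the normal state.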

@mikevic18

mikevic18 commented Oct 2, 2023

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

Block access to the listed domains in your router and update manually normally (get the macOS Sonoma update from the App Store and allow it to update normally). After that you can check the hosts file and disable the aforementioned services again.

@alucardness

I think it's not allowed for Apple to change your hosts file, especially if you have some custom ones. Sounds illegal to me.

@mikevic18

mikevic18 commented Oct 2, 2023

I think it's not allowed for Apple to change your hosts file, especially if you have some custom ones. Sounds illegal to me.

Apple can not modify your hosts file, however when updating macOS it can delete it and create a new blank one.
Apple can also bypass it at their will.
However, most of the time when they ignore it, it is not necessarily because they intended to do so but because the daemon is not loaded yet, as the upgrade process is not considered complete, and the boot is not complete until you click launch macOS.
Why can they delete it?
Firstly, it is stored in a system path (/etc), not a user path (/usr). macOS can alter at will whatever is being stored in any system path, just like Windows and any other operating system or program within its working directory.
Secondly, as an example, hypothetically I am an Apple macOS developer and I discovered a bug in the network manager and fixed said bug. After fixing the bug I would either have the option to tell the OS that during the update it should delete the hosts file and create a new one in order to limit conflicts or problems that might arise from having the old file format, or it might actually be a software development protocol to mark for deletion files related to the service I have made major changes to.

@AngelCrum

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...

  1. Shut down your Mac and enter Recovery.
  2. Open up the terminal in Recovery and type to disable SIP:
  3. csrutil disable
  4. Reboot your Mac and open up a terminal after booting in macOS.
  5. Finally, to remove the annoying notification, enter the following:
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord 
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound 
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound 
sudo launchctl disable system/com.apple.ManagedClient.enroll
sudo launchctl disable system/com.apple.mdmclient.daemon 
sudo launchctl disable system/com.apple.mdmclient
sudo launchctl disable system/com.apple.devicemanagementclient.teslad

You can then either keep SIP off or turn it back on in recovery by typing csrutil enable in the recovery terminal


Thanks friend, it doesn't work for me, what other option do you think works...?

@Aooga776

Aooga776 commented Oct 2, 2023

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

This is what I'm looking for. Can someone do step by step in one post going from Ventura to Sonoma please?

@MikeParder

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

This is what I'm looking for. Can someone do step by step in one post going from Ventura to Sonoma please?

Did you get an answer? In the same boat and can't afford to make a mistake. Thanks.

@MikeParder

I am running Sonoma, just upgrade manually and make sure to have blocked in the hosts file and in the router's settings the domains listed in this thread. After upgrading, check your hosts file and make sure that the services are still disabled. Additionally, you could block access to the internet of the services using a firewall like Little Snitch to make sure that even if Apple has added an additional domain or whatever type of check, all the traffic to and from the services is blocked.

Can you possibly walk me through this??

@2pravin7

2pravin7 commented Oct 5, 2023

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...

  1. Shut down your Mac and enter Recovery.
  2. Open up the terminal in Recovery and type to disable SIP:
  3. csrutil disable
  4. Reboot your Mac and open up a terminal after booting in macOS.
  5. Finally, to remove the annoying notification, enter the following:
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord 
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound 
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound 
sudo launchctl disable system/com.apple.ManagedClient.enroll
sudo launchctl disable system/com.apple.mdmclient.daemon 
sudo launchctl disable system/com.apple.mdmclient
sudo launchctl disable system/com.apple.devicemanagementclient.teslad

You can then either keep SIP off or turn it back on in recovery by typing csrutil enable in the recovery terminal

Worked like a charm! Thanks for sharing this :)

@mikevic18

I am running Sonoma, just upgrade manually and make sure to have blocked in the hosts file and in the router's settings the domains listed in this thread. After upgrading, check your hosts file and make sure that the services are still disabled. Additionally, you could block access to the internet of the services using a firewall like Little Snitch to make sure that even if Apple has added an additional domain or whatever type of check, all the traffic to and from the services is blocked.

Can you possibly walk me through this??

I am on bypassed Ventura with no notification/popup. If I want to upgrade to Sonoma without doing a clean install or wiping anything, what exactly do I need to do?

This is what I'm looking for. Can someone do step by step in one post going from Ventura to Sonoma please?

Here's the link to my comment above (click on the link or just scroll until you see it) with step-by-step instructions.

Let me know if you need any help

@mikevic18

mikevic18 commented Oct 5, 2023

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...

  1. Shut down your Mac and enter Recovery.
  2. Open up the terminal in Recovery and type to disable SIP:
  3. csrutil disable
  4. Reboot your Mac and open up a terminal after booting in macOS.
  5. Finally, to remove the annoying notification, enter the following:
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord 
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound 
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound 
sudo launchctl disable system/com.apple.ManagedClient.enroll
sudo launchctl disable system/com.apple.mdmclient.daemon 
sudo launchctl disable system/com.apple.mdmclient
sudo launchctl disable system/com.apple.devicemanagementclient.teslad

You can then either keep SIP off or turn it back on in recovery by typing csrutil enable in the recovery terminal


Thanks friend, it doesn't work for me, what other option do you think works...?

Did you add in the hosts file these domains?

  • mdmenrollment.apple.com
  • iprofiles.apple.com
  • deviceenrollment.apple.com
  • gdmf.apple.com
  • acmdm.apple.com

Also, did you restart after you ran the commands? If you didn't, can you try to do that first and let me know?
And just making sure: did you disable SIP in recovery before running the commands? If you did, and you did restart too, get Little Snitch or any other firewall and block internet access to the following services:
/usr/libexec/mdmclient
/usr/libexec/teslad

@mabearce1

So on both my wife's laptop (2019 13" MBP) and her iMac (2020 5K iMac) I went into the Host files and blocked it there. Once you get the computer up and running (off internet) or block in router. do this.

Open Terminal
sudo nano /etc/hosts
write in the following lines

0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 deviceenrollment.apple.com

save it and reboot

I went from Ventura to Sonoma on both NO problems at all. no popups and worked via OTA.
Just an FYI, gdmf.apple.com is the OTA updates installer. If you add that into the list, it will NOT pull updates via System Preferences and you have to manually install the OS for every update; it's SUPER annoying. So far no update has overwritten these in the hosts file, and it checks out that it's not MDM any time.

you can check via these 2 commands
sudo profiles status -type enrollment
---this will tell you if it had DEP or MDM should say "NO" to both
sudo profiles show -type enrollment
--this will try to ping the servers for MDM enrollment, if you did it correctly you should get "Error fetching Device Enrollment config...blah blah" this is meaning that when it fetches 0.0.0.0 doesn't exist...obviously!

But anyway using this method I upgraded with NO problems at all! and did it OTA as well.
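A detection-side view of the hosts-file entries discussed above, as an added example that is not part of any comment in this thread: a shell audit that a fleet administrator or incident responder could run to find active hosts entries overriding the Apple device-management hostnames named here. The function names and the sample hosts file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a hosts file for overrides of the
# Apple device-management hostnames named in the comments above.

# Hostnames taken from the thread; a comment above says OTA updates depend on
# gdmf.apple.com, so an override of it is reported separately.
WATCHED="mdmenrollment.apple.com iprofiles.apple.com deviceenrollment.apple.com gdmf.apple.com acmdm.apple.com"

# write_sample FILE: write a constructed hosts file used by the demo below.
write_sample() {
  cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com DeviceEnrollment.Apple.com   # two names, mixed case
#0.0.0.0 gdmf.apple.com
127.0.0.1 notmdmenrollment.apple.com
EOF
}

# audit_hosts FILE: print "LINE<TAB>ADDRESS<TAB>HOSTNAME" for every active
# entry that pins a watched hostname to any address.
audit_hosts() {
  awk -v watched="$WATCHED" '
    BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    {
      sub(/#.*/, "")               # strip full-line and trailing comments
      if (NF < 2) next             # an entry needs an address and a name
      for (i = 2; i <= NF; i++) {  # one line may carry several names
        h = tolower($i)            # hostnames are case-insensitive
        sub(/\.$/, "", h)          # tolerate a trailing root dot
        if (h in want) printf "%d\t%s\t%s\n", NR, $1, h
      }
    }
  ' "$1"
}

# count_overrides FILE: number of watched hostnames overridden.
count_overrides() { audit_hosts "$1" | wc -l | tr -d ' '; }

# updates_affected FILE: succeed if gdmf.apple.com is overridden.
updates_affected() {
  audit_hosts "$1" | awk -F '\t' '$3 == "gdmf.apple.com" { f = 1 } END { exit !f }'
}

# report FILE: human-readable summary; returns 1 when overrides exist.
report() {
  n=$(count_overrides "$1")
  if [ "$n" -eq 0 ]; then
    echo "OK: no device-management hostnames overridden in $1"
    return 0
  fi
  echo "FINDING: $n override(s) in $1"
  audit_hosts "$1" | while IFS="$(printf '\t')" read -r line addr host; do
    echo "  line $line: $host -> $addr"
  done
  if updates_affected "$1"; then
    echo "  note: gdmf.apple.com is overridden; OTA updates are affected"
  fi
  return 1
}

# Demo on the constructed sample file.
demo=$(mktemp)
write_sample "$demo"
report "$demo" || true
rm -f "$demo"
```

On a managed Mac the same check is `report /etc/hosts`; the commented-out entry and the look-alike hostname in the sample are deliberately not reported.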

@MikeParder

So on both my wife's laptop (2019 13" MBP) and her iMac (2020 5K iMac) I went into the Host files and blocked it there. Once you get the computer up and running (off internet) or block in router. do this.

Open Terminal
sudo nano /etc/hosts
write in the following lines

0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 deviceenrollment.apple.com

save it and reboot

I went from Ventura to Sonoma on both NO problems at all. no popups and worked via OTA.
Just an FYI, gdmf.apple.com is the OTA updates installer. If you add that into the list, it will NOT pull updates via System Preferences and you have to manually install the OS for every update; it's SUPER annoying. So far no update has overwritten these in the hosts file, and it checks out that it's not MDM any time.

you can check via these 2 commands
sudo profiles status -type enrollment
---this will tell you if it had DEP or MDM should say "NO" to both
sudo profiles show -type enrollment
--this will try to ping the servers for MDM enrollment, if you did it correctly you should get "Error fetching Device Enrollment config...blah blah" this is meaning that when it fetches 0.0.0.0 doesn't exist...obviously!

But anyway using this method I upgraded with NO problems at all! and did it OTA as well.

Can you elaborate for a simpleton like myself? How do you go into the host file and block there? And block what exactly? Also block what and where? Either way, my situation is that I am on Ventura on a bypassed MDM MacBook Pro 16" M2 Pro and I want to do a normal update to Sonoma and need assistance. Thank you.

@tecnicalapple

tecnicalapple commented Oct 6, 2023

How to remove the MDM notification on Ventura and be able to update to any version without having to redo the process. With this method, Sonoma does not pull anything from the MDM because the MDM will be blocked. If it worked, comment below cause I'm new here. c;

Remember: if you redo the process via pendrive, you must redo the process from scratch; the update is only valid when you install the new version through the Apple system in the update tab and not via pendrive.

To remove this notification, first redo the process, otherwise it won't work. after installing ventura configured to not pull the mdm just install the autotool in the link: https://mega.nz/file/E6EWgbCb#kFq52LfsJ1XSxuClq-fxTBTbLrq4a7bGqboAz-o5588
click on "AutoTools_MAC.command and then click on open and then press 6 and enter and that's it, just be happy. I did it on an m2 max and I'm able to update the system. I was on ventura, I did the process and updated. Today I'm on ventura build 1 beta 2. the system when updating does not pull anything. But if you need to format via pendrive you will have to redo the process. But if you are going to update you can continue as it will not pull anything.
It doesn't even feel like I'm using my Mac with MDM because I can update just fine and not worry.

(If anyone is having trouble installing Ventura on an MDM computer, I'll post the step-by-step instructions here.)

follow step by step:

1- install ventura again, repeat the process. (remembering that it is the same process as above of installing ventura and installing root and installing a new user. When you get to the home screen, do this process.).

2- After completing the above process, download the autotools that I left in the link.

3- open the file and click open

4- after opening, put option 6 and enter

7- just be happy and be able to update the system without pulling anything from the mdm as it will be unlocked


@alucardness

alucardness commented Oct 6, 2023

@Ran-Xing what do you mean?

What’s new for Enterprise in macOS Sonoma

Enterprise changes in macOS Sonoma

macOS Sonoma includes new features such as declarative device management for software updates, account-driven enrollment, and enhancements to Managed Apple IDs.

Device Management

  • MDM can enforce software updates by a certain date and time and users get additional information in System Settings when an update is requested and when it’s enforced.
  • Automated Device Enrollment can be enforced after Setup Assistant.
  • MDM can enable account-driven User Enrollment and account-driven Device Enrollment to allow users to enroll their Mac using their Organization ID in System Settings. Profile-based User Enrollment is deprecated and will be removed in a future release.
  • The notification that requests the user enroll in MDM is replaced with a full-screen Setup Assistant experience for a Mac using Automated Device Enrollment.
  • New features in platform single sign-on.
  • Enhancements to password requirement enforcement.
  • MDM can granularly restrict more individual settings in System Settings.
  • MDM can require admin users to turn on FileVault during Setup Assistant.
  • macOS now supports Managed Device Attestation.
  • Declarative device management can manage a set of configurations for some built-in services.
  • New declarations support the deployment of certificates and identities.
  • A new built-in network relay supports secure and transparent tunneling of traffic as an alternative to using VPN when accessing internal resources.
  • MDM can set the order in which transparent proxy extensions handle network traffic.
  • macOS now supports the creation of hardware-bound private keys for certificates issued using the ACME protocol.
  • Screen sharing capabilities are improved between Mac computers with Apple silicon over high-bandwidth connections.

Credits: https://mrmacintosh.com/macos-sonoma-14-0-23a344-is-live-whats-new/

@Ran-Xing

Ran-Xing commented Oct 6, 2023

Didn't say you

@alucardness

@Ran-Xing Yeah, but I was curious.

@Jbb08

Jbb08 commented Oct 6, 2023

So on both my wife's laptop (2019 13" MBP) and her iMac (2020 5K iMac) I went into the Host files and blocked it there. Once you get the computer up and running (off internet) or block in router. do this.
Open Terminal
sudo nano /etc/hosts
write in the following lines

0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 deviceenrollment.apple.com

save it and reboot

I went from Ventura to Sonoma on both NO problems at all. no popups and worked via OTA.
Just an FYI, gdmf.apple.com is the OTA updates installer. If you add that into the list, it will NOT pull updates via System Preferences and you have to manually install the OS for every update; it's SUPER annoying. So far no update has overwritten these in the hosts file, and it checks out that it's not MDM any time.

you can check via these 2 commands
sudo profiles status -type enrollment
---this will tell you if it had DEP or MDM should say "NO" to both
sudo profiles show -type enrollment
--this will try to ping the servers for MDM enrollment, if you did it correctly you should get "Error fetching Device Enrollment config...blah blah" this is meaning that when it fetches 0.0.0.0 doesn't exist...obviously!
But anyway using this method I upgraded with NO problems at all! and did it OTA as well.

Can you elaborate for a simpleton like myself? How do you go into the host file and block there? And block what exactly? Also block what and where? Either way, my situation is that I am on Ventura on a bypassed MDM MacBook Pro 16" M2 Pro and I want to do a normal update to Sonoma and need assistance. Thank you.

This is what I did..

open terminal app (on my Ventura M2 Max) this is found in Applications/Utilities
Then type
sudo nano /etc/hosts

enter your password
then add the following entries ensure they aren’t hashed out # aka there is nothing in front of the 0

0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
0.0.0.0 deviceenrollment.apple.com

once added hit control x to save and exit type Y to accept changes.

To be even more safe I use a Linksys Velop router so I went into Parental controls and on the MacBook Pro Device selected I also blocked the 3 specific sites above. This should stop that device from accessing those sites ever…

I went into settings and upgraded to Sonoma as per usual.

it rebooted, I logged in as normal
Opened terminal and used the same command sudo nano /etc/hosts
And my entries were still there, no alerts or notifications.

All working.

@sgoggins

sgoggins commented Oct 6, 2023

@henrik242 : THANK YOU THANK YOU THANK YOU!!! This saved my 2019 era Mac Pro from the depths of faux security hell!!

	sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
	sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
	sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
	sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

FTW!

@sekundaer

sekundaer commented Oct 9, 2023

This might be a dumb comment / question, but nothing changes after running csrutil disable, i.e., the device management window remains and I cannot open the terminal to run the other commands. What can I do / what am I missing?

@xxxx04170208

Hi even after holding on recovery it still opens up this screen, any way to bypass this?

Hi, I have the same problem. Were you able to remove the lock? Can you please tell me how you did it?

@csrutil

csrutil commented Oct 24, 2023

@xxxx04170208 I think your mac has T2 chip in it, so there is nothing we can do to bypass it.

@Kaus1kC0des

sudo profiles show -type enrollment

Did this work correctly, because I'm using an Intel MacBook Pro 2018 and I was constantly getting this MDM Enrollment notification pop up on Sonoma and one day the pop up won't go, it stayed there with no option to cancel.

Then I wiped the disk and went back to Mojave, then I've come back to Ventura following the steps mentioned in your post, setting the IP address of the mentioned websites to 0.0.0.0.

Now can I upgrade to Sonoma??

@Mktulio

Mktulio commented Oct 27, 2023

Well, I don't get the alert, I just have that annoying notification. I still can't find how to delete it...

  1. Shut down your Mac and enter Recovery.
  2. Open up the terminal in Recovery and type to disable SIP:
  3. csrutil disable
  4. Reboot your Mac and open up a terminal after booting in macOS.
  5. Finally, to remove the annoying notification, enter the following:
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
sudo launchctl disable system/com.apple.ManagedClient.enroll
sudo launchctl disable system/com.apple.mdmclient.daemon
sudo launchctl disable system/com.apple.mdmclient
sudo launchctl disable system/com.apple.devicemanagementclient.teslad

You can then either keep SIP off or turn it back on in recovery by typing csrutil enable in the recovery terminal

Worked like a charm! Thanks for sharing this :)

Good evening, everyone! Can I update without trouble? It worked on mine, second day without the annoying popup. Can I update to Sonoma 14.1?


@MikeParder

might be a stupid question and off topic, but would apple accept one of these bypassed M2 Pro Macbook Pro's for a trade in?

@alucardness

might be a stupid question and off topic, but would apple accept one of these bypassed M2 Pro Macbook Pro's for a trade in?

They will accept it, but you won't get any benefits 😔

@TomRider22

Hello all,
Does anybody know if the file ".deviceConfigurationBits" is needed or can be removed? If I cat it, I can see the parameter "DeviceConfigurationFlags" with value 9. I have changed it to 0. I tried to find info regarding this parameter and value, but there does not seem to be a lot of info about it.
https://github.com/mosen/macdocs/blob/master/source/DEP/ios-activation.rst?plain=1#L143


@BXYMartin

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Thanks a lot for your detailed guide, I just tried to remove MDM for M2 MacBook with Ventura 13.6.1 and it works like a charm after some trial and error. The caveat is to make sure that you wiped your internal disk before restoring the external one to the internal one. Some steps failed for me the first time, so just reboot your computer when it doesn’t work and try it again. The first time when all the steps were completed, I got an error saying the macOS does not match the one Apple provides, so I just tried everything from scratch again. When trying to restore the disk, I often get the seal broken error, and it can be fixed by actually booting into the system. For the last step when we do a “fresh” install and overwrite the disk, you can directly do it via the recovery menu, it doesn’t have to be installed from the external drive if the macOS version matches.

Thanks again for the nice guide and hope this comment is helpful for other people as well on this.

@anthumchris

anthumchris commented Nov 11, 2023

Tested with macOS Ventura 13.6.1, Nov 2023. I used this alternative, because the services kept starting after re-activating SIP.

Boot into Recovery Mode from any csrutil status and run:

VOL="/Volumes/Macintosh HD"                                                       # Your HD name
mount -uw $VOL                                                                    # Bypass read-only
cd $VOL/System/Library

mkdir -p LaunchAgents-inactive LaunchDaemons-inactive                             # Remove service configs
mv -v LaunchAgents/com.apple.{ManagedClient,mdmclient}* LaunchAgents-inactive
mv -v LaunchDaemons/com.apple.{ManagedClient,mdmclient}* LaunchDaemons-inactive

bless --mount $VOL --create-snapshot --bootefi                                    # Create bootable, unsigned snapshot
csrutil authenticated-root disable                                                # Boot from unsigned snapshots
reboot

Confirm the services are disabled and show your new bootable snapshot:

diskutil apfs listSnapshots /
sudo launchctl list | egrep -i 'ManagedClient|mdmclient'

@fmodesto30

fmodesto30 commented Nov 19, 2023

Hello everyone!

I could resolve it using macOS Ventura 13.6.1. I followed 2 posts. November 2023.

One to get rid of DEP screen and another to get rid of that annoying message every minute.

1 - Many thanks @joshworksit! It worked with macOS Ventura 13.6.1. Amazing stuff you shared it took me 5 minutes. I would be very glad to donate anything. Thanks again.

2 - @pritpalspall I could get rid of that message for good. Thank you so much!

You guys rock.

@BuckLearnsCode

Uhh... where is @joshworksit 's post @fmodesto30 ?

@gordi415

gordi415 commented Nov 26, 2023 via email

@visionguy55

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Thanks a lot for your detailed guide, I just tried to remove MDM for M2 MacBook with Ventura 13.6.1 and it works like a charm after some trial and error. The caveat is to make sure that you wiped your internal disk before restoring the external one to the internal one. Some steps failed for me the first time, so just reboot your computer when it doesn’t work and try it again. The first time when all the steps were completed, I got an error saying the macOS does not match the one Apple provides, so I just tried everything from scratch again. When trying to restore the disk, I often get the seal broken error, and it can be fixed by actually booting into the system. For the last step when we do a “fresh” install and overwrite the disk, you can directly do it via the recovery menu, it doesn’t have to be installed from the external drive if the macOS version matches.

Thanks again for the nice guide and hope this comment is helpful for other people as well on this.

Hi guys,
I followed this and managed to bypass my MacBook (needed to repeat some steps a few times but finally worked)! Thank you for the great instruction!
I have two questions:
1- Would updating from Ventura to Sonoma void the bypass?
2- I keep getting a pop up message suggesting to enroll again to the original organization. I can press "cancel" and pass it, but I was wondering if there is a way to prevent those occasional pop-ups.

@TomRider22

@visionguy55 If you see such a notification, you have not fully bypassed mdm. If you upgrade your OS to Sonoma you will be blocked after reboot or some short time after it.

@fmodesto30

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.
On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.
Once the restore is finished. Remove the External SSD Boot from the internal disk
You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
Enjoy. took me a while to figure this out after trying many things.
I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Thanks a lot for your detailed guide, I just tried to remove MDM for M2 MacBook with Ventura 13.6.1 and it works like a charm after some trial and error. The caveat is to make sure that you wiped your internal disk before restoring the external one to the internal one. Some steps failed for me the first time, so just reboot your computer when it doesn't work and try again. The first time all the steps were completed, I got an error saying the macOS does not match the one Apple provides, so I just tried everything from scratch again. When trying to restore the disk, I often got the seal broken error, which can be fixed by actually booting into the system. For the last step, when we do a "fresh" install and overwrite the disk, you can do it directly via the recovery menu; it doesn't have to be installed from the external drive if the macOS version matches.
Thanks again for the nice guide and hope this comment is helpful for other people as well on this.

Hi guys, I followed this and managed to bypass my MacBook (needed to repeat some steps a few times but finally worked)! Thank you for the great instruction! I have two questions: 1- Would updating from Ventura to Sonoma void the bypass? 2- I keep getting a pop up message suggesting to enroll again to the original organization. I can press "cancel" and pass it, but I was wondering if there is a way to prevent those occasional pop-ups.

You still have to disable MDM notifications: https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4553175#gistcomment-4553175

@visionguy55

Thank you @TomRider22 and @fmodesto30 for your replies. Please see mine below:

@visionguy55 If you see such a notification, you have not fully bypassed mdm. If you upgrade your OS to Sonoma you will be blocked after reboot or some short time after it.

@TomRider22 Does it really mean that I have not bypassed mdm? Because I have full control over the machine and there is no other signs other than this advisory message:

Screenshot at Dec 04 09-28-20 copy

Could I be getting this message because I setup my MS Outlook with the same organization account?

BTW, this popping up message seems to be gone after following @fmodesto30 's comment.

@TomRider22

@visionguy55 This message about device enrollment is triggered by the MDM mechanism, and the only reason for it is that it (MDM) was not disabled. Showing this type of message is a part of MDM and, unfortunately, it is not connected with the MS Outlook account. The main idea of DEP, the Device Enrollment Program, is that the company enrolls its laptops, or the laptops of its contractors, in Apple Business Manager. In Apple Business Manager, laptops are enrolled by their serial numbers. macOS has a default mechanism of checking Apple MDM servers, which Apple Business Manager is part of. If the serial number of the laptop is found in the database, first of all it will send and hardcode a setting to the laptop saying that it belongs to some organization and is a part of DEP. Then, depending on the OS version, it will notify you that you need to enroll your device or, if it's Sonoma, it will block the screen with an enrollment message so you can't postpone or escape from it. It's a good mechanism to prevent corporate laptops from being stolen, but a personal laptop that was enrolled in some company's MDM and then not unenrolled properly creates a bunch of problems for second-market users.

@visionguy55

@TomRider22 Thank you for the comprehensive explanation of the MDM mechanism. It appears that my attempt to bypass the MDM was not entirely successful. However, in line with @fmodesto30 's suggestion, the pop-up notification prompting enrollment with DEP has disappeared for now. I just hope that it won't reappear after any future system updates!

@BXYMartin Thanks again for sharing the instruction to bypass the MDM. I believed I exactly followed the instruction, however, it looks like my MDM bypassing was not fully successful. Do you have any comments or suggestions?

@OMeryCoN

OMeryCoN commented Dec 5, 2023

I'm running Sonoma 14.1 from a fresh installation. I've bypassed the MDM and added entries to the hosts file.

Is it possible to update it to Sonoma 14.1.2?

@fmodesto30

@OMeryCoN Probably.

@followthemoney1

In case someone is also interested:

  1. I've go to login to laptop in safe mode (on startup hold Shift)
  2. Log in as a normal user account
  3. Create a new admin account in Settings
  4. Delete the old one-time account created with MDM

@ehsan58

ehsan58 commented Dec 13, 2023

greeting i am on sonoma 14 and don't have any mdm notification
can i direct update to 14.2? is it safe? anyone did that direct?

@jeanswiegers

greeting i am on sonoma 14 and don't have any mdm notification can i direct update to 14.2? is it safe? anyone did that direct?

i did, and it still works fine.

@ehsan58

ehsan58 commented Dec 16, 2023

greeting i am on sonoma 14 and don't have any mdm notification can i direct update to 14.2? is it safe? anyone did that direct?

i did, and it still works fine.

Is there anything that needs to be done before the upgrade? Or just the skipmdm bypass done before?

@nerykell

Hi! I've been struggling with MDM quite a lot and found the easiest, but a little long solution to the problem, but you won't get mdm blocking and profile upload notifications. I have described as much detail as possible for different cases, so find your own and follow the instructions.
I'll tell you the pros and cons at the very end, and now let's move on to the beginning:

Preparatory Stages:

  1. If you are on macOS Ventura or Monterey and you have no problems with MDM, then download this utility https://checkm8.info/bypass-mac-mdm-lock and make a Bypass (this is a precautionary measure, without doing this, I cannot guarantee you a successful system update), if you have already done this before, then immediately proceed to the main stages.

  2. If you are on macOS Ventura or Monterey or Sonoma and you did not turn off the Internet during installation, then the MacBook will download the corporate profile and be blocked. In this case, there are 2 possible scenarios ->

Scenario 1: If your data is not on the computer, then feel free to format the disk and install Monterey/Ventura without the Internet, as soon as you have created a user and configured a MacBook, you can connect to the Internet and bypass MDM using this utility https://checkm8.info/bypass-mac-mdm-lock once you have bypassed MDM with this utility, you can proceed to the main stages.
Scenario 2: If you had Monterey/Ventura and received a lock after upgrading to Sonoma, then the data can still be saved if there was still +-100gb of free space on the disk or if you have an external hard drive

If you still have disk space and you need to restore data from a system blocked by your corporate profile, then follow these steps:

  1. Turn off your MacBook
  2. Reboot into recovery mode by pressing the touch id button
  3. Go to Settings
  4. Disk utility
  5. Divide your disk into 2 independent containers, it is important to note that we do not add a VOLUME for the disk, namely a CONTAINER
  6. Install Monterey/Ventura without internet in a new, empty container and bypass MDM using this utility https://checkm8.info/bypass-mac-mdm-lock
  7. Now in the Finder, find your other user from another container and transfer all the files of interest from the old disk container to the new one
  8. You can proceed to the main stages

If you have an external hard drive and you need to recover data from a locked corporate system profile, then follow these steps:

  1. Install Monterey/Ventura without internet and bypass MDM using this utility https://checkm8.info/bypass-mac-mdm-lock
  2. Now find your other user in the Finder and transfer all the files of interest from the internal drive to the external hard drive
  3. You can proceed to the main stages

The main steps:

  1. So, in order to upgrade to Sonoma without problems, we need an external SSD or HDD (we will save our backup copy of all data via time machine to it)
  2. Using the disk utility, format the external hard drive in APFS and in the settings in the main section select Time Machine, and in it select your external hard drive and then create a backup copy of all data
  3. As soon as the backup is created (you don't have to worry about data security, time machine saves literally everything you can), turn off your MacBook
  4. Enter recovery mode by pressing the touch id button.
  5. Disk utility
  6. Format your internal drive
  7. (Pre-create a bootable USB flash drive with macOS Sonoma) Start installing Sonoma without the Internet, configure your MacBook until you are prompted to transfer data from a time machine backup, select this item
  8. Restore all data from the backup and then complete the installation
  9. That's it, you don't need to do anything else, successful bypass!

The advantages of my method:

  1. Personally tested by me on a macbook pro 13" m1 and has been tested without any problems for a week now
  2. An easy way to bypass the regular macos methods
  3. Do you need more advantages besides reliability and simplicity? :)

Minuses:

  1. Quite a long time

@amylee-codes

amylee-codes commented Feb 18, 2024

(This article got hidden because of a problem with my account, so I try again):

I managed getting rid of spyware and worse w/ Sonoma (14.3.1).

System Info (redacted, personal information filtered)

>sudo sysinfo
Software:

    System Software Overview:

      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: <>
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: <>

Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: Mac15,9
      Model Number: <>
      Chip: Apple M3 Max
      Total Number of Cores: 16 (12 performance and 4 efficiency)
      Memory: 128 GB
      System Firmware Version: 10151.81.1
      OS Loader Version: 10151.81.1
      Serial Number (system): <>
      Hardware UUID: <>
      Provisioning UDID: <>
      Activation Lock Status: Disabled
>sudo profiles list
There are no configuration profiles installed in the system domain

>sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled.  Try again later.

Approach: Clean Wipe, Router Filter, skipmdm.com Script

This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).

Prerequisites

Block Apple URLs

Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and its "Blocked websites" filter to block these URLs:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

Make sure the blocker works (i.e. ping from another device)!

Clean Install

In recovery mode, wipe the hard disk and start a clean install with the bootable installer.

Activate the system

Connect to the internet once to activate the system (I could not proceed without). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.

Run the Script

In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users set up so far)!

Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead going w/ Apple:1234 - saves some time). The script should run without any errors (despite the long previous discussions).

Postwork

Block URLs in /etc/hosts

Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf..apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

Disable agents

>sudo launchctl disable system/com.apple.ManagedClientAgent.enrollagent
>sudo launchctl disable system/com.apple.mdmclient.daemon
>sudo launchctl disable system/com.apple.devicemanagementclient.teslad
# You might check other services and disable them - know what you do!
>sudo launchctl print system | sort | grep enabled

Little Snitch

Finally a firewall comes in handy to possibly add even more security: I blocked

/usr/libexec/teslad
/usr/libexec/mdmclient

(for both user + system).

This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. B.t.w. - in many countries these practices are unlawful, so I see following this approach justified as a way of self-defense.
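
For an administrator auditing managed Macs, the `/etc/hosts` entries listed in the comment above are a checkable indicator that enrollment traffic is being null-routed. The following is an added example, not part of the original comment or of any tool mentioned in this thread; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts-file entries that sinkhole Apple
# device-enrollment hostnames (the list comes from the comment above).
ENROLL_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com acmdm.apple.com albert.apple.com"

# audit_hosts FILE
# Prints one "hostname address" line per enrollment hostname that is mapped
# to a loopback or unspecified address; prints nothing if none are found.
audit_hosts() {
    awk -v watch="$ENROLL_HOSTS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/#.*/, "")              # ignore comments, whole-line or trailing
            if (NF < 2) next
            addr = $1
            # only null-routing addresses count; a routable address is not flagged
            if (addr != "0.0.0.0" && addr !~ /^127\./ && addr != "::1" && addr != "::") next
            for (f = 2; f <= NF; f++) { # one line may carry several names
                h = tolower($f)
                sub(/\.$/, "", h)       # tolerate a trailing root dot
                if (h in want) print h, addr
            }
        }
    ' "$1" | sort -u
}

# Constructed sample input covering the edge cases; not real data.
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com deviceenrollment.apple.com  # two names, one line
# 0.0.0.0 albert.apple.com   (commented out: must not be flagged)
192.0.2.10 gdmf.apple.com
::1 ACMDM.apple.com.
EOF
}

# Audit the file named on the command line, if any (e.g. /etc/hosts).
if [ $# -gt 0 ]; then
    audit_hosts "$1"
fi
```

Any output from `audit_hosts /etc/hosts` on a device that is supposed to be managed is worth correlating with the device's last MDM check-in time.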

@icarus2712

icarus2712 commented Mar 9, 2024

Can any brother here guide me for an Amazon-locked MacBook Pro 2017, non-touch Intel model? When I bought it used it was working perfectly, I even upgraded it to Ventura; however, when I formatted it for selling, it now asks for Amazon remote. Please help step by step.

@ooduck

ooduck commented Mar 16, 2024

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

I have the same issue. I can't boot to recovery mode because of this. Do you have recommendations to go through this?
I have Macbook Pro M1 2021 14"
@aviloveN @predragcvetkovski @Jbb08 @eternalgod @maclover696 @mikevic18

@haohanw

haohanw commented Mar 18, 2024

Hi even after holding on recovery it still opens up this screen, any way to bypass this? 20230423_125104

I have the same issue. I can't boot to recovery mode because of this. Do you have recommendations to go through this? I have Macbook Pro M1 2021 14" @aviloveN @predragcvetkovski @Jbb08 @eternalgod @maclover696 @mikevic18

Seems like it has been locked by the administrator after being enrolled in the MDM. You need another device with a T2 chip to reinstall this one via DFU mode.
Try this: https://www.youtube.com/watch?v=S8r9w4dduEw
