@henrik242 (Author)

henrik242 commented May 2, 2023

Hi, OP here. This is how I bypassed MDM/DEP on my M2 Macbook Pro with Ventura:

  1. Blocked iprofiles.apple.com, mdmenrollment.apple.com and deviceenrollment.apple.com in my router.
  2. On first install, I could skip internet connection
  3. On first login (still without network), I opened a Terminal and updated my /etc/hosts:
    echo 0.0.0.0 iprofiles.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 mdmenrollment.apple.com | sudo tee -a /etc/hosts
    echo 0.0.0.0 deviceenrollment.apple.com | sudo tee -a /etc/hosts
  4. Removed any lingering profiles just in case:
    sudo profiles remove -all

Done. I haven't seen any MDM/DEP requests, even after upgrading to later versions of Ventura.

I have also done some additional stuff, but I don't believe it's necessary:

  • Bought and installed the Little Snitch firewall, and blocked incoming and outgoing network for /usr/libexec/teslad and /usr/libexec/mdmclient, as well as the hosts in pt. 1.
  • Disabled teslad and mdmclient services:
    sudo launchctl disable system/com.apple.devicemanagementclient.teslad
    sudo launchctl disable gui/501/com.apple.mdmclient.agent
    

@Vicki-Olesen

Awesome.. many thanks for the update @henrik242 .. Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks

$ profiles status -type enrollment

@Vicki-Olesen

@henrik242 I am doing your steps now .. Could you please advise how you skipped the internet connection on the first install? Many thanks for your kind help and assistance; much appreciated

@maclover696

maclover696 commented May 2, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did
On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean Ventura to the internal drive.

Once the restore is finished.
Remove the External SSD
Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk.
REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

@Vicki-Olesen

Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks

$ profiles status -type enrollment

@maclover696

maclover696 commented May 3, 2023

> Many thanks @maclover696 for your method... Could you please share the output when you do the below command in Terminal (to verify the DEP status) using your method in M2? Thanks
>
> $ profiles status -type enrollment

here you go

Enrolled via DEP: No
MDM enrollment: No

The screens for MDM enrollment never showed up because I completely bypassed it thru the first computer. Yes, it does require another M1 computer that's non-DEP, but that process is just once, to build the External SSD OS.

I did find some videos about disabling wifi, login, enable wifi, download some software (is that software safe? Something about Checkm8) but I don't want to install software - I'm sure it's fine since people are using it but I don't want to run csrutil either, terminal etc.

Anyway, I felt it was too much babysitting the process so I'd rather just install it twice with my method cuz I can just go to sleep after part 1 started and just do part 2 and set it and forget it.

Much easier and requires no real attention to watch it install.

And the benefit of my method is that my external SSD can be updated with latest software so any new Macs I install would have all of the software I normally want on it. Visual Studio Code, nodejs, docker etc. It's a "golden image" for my own base build!

Glad I was able to contribute to this new method! I've been using the csrutil editing hosts tricks for many years. Frustrated a long time that I cannot do the same on M1 and Carbon Copy and SuperDuper are all failing also. My method can also help you dupe a working Mac completely if you ever say upgrade to a new computer and do not want to reset everything from scratch. I don't think Migration Assistant will migrate stuff I installed manually via GIT etc in various directories so I'd rather just copy it all as is in the future.
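
A defender-side audit of the two signals that appear in this thread, the /etc/hosts entries for Apple's enrollment hostnames and the `profiles status -type enrollment` output, written as an added example that is not code from any commenter. The function names, verdict strings and sample files are assumptions constructed for illustration, and the script assumes it only runs on Macs the organisation owns, so an unenrolled result is checked against inventory rather than treated as proof of tampering.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All sample inputs below are constructed.

# Enrollment hostnames named in the thread.
ENROLLMENT_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com"

# Print "hostname address" for every watched hostname the hosts file overrides.
# Comments are stripped; case and a trailing dot are normalised before matching.
find_enrollment_overrides() {
    awk -v wanted="$ENROLLMENT_HOSTS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        {
            sub(/#.*/, "")                  # drop trailing or whole-line comments
            for (i = 2; i <= NF; i++) {     # field 1 is the address, the rest are names
                name = tolower($i)
                sub(/\.$/, "", name)
                if (name in watch) print name, $1
            }
        }
    ' "$1"
}

# Read `profiles status -type enrollment` output on stdin and print
# "dep=<yes|no|unknown> mdm=<yes|no|unknown>". Only the first word of each
# value is kept, so "Yes (User Approved)" becomes "yes".
enrollment_state() {
    awk -F': *' '
        BEGIN { dep = "unknown"; mdm = "unknown" }
        /^Enrolled via DEP:/ { split($2, a, " "); dep = tolower(a[1]) }
        /^MDM enrollment:/   { split($2, a, " "); mdm = tolower(a[1]) }
        END { print "dep=" dep " mdm=" mdm }
    '
}

# One verdict line per device.
#   $1 = hosts file, $2 = file holding the saved profiles status output
# A hosts override is an alert on its own. An unenrolled device with a clean
# hosts file (what a cloned-disk install looks like) is flagged for review.
audit_enrollment() {
    overrides=$(find_enrollment_overrides "$1")
    state=$(enrollment_state < "$2")
    if [ -n "$overrides" ]; then
        count=$(printf '%s\n' "$overrides" | wc -l | tr -d ' ')
        echo "ALERT hosts-override count=$count $state"
    elif [ "$state" = "dep=no mdm=no" ]; then
        echo "REVIEW unenrolled $state"
    else
        echo "OK $state"
    fi
}

# Write constructed sample inputs into directory $1.
write_samples() {
    dir=$1
    cat > "$dir/hosts.tampered" <<'EOF'
127.0.0.1   localhost
255.255.255.255 broadcasthost
0.0.0.0 iprofiles.apple.com
0.0.0.0 MDMenrollment.apple.com.   # mixed case, trailing dot
#0.0.0.0 deviceenrollment.apple.com
EOF
    cat > "$dir/hosts.clean" <<'EOF'
127.0.0.1   localhost
::1         localhost
EOF
    printf 'Enrolled via DEP: No\nMDM enrollment: No\n' > "$dir/status.none"
    printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n' > "$dir/status.managed"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_enrollment "$tmp/hosts.tampered" "$tmp/status.none"
audit_enrollment "$tmp/hosts.clean"    "$tmp/status.none"
audit_enrollment "$tmp/hosts.clean"    "$tmp/status.managed"
rm -rf "$tmp"
```

On a real Mac the inputs would be `/etc/hosts` and the saved output of `profiles status -type enrollment`; the commented-out entry in the sample is deliberately not counted.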

@hohodyret

@maclover696
Thank you for your detailed guide.

I was wondering if this guide works if I only have a MacBook Pro Late 2017 model, or do I need a MacBook with the new M1/M2 architecture?

@yff0216

yff0216 commented May 6, 2023

Very good, thank you.

@thrashingkitten

thrashingkitten commented May 6, 2023

I have an M1 device that I'm pretty sure I was able to disable the MDM profile on. I don't see it popping up anymore and I have admin access. I ran the sudo script to see if there were any profiles listed and it said no profiles found. I was able to update to Ventura; will I be good to update in the future?

@Vicki-Olesen

> I have an M1 device that I'm pretty sure I was able to disable the MDM profile on. I don't see it popping up anymore and I have admin access. I ran the sudo script to see if there were any profiles listed and it said no profiles found. I was able to update to Ventura; will I be good to update in the future?

Yes

@piranhap

piranhap commented May 8, 2023

@maclover696 Do you know if this method works on a Mac that is not M1/M2?

@maclover696

> @maclover696 Do you know if this method works on a Mac that is not M1/M2?

Yes, it works. I tried it on couple of Intel x86 Macbooks.

What you do need to do is--- make sure you go into Secure Boot and enable boot from external USBs. That seems to be something that was off by default on couple of my Intel Macbooks and I had to allow it to boot from external drives.

Otherwise it works the same way I did it on the M2 or M1 Macbook Air.

@maclover696

Note you have to create a new image off of another Intel x86 macbook first that is Non-DEP Enabled. You cannot use the M1/M2 OS replica on Intel x86. Just want to make sure I clarified that point.

@bagofcig

bagofcig commented May 9, 2023

Do you know if this method works on macbook Pro M2 max 2023?
And also, do I have to use m1/m2 mac or any older Mac devices? Because I have an older Macbook 2015

@Cobalt-Genie

Question for those who have tried to bypass DEP via the "install the OS on a second machine" method that's been detailed above. After the install, has anyone tried to set up (or use their existing) Apple ID on the new machine, if so — were there any issues?

I bought an as-is MBP 16" 2019 model for parts, surprisingly  — I was able to get it back up and running but I'm getting the "The xxx can automatically configure your Mac" popup.

@kblackwall

@aviloveN Could you write steps you went through, please? May I contact you somehow?

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way.
I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

@maclover696

Do you know if this method works on macbook Pro M2 max 2023? And also, do I have to use m1/m2 mac or any older Mac devices? Because I have an older Macbook 2015

It should work on M2 Pro Max. I built the image on M1 Pro Max, then deployed it on M2 Air and M1 Pro and M1 Air.

You must use M1/M2 as the first Mac non-DEP in order to get the proper image for Apple Silicon.

Your 2015 Macbook is Intel chipset and will not work.

@maclover696

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

@maclover696

Question for those who have tried to bypass DEP via the "install the OS on a second machine" method that's been detailed above. After the install, has anyone tried to set up (or use their existing) Apple ID on the new machine? If so, were there any issues?

No issues, I've done this like 4 times already. It will ask you to authenticate again (because I didn't log out when I built the image from the first Apple Silicon non-DEP machine)

I bought an as-is MBP 16" 2019 model for parts, surprisingly  — I was able to get it back up and running but I'm getting the "The xxx can automatically configure your Mac" popup.

You can use the old DEP bypass method on the Intel MBP 16. Or you can do exactly what I did. I replicated the built image from non-DEP then deploy to DEP-enabled machine method using Intel Macs also. It's the same procedure but you do need to make sure the Intel MacBooks are set to allow external USB boot. It's in recovery mode secure boot utilities.

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

@r1vered

r1vered commented May 13, 2023

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Are you saying that this method completely rids the Mac of any DEP going forward? So if I wanted to do a clean install a year from now or update to whatever comes after Ventura, I'll no longer have to jump through hoops ever again?

@predragcvetkovski

predragcvetkovski commented May 15, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything: MacBook, Studio, etc.). This machine must not have DEP/Business Manager enabled.
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean Ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

How to Bypass Activation Lock on Mac:

5/14/23 - another successful bypass of DEP on M1 2020 MacBook Air with Ventura (credit goes to @maclover696 👏👏👏)

Here is an updated version that works (modified steps to erase internal physical drive, which forces device restart into Activation screen):

Pre-requirements:

  • Mac with Activation Lock
  • Unlocked Mac laptop or desktop (e.g., M1, M2, Pro, Mini, Studio, etc.) - not enrolled in Device Enrollment Program (DEP) / Mobile Device Management (MDM)
  • USB Flash Drive (14GB+ USB3.x/USB-C/Thunderbolt) - To create a USB Boot installer for macOS
  • External SSD (50GB+ USB3.x/USB-C/Thunderbolt) - To install and boot from external drive

Step by step instructions on:

Unlocked Mac

  1. Create a bootable installer with macOS Ventura on USB Flash Drive, see instructions at https://support.apple.com/en-us/HT201372
  2. Restart and boot from USB Flash Drive with macOS Ventura
  3. Install macOS Ventura on the External SSD
  4. Finish installation and create a user account
  5. Boot from External SSD to make sure it is working

Congrats 🎉🎉🎉 now you have a bootable external SSD

Mac with Activation Lock*

  1. Boot into Recovery mode, see instructions at https://support.apple.com/en-us/HT201255
  2. Open Disk Utility > select Internal Drive (or Macintosh HD) > click Restore > select External SSD (this process will fail, nothing to worry about)
  3. Erase Internal Drive (all volumes)
  4. Repeat step 3 above, select Internal Drive (or Macintosh HD) > click Restore > select External SSD. Be patient, the restoration speed varies depending on the type of External SSD and connectivity - some 45-60min on Samsung 980Pro 1TB NVMe in Sabrent USB-C enclosure. (this time the operation will succeed)
  5. Shut down > remove External SSD
  6. Boot from Internal Drive (this process will fail, and it will restart into Recovery mode, nothing to worry about)
  7. Restart and boot from USB Flash Drive with macOS Ventura
  8. Connect to WiFi/LAN, macOS Ventura requires internet connection for installation (no need to block ports on your router or /etc/hosts hacks, csrutil, etc.)
  9. Install macOS Ventura from USB Flash Drive to Internal Drive (this time do not erase internal drive)
  10. Restart after the OS installation is complete and login with the user credentials created on External SSD installation (step 4 from unlocked Mac)

Congrats 🎉🎉🎉 you've just 🔗‍💥 bypassed DEP/Business Manager

*Depending on the state of your Mac, you may need Apple Configurator to revive / restore your Mac to bring it back to life. See instructions at https://support.apple.com/guide/apple-configurator-mac/revive-or-restore-a-mac-with-apple-silicon-apdd5f3c75ad/mac and Apple Silicon M1/M2 macOS IPSW Firmware Restore Files Database https://mrmacintosh.com/apple-silicon-m1-full-macos-restore-ipsw-firmware-files-database/ alternatively Apple Configurator will download automatically the latest version.

@Vicki-Olesen

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

@mabearce1

Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

I’ve never been able to; that was my question.

@predragcvetkovski

@Vicki-Olesen @mabearce1 updates are working fine, you can login with an Apple ID, access appstore to get, install or update any software, including system updates.

Alternatively, in case you don't want to login, you can always update macOS, and any installed software on your External USB, however you will need to repeat the process above on both devices, as suggested by @maclover696

If you are interested to learn how DEP/MDM works, and what happens to a device without DEP (run profiles status -type enrollment to confirm), these are good links:
Apple Guide
Device with DEP
Using DEP

Things to remember your device hits different Apple servers:

  • during macOS Ventura installation to check DEP status (MDM servers)
  • when you run profiles status -type enrollment (MDM servers)
  • login with Apple ID (Discover Authentication Servers)

Apple device without DEP is like Twitter tweet with Elon's 🔬
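
For administrators auditing a fleet, the two signals discussed in this thread (hosts-file entries for Apple's enrollment hostnames, and the output of `profiles status -type enrollment`) can be checked together. This is an added example, not code from any commenter; the function names are hypothetical, the status line format ("MDM enrollment: Yes (User Approved)") is an assumption, and the sample data is constructed.

```shell
#!/bin/sh
# Added example for fleet admins: flag Macs whose enrollment check-in is blocked.
# Hostnames are the three that the first post in this thread sinkholes.
ENROLL_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com"

# Print each enrollment hostname that the given hosts file maps to any address.
hosts_overrides() {
    for h in $ENROLL_HOSTS; do
        # Drop comments first so a commented-out entry is not reported.
        if sed 's/#.*//' "$1" | awk -v h="$h" '
            { for (i = 2; i <= NF; i++) if (tolower($i) == h) found = 1 }
            END { exit !found }'; then
            printf '%s\n' "$h"
        fi
    done
}

# Extract one field from saved `profiles status -type enrollment` output.
# Assumed line format: "MDM enrollment: Yes (User Approved)".
enrollment_field() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '
        { sub(/^[ \t]+/, "") }
        $1 == k { print $2; exit }'
}

# Combine both signals into one verdict line per device.
audit_device() {
    blocked=$(hosts_overrides "$1" | tr '\n' ' ')
    mdm=$(enrollment_field "MDM enrollment" "$2")
    if [ -n "$blocked" ]; then
        echo "FLAG hosts-override: ${blocked% }"
    elif [ "${mdm%% *}" != "Yes" ]; then
        echo "FLAG not-enrolled"
    else
        echo "OK"
    fi
}

# Constructed sample data (not taken from a real machine).
sample_hosts=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' '0.0.0.0 mdmenrollment.apple.com' \
    '# 0.0.0.0 iprofiles.apple.com' > "$sample_hosts"
sample_status='Enrolled via DEP: No
MDM enrollment: No'
audit_device "$sample_hosts" "$sample_status"
rm -f "$sample_hosts"
```

On a real Mac, pass `/etc/hosts` and the saved output of `sudo profiles status -type enrollment`; a hosts override is reported first because it also explains why a device never shows up as enrolled.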

@Vicki-Olesen

Many thanks @predragcvetkovski for your kind assistance; much appreciated. So can you confirm that you can update your Mac OS normally via General -> Software Update in system settings? No DEP notifications are sent to you after this without blocking hosts written in earlier threads and comments?

One last thing, what does the below command line show when you write it in the terminal?

sudo profiles show -type enrollment

@maclover696 I would highly appreciate it if you can advise as well.

Many thanks again for both of you

@Vicki-Olesen

@predragcvetkovski @maclover696 Could you please advise? Many thanks
