@Vicki-Olesen

> Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

> no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

> So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

@mabearce1

> Question here.....So I have paid for a service prior to seeing these months ago on my wife's laptop and iMac....I cannot do Auto updates I have to download the full OS and run it that way. I just did another MacBook Air 2020 using the echo "0.0.0.0..." method mentioned and seems to have worked, but again, no MacOS updates OTA...I have to go into the AppStore and download them 100% all 12GB of them. Kind of annoying if ya ask me! Any way to get OTA back up and working?

> no idea since we have no idea what this paid-service did to your computer to bypass DEP. It sounds like some weird method as I was able to run updates in the Intel bypass methods for many years.

> So, this is with the Paid service...and also, using the method at the top of the page and still won't update the MacOS. I might try the method before...However I will say I have bypassed them with installs before and a few days later that popup comes up...wondering if that depends on the MDM?

> Hi @mabearce1 @maclover696 .. would I be able to do updates normally? Thanks

I’ve never been able to; that was my question.

@predragcvetkovski

@Vicki-Olesen @mabearce1 updates are working fine; you can log in with an Apple ID and access the App Store to get, install or update any software, including system updates.

Alternatively, in case you don't want to login, you can always update macOS, and any installed software on your External USB, however you will need to repeat the process above on both devices, as suggested by @maclover696

If you are interested to learn how DEP/MDM works, and what happens to a device without DEP (run `profiles status -type enrollment` to confirm), these are good links:
Apple Guide
Device with DEP
Using DEP

Things to remember: your device hits different Apple servers:

  • during macOS Ventura installation to check DEP status (MDM servers)
  • when you run `profiles status -type enrollment` (MDM servers)
  • when you log in with an Apple ID (Discover Authentication Servers)

Apple device without DEP is like Twitter tweet with Elon's 🔬

@Vicki-Olesen

Many thanks @predragcvetkovski for your kind assistance; much appreciated. So can you confirm that you can update your Mac OS normally via General -> Software Update in system settings? No DEP notifications are sent to you after this without blocking hosts written in earlier threads and comments?

One last thing, what does the below command line show when you write it in the terminal?

sudo profiles show -type enrollment

@maclover696 I would highly appreciate it if you can advise as well.

Many thanks again to both of you.

@Vicki-Olesen

@predragcvetkovski @maclover696 Could you please advise? Many thanks

@eternalgod

eternalgod commented May 18, 2023

For Intel based MacBooks (Air and Pro), I was able to validate the method given by @predragcvetkovski and @maclover696.

Note, if you connect to internet during the restore process from an external SSD having clean ventura 13.3.1 installed along with a created super user, then it restores quickly without any errors and boots into internal mac also without any errors.

Output of DEP/MDM:

```
% sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: Client is not DEP enabled.
% sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
```

Again thanks @predragcvetkovski and @maclover696 for detailing the steps. This is the easiest and safest method to bypass MDM/DEP on Intel based MacBooks.

OTA updates work, I was able to install Ventura macOS Security Response 13.3.1 (a) at the time of this writing without any issues.

@eternalgod

eternalgod commented May 18, 2023

Update: Continued testing the external SSD having Ventura 13.3.1 with super user which was created by non-MDM/non-DEP Intel based MacBook on M1/Apple silicon based MacBook Pro (with MDM/DEP)

And it still works!

Restore option fails but manages to replicate the external SSD onto the internal SSD.
Fails to boot up using internal SSD and complains that the OS has to be reinstalled
Installed via bootable USB having Ventura OS (this was also created by non-MDM/non-DEP Intel Macbook)

Took a long time to repair and install.

Finally booted into user prompt which was created on external SSD.

Output of DEP/MDM:

```
% sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: Client is not DEP enabled.
% sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
```

Kudos to @predragcvetkovski and @maclover696 for the base method of restoring internal HD with external HD :)

@eternalgod

Update: Resetting the mac/erase all settings - brings back the DEP/MDM/Activation so please refrain from doing so.

@dutton241-9

dutton241-9 commented May 18, 2023

> **** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
>
> Need 3 things
>
> 1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). This machine must not have DEP/Business Manager enabled
> 2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
> 3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.
>
> Steps I did On the non-DEP M1/M2 Mac
>
> 1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
> 2. Once installed, go thru the account creation so you have an account
> 3. Boot from USB SSD drive just to make sure it is working.
>
> Now you have a bootable external disk.
>
> On the DEP enabled M1/M2 Mac
>
> 1. Boot to recovery mode
> 2. Disk Utility
> 3. Erase the internal physical disk
> 4. Click on internal disk and use the RESTORE option, FROM the external SSD
> 5. Let it run - will take a while.
>
> Now you just copied the clean Ventura to the internal drive.
>
> Once the restore is finished, remove the External SSD. Boot from the internal disk.
>
> You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
>
> Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
>
> Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. You will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
>
> Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
>
> Enjoy. Took me a while to figure this out after trying many things.
>
> I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
>
> You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
>
> Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

Is it possible to upload the image file for download at all? for others that don't have access to another M1 Mac? is that at all possible?

I am very new to all of this, updated to Ventura and then wiped Mac without reading anything, so having to learn pretty fast ... ha!

@eternalgod

@dutton241-9 : Image is over 12GB. It's better you ask someone in your networking circle to install macOS on an external SSD.

@Jbb08

Jbb08 commented May 19, 2023

Awesome @eternalgod
So I have an M2 MacBook Pro that has DEP removed. But it is still linked to MDM.

I was waiting for another M1/M2 MacBook before trying @maclover696 method.
Then I saw that you used a non MDM/DEP Intel Mac to create the Ventura SSD to use to restore from.

So I tried that.
Created the Ventura SSD, booted into recovery (held power button) used disk utility to wipe internal drive, however in doing so it asked me to Activate the Mac which needed an internet connection (not seen that on here) I did that.
It restarted but of course the internal drive was empty.
Went back into recovery and got back to disk utility to carry on with the restoring from SSD to the internal drive.
This took like 5 mins, it was super quick as my drive was 9gb installed.
It rebooted. Then the issue with authorisation of the User. So it rebooted back into recovery. This time added the USB Ventura Installer, and booted from that for installing Ventura over the top of the internal disk.
This took about 35 mins. However installed Ventura requires the internet, so again I turned Wi-Fi on (as it failed this first time because I had it off) once finished it then booted from the internal disk to my user prompt perfectly.

All seemed fine until terminal checks returned the following-

```
sudo profiles status -type enrollment
Enrolled via DEP: No
MDM enrollment: No
```

all good right?

but
`sudo profiles show -type enrollment`
Returns the MDM company details and Apple pushes a message asking if I want to enrol the MacBook to that MDM…

does this mean I am going to get those messages periodically now?
Why does status say NO to both, but show brings up the MDM?

have I done something wrong?

@eternalgod

eternalgod commented May 19, 2023

@Jbb08 : You did all the steps correctly. Can you please confirm if the external ventura SSD was created indeed from a non-mdm mac?

Is it possible for you to use the previous non-mdm mac and reboot from the external ventura ssd. Log into the admin account and run the same sudo profiles command to make sure you get "Error fetching Device Enrollment configuration: Client is not DEP enabled"?

I rechecked on the MDM enabled M1 Mac at my end and I am still getting the above correct message with sudo profiles show command. I also pinged iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com, gdmf.apple.com and I was able to ping all the servers with DNS correctly providing their IP addresses back. Rechecked again with the command with the same correct response.

I am not sure what went wrong at your end but I strongly suspect the external ventura SSD you created. Both bootable usb ventura installer and external ventura installed ssd should be done with non-mdm/non-dep Mac.

At no point I had turned off the internet when I was restoring. Could you please redo all the steps without turning off internet?

@Jbb08

Jbb08 commented May 19, 2023

Thanks @eternalgod
So I did discover my USB Ventura Installer was created on an Intel DEP/MDM MBP.
So I recreated it on the non DEP/MDM Intel MBP
At the same time also wiped the SSD and installed Ventura onto it from the Intel non DEP/MDM Intel MBP.

Started whole process again, all with internet fully on.
All went smoothly.
Profiles - status = DEP No , MDM No
Profiles - show = Full company MDM info.
I’m thinking that this computer must call home whenever I send the request for showing of enrolment detail, and again the Mac pushes me to allow it to install the MDM profile; of course I don’t.
My last attempt will be to create a Ventura USB installer and SSD installed build on my mate's personal M1 MBP which is guaranteed not to have had DEP or MDM on it. Otherwise I have no clue why it’s not working.

also when I tested the SSD Ventura on the non dep/MdM Intel MBP to make sure my admin profile worked, both status and show came back as you describe so that build is free of anything.
Restoring that build then overwriting the build with a fresh install seems to be where it’s going wrong OR
It’s phoning home in the ‘show’ call who knows.

any further thoughts?

@eternalgod

eternalgod commented May 21, 2023

@Jbb08 : I honestly don't know why your computer is homing when called for showing of enrollment details. Let us know how the external SSD from M1 non-MDM goes.

Another note: After using Intel based Mac's generated external SSD on a M1 Mac (which worked on my end), the external SSD boots no more and cannot be used to flash any other Macs (both Intel and Apple silicon). So I think it's best to create an Intel's external SSD AND Apple silicon's external SSD. Appropriately storing the contents in a separate HD (backup) for future references or copies. It takes a while to build these SSDs especially with custom software etc.

@Vicki-Olesen

@eternalgod I wonder if you think the external hard drive method is more reliable/convenient over the long term or the host blocking method? Thanks

@Jbb08

Jbb08 commented May 21, 2023

Thanks @eternalgod
So M1 non dep/mdm machine, created new Ventura USB, then used that usb to create a Ventura ssd with admin profile. Tested working.

completed all steps again with M1 produced ssd restore then usb installer over top.
Rebooted and admin profile appeared.

Status - No Dep and No MDM
Show - full company MDM details…

I have no clue why when it calls iprofiles.apple.com that it must use the serial number and phone the Apple database. I know it’s not DEP enabled but the MDM side is live and these steps don’t work for me I am afraid.
Not even @maclover696 method works for me on M2 MBP :(

@GeorgeDuke1971

Hello, this thread was very useful for turning off DEP notifications on a few of my intel macs running Monterey (or earlier), but I am not clear how to do this on an intel mac running Ventura. There are some comments in this thread with M1/M2 macs with Ventura so is the process the same with intel macs? I would prefer no erasing my system internal disk.
Using ikecanvas's post above worked well in Monterey but those instructions don't work for me in Ventura.

@eternalgod

@Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

@eternalgod

@Vicki-Olesen : I found the external SSD restore method to be far more efficient.

For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

@Vicki-Olesen

Many thanks @eternalgod for your kind assistance. I actually thought the opposite that if we did it via the SSD method, we have a greater risk of having it caught by any future update from Apple since hosts are not blocked. I will be doing it on my M2 Ventura Macbook Pro this week and will let you know if it worked.

@eternalgod

@GeorgeDuke1971 : It is the same procedure for Intel Macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

@Cobalt-Genie

Has anyone tested the process @predragcvetkovski detailed using a macOS Monterey Setup on an intel mac, or is this just for Ventura? Just curious to know if anyone has had any success with that.

Thanks to everyone here that's been providing info and feedback. I'm working on a MBP 2019 with t2 chip and using a MBP 2015 as my non-DEP/MDM device to create the installers.

@Jbb08

Jbb08 commented May 23, 2023

> @Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

Thanks @eternalgod
I’ve modified the host file to 0.0.0.0 profiles.apple.com
The status returns No for both DEP and MDM, and show returns an error reaching Apple servers I believe, however it’s not the ‘error fetching device enrolment’ one.

do you believe I should do anything else?

@Jbb08

Jbb08 commented May 23, 2023

> @Vicki-Olesen : I found the external SSD restore method to be far more efficient.
>
> For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

Also @eternalgod you mention a Mac coming default with Ventura can’t skip internet.
My MDM MacBook Pro is a brand new M2 Max 32gb unified memory 1TB and whilst it does not have DEP confirmed, it does have MDM and as previously mentioned despite all attempts I can’t get it to stop phoning home once I use the ‘show’ enrolment terminal check. So my only option is blocking using the host file. But as you say for how long will that work.

@eternalgod

eternalgod commented May 23, 2023

@Jbb08 : For now you are ok with blocking hosts. just make sure you block the following:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com

These should do for now. All the best with the device. There shouldn't be any notifications, afaik.
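
For administrators of managed fleets, static hosts-file mappings like the ones discussed in this comment are straightforward to detect. The audit script below is an added example, not part of the original comment or gist: the hostname list is the one given above, while the function name `find_sinkholed` and the sample hosts file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a hosts file for static mappings of the Apple
# enrollment/update hostnames listed in the thread. Such names have no
# legitimate reason to appear in /etc/hosts, so any mapping is reported.

WATCHED_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# find_sinkholed FILE (hypothetical helper name)
# Prints "hostname address" for each watched hostname mapped in FILE.
# Returns 0 when the file is clean, 1 when at least one mapping is found.
find_sinkholed() {
    hosts_file=$1
    found=$(awk -v watched="$WATCHED_HOSTS" '
        BEGIN {
            n = split(watched, w, " ")
            for (i = 1; i <= n; i++) want[w[i]] = 1
        }
        {
            sub(/#.*/, "")              # drop comments, including trailing ones
            if (NF < 2) next            # need an address and at least one name
            for (i = 2; i <= NF; i++) { # a line may carry several names
                h = tolower($i)
                sub(/\.$/, "", h)       # normalise a trailing root dot
                if (h in want) print h, $1
            }
        }' "$hosts_file" | sort -u)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample hosts file (not taken from any real machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0 iprofiles.apple.com
0.0.0.0 MDMenrollment.apple.com deviceenrollment.apple.com  # two names, mixed case
# 0.0.0.0 gdmf.apple.com   <- commented out, must not be reported
EOF

if find_sinkholed "$sample"; then
    echo "hosts file clean"
else
    echo "ALERT: enrollment hostnames are overridden locally"
fi
rm -f "$sample"
```

Run against `/etc/hosts` from a compliance or EDR job, a non-zero return is the signal to investigate; the commented-out line in the sample shows that inactive entries are not flagged.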

@GeorgeDuke1971

> @GeorgeDuke1971 : It is the same procedure for Intel Macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

Thanks I suppose I can do this but a lot more trouble than just entering some terminal commands like I did in Monterey.
If I do follow @predragcvetkovski post, erase the OS disk, reinstall macOS from external SSD, etc., can I restore from a Time Machine backup (for my intel Macmini8,1) or does that also restore DEP notifications?
In retrospect, it would have been easier to just stay with Monterey.

@eternalgod

eternalgod commented May 23, 2023

@GeorgeDuke1971 : There are two options with Ventura based Macs with DEP/MDM enabled.

One: Most of the Macs with Ventura on it don't provide a third option to not connect to internet during setup assistant. This can be easily bypassed by enabling root user using dscl command and creating a file .AppleSetupDone. Please refer to @joshworksit post for more details. Once you bypass the setup assistant, you can block the host file and be done with it. This is less time consuming and a quick hack (you don't even have to erase your internal disk)

Two: A cleaner option is to follow @maclover696 and @predragcvetkovski post. This is more time consuming and needs access to another mac without MDM/DEP enabled, an external SSD and an USB drive etc. So I would try the first option to simply get past.

My preference is the second one as the mac is DEP enabled so it won't fetch any configurations during profiles show -type enrollment command.

Restoring from Time Machine backup will bring back the DEP notifications.

@RourouDuzi688

@eternalgod Thank you man for figuring this out, I tried all kinds of methods and none of them seems to work until I stumbled across this post. you are definitely God haha. Follow your steps and it worked like a charm! Did it for the M1 and Intel base and both worked.

@eternalgod

@RourouDuzi688, glad you got it working on both Intel based and Apple silicon based Macs. Credit goes to @maclover696 @predragcvetkovski and @joshworksit

@eternalgod

@RourouDuzi688 : make sure you update here with any differences in method or results that you faced based on the version of macOS or Mac devices that you used. It's good to update this thread with changes, if any. Did you face any issues with Ventura 13.4?
