@GeorgeDuke1971

Hello, this thread was very useful for turning off DEP notifications on a few of my intel macs running Monterey (or earlier), but I am not clear how to do this on an intel mac running Ventura. There are some comments in this thread with M1/M2 macs with Ventura so is the process the same with intel macs? I would prefer not erasing my system internal disk.
Using ikecanvas's post above worked well in Monterey but those instructions don't work for me in Ventura.

@eternalgod

@Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

@eternalgod

@Vicki-Olesen : I found the external SSD restore method to be far more efficient.

For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

@Vicki-Olesen

Many thanks @eternalgod for your kind assistance. I actually thought the opposite that if we did it via the SSD method, we have a greater risk of having it caught by any future update from Apple since hosts are not blocked. I will be doing it on my M2 Ventura Macbook Pro this week and will let you know if it worked.

@eternalgod

@GeorgeDuke1971 : It is the same procedure for Intel macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

@Cobalt-Genie

Has anyone tested the process @predragcvetkovski detailed using a macOS Monterey Setup on an intel mac, or is this just for Ventura? Just curious to know if anyone has had any success with that.

Thanks to everyone here that's been providing info and feedback. I'm working on a MBP 2019 with t2 chip and using a MBP 2015 as my non-DEP/MDM device to create the installers.

@Jbb08

Jbb08 commented May 23, 2023

@Jbb08 I am sorry it didn't work for you. I guess, the best path going forward is to block the host servers for your case.

Thanks @eternalgod
I’ve modified the host file to 0.0.0.0 profiles.apple.com
The status returns No for both DEP and MDM, and show returns an error reaching Apple servers I believe, however it’s not the ‘error fetching device enrolment’ one.

do you believe I should do anything else?

@Jbb08

Jbb08 commented May 23, 2023

@Vicki-Olesen : I found the external SSD restore method to be far more efficient.

For example, for latest MacBook which come with Ventura, an MDM enabled device doesn't have an option to choose "no internet" during setup. This can, however, be bypassed by enabling root user and creating .AppleSetupDone file, and then blocking the host file. But I find this method a bit tedious. Not to mention, in future the host names can always change. Say for example, 13.5 Ventura OS may start polling from a different host server (just saying). So I still believe writing off a MacBook without any client enabled DEP is better than blocking hostnames in host file.

Also @eternalgod you mention a Mac coming default with Ventura can’t skip internet.
My MDM MacBook Pro is a brand new M2 Max 32gb unified memory 1TB and whilst it does not have DEP confirmed, it does have MDM and as previously mentioned despite all attempts I can’t get it to stop phoning home once I use the ‘show’ enrolment terminal check. So my only option is blocking using the host file. But as you say for how long will that work.

@eternalgod

eternalgod commented May 23, 2023

@Jbb08 : For now you are ok with blocking hosts. just make sure you block the following:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com

These should do for now. All the best with the device. There shouldn't be any notifications, afaik.

@GeorgeDuke1971

@GeorgeDuke1971 : It is the same procedure for Intel macs running on Ventura. Please follow @predragcvetkovski post where the steps are clearly outlined.

Thanks I suppose I can do this but a lot more trouble than just entering some terminal commands like I did in Monterey.
If I do follow @predragcvetkovski post, erase the OS disk, reinstall macOS from external SSD, etc., can I restore from a Time Machine backup (for my intel Macmini8,1) or does that also restore DEP notifications?
In retrospect, it would have been easier to just stay with Monterey.

@eternalgod

eternalgod commented May 23, 2023

@GeorgeDuke1971 : There are two options with Ventura based Macs with DEP/MDM enabled.

One: Most of the Macs with Ventura on it don't provide a third option to not connect to internet during setup assistant. This can be easily bypassed by enabling root user using dscl command and creating a file .AppleSetupDone. Please refer to @joshworksit post for more details. Once you bypass the setup assistant, you can block the host file and be done with it. This is less time consuming and a quick hack (you don't even have to erase your internal disk)

Two: A cleaner option is to follow @maclover696 and @predragcvetkovski post. This is more time consuming and needs access to another mac without MDM/DEP enabled, an external SSD and a USB drive etc. So I would try the first option to simply get past.

My preference is the second one as the mac is DEP enabled so it won't fetch any configurations during profiles show -type enrollment command.

Restoring from Time Machine backup will bring back the DEP notifications.

@RourouDuzi688

@eternalgod Thank you man for figuring this out, I tried all kinds of methods and none of them seemed to work until I stumbled across this post. you are definitely God haha. Followed your steps and it worked like a charm! Did it for the M1 and Intel-based and both worked.

@eternalgod

@RourouDuzi688, glad you got it working on both intel based and apple based silicon Macs. Credit goes to @maclover696 @predragcvetkovski and @joshworksit

@eternalgod

@RourouDuzi688 : make sure you update here with any differences in method or results that you faced based on the version of MacOS or Mac devices that you used. It's good to update this thread with changes, if any. Did you face any issues with Ventura 13.4?

@Jbb08

Jbb08 commented May 24, 2023

I agree with @eternalgod updating specific setup and success helps those like me who have had zero luck.
So far I can’t find another user with MDM only (not DEP) on an M2 which default comes with Ventura.
My USB installer was made of 13.3.1.
And whilst the process worked entirely, there were some key differences to the instructions others have so very kindly posted. Mainly:
When I go to wipe the internal drive I need the admin account to unlock it, but also when you erase the internal drive it forces you to connect to the internet to Activate the Mac. Then will automatically reboot to take effect.
This means that you cannot simply restore from the SSD straight away. You have to go back into recovery mode and then restore SSD.
Another one is internet is required for Ventura USB installer override of the ssd restored profile. In adding the internet here I wondered if it did something to call the MDM server who knows.
I wonder if I could block the installation process from calling any enrolment servers who knows..

but that’s been my experience so far. M2 16” with MDM only but no DEP won’t work using the above instructions so I’m left with host file blocking for now :-(

@jwedding

I'm in the same boat @Jbb08, no profiles - status, but the occasional prompt to join back up. I've blocked the hosts files, but something still seems to be phoning home.

@Vicki-Olesen

[screenshot: IMG_6248]

Hi @maclover696 @eternalgod @predragcvetkovski I am getting this error while trying to boot up from the Ventura SSD that I created from non-mdm M2 Macbook Pro.. Anyone have idea why this is happening? Many thanks

Unable to set startup disk: An error occurred while setting “Ventura” as the startup disk: The operation couldn’t be completed. (SDErrorDomain error 108.)

@eternalgod

eternalgod commented May 25, 2023 via email

@RourouDuzi688

@RourouDuzi688, glad you got it working on both intel based and apple based silicon Macs. Credit goes to @maclover696 @predragcvetkovski and @joshworksit

@maclover696 @predragcvetkovski @joshworksit Thank you thank you guys!

@RourouDuzi688

@RourouDuzi688 : make sure you update here with any differences in method or results that you faced based on the version of MacOS or Mac devices that you used. It's good to update this thread with changes, if any. Did you face any issues with Ventura 13.4?

So far no problem for me. I'm using 13.2 for my M1 restore and 13.4 for my Intel one.

@alucardness

Someone already updated to 13.3 or 13.4?
https://support.apple.com/en-us/HT213327

Because they've pumped up the security.

@Vicki-Olesen

@alucardness Yes no problem

@x00day

x00day commented Jun 6, 2023

**** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP with Ventura against an M2 MacBook Air

Need 3 things

  1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
  2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
  3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

Steps I did On the non-DEP M1/M2 Mac

  1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
  2. Once installed, go thru the account creation so you have an account
  3. Boot from USB SSD drive just to make sure it is working.

Now you have a bootable external disk.

On the DEP enabled M1/M2 Mac

  1. Boot to recovery mode
  2. Disk Utility
  3. Erase the internal physical disk
  4. Click on internal disk and use the RESTORE option, FROM the external SSD
  5. Let it run - will take a while.

Now you just copied the clean ventura to the internal drive.

Once the restore is finished. Remove the External SSD Boot from the internal disk

You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.

Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.

Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.

Why does this work? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good thing about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.

Enjoy. took me a while to figure this out after trying many things.

I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.

You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.

Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

@maclover696 Thanks a lot for this. It works flawlessly.

I personally tested your procedure using an old MacBook Air mid-2012 (Intel) running the latest version of Monterey 12.6.6 as my non-DEP Mac to bypass the DEP enrollment on a fully updated Mac M1 Pro running Ventura 13.4 and it works like a charm!

The process is pretty much the same except when you restore from the external SSD to the internal partition it works the first time with no error. Then when you reboot from the external Monterey bootable USB it automatically switches to Ventura to install (and upgrade) itself on the internal Monterey partition. When you reboot again on the internal partition it has the account from the non-DEP Mac running the latest version of Ventura instead of Monterey.

Obviously the enrolment status gives me:
Enrolled via DEP: No
MDM enrollment: No

Again, thank you very much!

@wanrain56

Hello everyone, Ventura needs an administrator password to execute csrutil disable after installing the system. Does anyone know what the password is? (no user created)

How's it going?

@sonomadep

sonomadep commented Jun 7, 2023

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2)
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade
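An added audit check for the other side of this thread, not from the gist or from any commenter: an administrator who manages a fleet through DEP can script a tamper check that looks for the two patterns discussed above, the enrollment hostnames eternalgod lists mapped to a sinkhole address in the hosts file, and the exact four-file state that sonomadep's Sonoma workaround leaves in the ConfigurationProfiles settings directory. The function names, the sample hosts file and the temporary marker directory are constructed for this example; on a real machine the arguments would be /etc/hosts and /var/db/ConfigurationProfiles/Settings, and a "yes" verdict is a heuristic to confirm against the organization's Apple Business Manager records, since a Mac that was never in DEP may legitimately have none of the marker files.

```shell
#!/bin/sh
# Added example (not from the gist thread): audit a Mac for the two tampering
# patterns discussed in the thread, sinkholed enrollment hostnames in the
# hosts file and hand-made enrollment marker files. Function names are
# hypothetical; the sample data below is constructed.

# Enrollment hostnames named in the thread. An administrator would extend this
# from Apple's published list of hosts required for device enrollment.
ENROLLMENT_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com profiles.apple.com"

# Print, one per line, every enrollment hostname that the given hosts file maps
# to any address (a legitimate hosts file has no reason to name them at all).
# $1 = path to a hosts-format file (on a real machine: /etc/hosts).
find_sinkholed_hosts() {
    for h in $ENROLLMENT_HOSTS; do
        # Drop comments, then compare each hostname field exactly; field 1 is
        # the address, so any later field naming the host counts as a hit.
        if awk -v host="$h" '
            { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == host) hit = 1 }
            END { exit hit ? 0 : 1 }' "$1"; then
            echo "$h"
        fi
    done
    return 0
}

# Report "yes" only when the marker directory shows exactly the four-file
# pattern the Sonoma workaround produces: the two "has record / record found"
# files removed and the two "profile installed / record not found" files
# created. Any other state, including no files at all, reports "no".
# $1 = marker directory (on a real machine: /var/db/ConfigurationProfiles/Settings).
enrollment_markers_tampered() {
    d="$1"
    if [ -e "$d/.cloudConfigProfileInstalled" ] &&
       [ -e "$d/.cloudConfigRecordNotFound" ] &&
       [ ! -e "$d/.cloudConfigHasActivationRecord" ] &&
       [ ! -e "$d/.cloudConfigRecordFound" ]; then
        echo yes
    else
        echo no
    fi
}

# Self-contained demonstration on constructed data; no real system paths.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1 localhost
# constructed sample: three thread hostnames sinkholed, two on a shared line
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com deviceenrollment.apple.com   # trailing comment
::1 localhost
EOF
mkdir -p "$demo_dir/Settings"
touch "$demo_dir/Settings/.cloudConfigProfileInstalled" "$demo_dir/Settings/.cloudConfigRecordNotFound"

echo "sinkholed enrollment hosts:"
find_sinkholed_hosts "$demo_dir/hosts"
echo "marker files match workaround pattern: $(enrollment_markers_tampered "$demo_dir/Settings")"
rm -rf "$demo_dir"
```

Run as-is it prints the three constructed sinkholed hostnames and "yes" for the constructed marker directory; pointed at /etc/hosts and the real Settings directory with root privileges it reports the live state of the machine.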

@Ran-Xing

Ran-Xing commented Jun 7, 2023

@sonomadep 👍

slack.com: join & talk bypass with clean

If you are a developer, please contact me, I will review and invite you to develop automation scripts

@sonomadep

@sonomadep 👍

slack.com: join & talk bypass with clean

If you are a developer, please contact me, I will review and invite you to develop automation scripts

a script is ... just not feasible

on ASi os version <12.x you need to enter 1tr and disable SIP. but if you know how to disable SIP you know how to edit hosts.
on ASi os version >13.x (first install) a script is not remotely usable due to forced internet connection.
on x86 opencore booting on top of boot rom that changes SN is more viable and cleaner.
for ASi macs (especially new machines that cannot downgrade) it is really just a matter of time until apple shuts down mdm bypassing. if they want they 100% have the ability to make it a complete activation lock.

@sonomadep

sonomadep commented Jun 7, 2023

14.0 Beta (23A5257q) MDM: It seems that the Apple partition must be uninstalled to deal with it. My client upgraded the system, and then the supervision window keeps popping up, which is a full-screen pop-up

/
/usr/libexec/mdmclient
/private/var/db/mds/messages/503/se_SecurityMessages
/private/var/db/timezone/tz/2023c.1.0/icutz/icutz44l.dat
/private/var/db/analyticsd/events.allowlist
/System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/ConfigurationProfilesUI.bundle/Contents/Resources/CloudConfiguration.loctable
/System/Library/CoreServices/SystemVersion.bundle/zh_CN.lproj/SystemVersion.strings
/System/Library/Frameworks/FileProvider.framework/OverrideBundles/FileProviderOverride.bundle/Contents/MacOS/FileProviderOverride
/System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/MCXToolsInterface.bundle/Contents/MacOS/MCXToolsInterface
/System/Library/Frameworks/Foundation.framework/Versions/C/Resources/FoundationErrors.loctable
/System/Library/Frameworks/FileProvider.framework/OverrideBundles/iCloudDriveFileProviderOverride.bundle/Contents/MacOS/iCloudDriveFileProviderOverride
/System/Library/Frameworks/FileProvider.framework/OverrideBundles/FinderSyncCollaborationFileProviderOverride.bundle/Contents/MacOS/FinderSyncCollaborationFileProviderOverride
/Library/Preferences/Logging/.plist-cache.0lOk77Y7
/usr/share/icu/icudt72l.dat
/private/var/folders/ss/vxcjt3_j5nl23pw2sw1_dy700000gq/0/com.apple.LaunchServices.dv/com.apple.LaunchServices-5012-v2.csstore
/dev/null
/dev/null
/dev/null

whoever your client is, they are using a bad solution on their OS. breaking the SSV is a bad idea to block MDM, especially on ASi. It should be avoided in any case. you are definitely doing this the wrong way, period.

there is no need to remove monitor programs such as jamf when you disabled the internet at first and blocked hosts all the way.

for the full screen pop up i have already shared the methods to block it above. please do not advertise it as a paid solution or you may as well discourage others from sharing their attempts to bypass mdm further in this thread. its just so bad for the community.

Please be a decent person: don't take what others have just published and make money from it, and don't sell your "clients" a broken dirty hack.

@Ran-Xing

Ran-Xing commented Jun 7, 2023

You are not me, I am not you, you have no right to criticize me
