@wanrain56

Hello everyone, Ventura needs an administrator password to execute csrutil disable after installing the system. Does anyone know what the password is? (no user created)

How's it going?

@sonomadep

sonomadep commented Jun 7, 2023

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter whether you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2)
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade
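
For administrators of managed fleets, the file changes listed in the comment above leave a recognizable on-disk state. The read-only check below is an added example, not part of the thread; the function names and verdict words are illustrative, and a match is only a lead for review, not proof of tampering.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of the enrollment
# marker files named in the comment above.
# Assumption: matching the post-workaround state is a lead for review,
# not proof of tampering.

SETTINGS_DIR="/var/db/ConfigurationProfiles/Settings"

# classify_markers [DIR] prints one verdict word:
#   unreadable | matches-workaround-state | mixed | no-match
classify_markers() {
    dir="${1:-$SETTINGS_DIR}"
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "unreadable"            # missing or unreadable; on a real Mac, run as root
        return 0
    fi

    removed_present=0                # files the steps delete that still exist
    for f in .cloudConfigHasActivationRecord .cloudConfigRecordFound; do
        if [ -e "$dir/$f" ]; then removed_present=$((removed_present + 1)); fi
    done

    touched_empty=0                  # files the steps create with touch (0 bytes)
    for f in .cloudConfigProfileInstalled .cloudConfigRecordNotFound; do
        if [ -f "$dir/$f" ] && [ ! -s "$dir/$f" ]; then
            touched_empty=$((touched_empty + 1))
        fi
    done

    if [ "$touched_empty" -eq 2 ] && [ "$removed_present" -eq 0 ]; then
        echo "matches-workaround-state"
    elif [ "$touched_empty" -eq 2 ]; then
        echo "mixed"                 # both empty markers, but a record file remains
    else
        echo "no-match"
    fi
}

# audit_host [DIR] prints the verdict and a listing to attach to a ticket.
audit_host() {
    target="${1:-$SETTINGS_DIR}"
    verdict=$(classify_markers "$target")
    echo "cloudConfig markers in $target: $verdict"
    if [ "$verdict" != "unreadable" ]; then ls -la "$target"; fi
}

audit_host "$@"
```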

@Ran-Xing

Ran-Xing commented Jun 7, 2023

@sonomadep 👍

slack.com: join & talk bypass with clean

If you are a developer, please contact me, I will review and invite you to develop automation scripts

@sonomadep

> @sonomadep 👍
>
> slack.com: join & talk bypass with clean
>
> If you are a developer, please contact me, I will review and invite you to develop automation scripts

a script is ... just not feasible

on ASi os version <12.x you need to enter 1tr and disable SIP. but if you know how to disable SIP you know how to edit hosts.
on ASi os version >13.x (first install) a script is not remotely usable due to forced internet connection.
on x86 opencore booting on top of boot rom that changes SN is more viable and cleaner.
for ASi macs (especially new machines that cannot downgrade) it is really just a matter of time until apple shuts down mdm bypassing. if they want they 100% have the ability to make it a complete activation lock.

@sonomadep

sonomadep commented Jun 7, 2023

> 14.0 Beta(23A5257q) MDM It seems that the Apple partition must be uninstalled to deal with it. My client upgraded the system, and then the supervision window keeps popping up, which is a full-screen pop-up
>
> /
> /usr/libexec/mdmclient
> /private/var/db/mds/messages/503/se_SecurityMessages
> /private/var/db/timezone/tz/2023c.1.0/icutz/icutz44l.dat
> /private/var/db/analyticsd/events.allowlist
> /System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/ConfigurationProfilesUI.bundle/Contents/Resources/CloudConfiguration.loctable
> /System/Library/CoreServices/SystemVersion.bundle/zh_CN.lproj/SystemVersion.strings
> /System/Library/Frameworks/FileProvider.framework/OverrideBundles/FileProviderOverride.bundle/Contents/MacOS/FileProviderOverride
> /System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/MCXToolsInterface.bundle/Contents/MacOS/MCXToolsInterface
> /System/Library/Frameworks/Foundation.framework/Versions/C/Resources/FoundationErrors.loctable
> /System/Library/Frameworks/FileProvider.framework/OverrideBundles/iCloudDriveFileProviderOverride.bundle/Contents/MacOS/iCloudDriveFileProviderOverride
> /System/Library/Frameworks/FileProvider.framework/OverrideBundles/FinderSyncCollaborationFileProviderOverride.bundle/Contents/MacOS/FinderSyncCollaborationFileProviderOverride
> /Library/Preferences/Logging/.plist-cache.0lOk77Y7
> /usr/share/icu/icudt72l.dat
> /private/var/folders/ss/vxcjt3_j5nl23pw2sw1_dy700000gq/0/com.apple.LaunchServices.dv/com.apple.LaunchServices-5012-v2.csstore
> /dev/null
> /dev/null
> /dev/null

whoever your client is, they are using a bad solution on their OS. breaking the SSV is a bad idea to block MDM, especially on ASi. It should be avoided in any case. you are definitely doing this the wrong way, period.

there is no need to remove monitor programs such as jamf when you disabled the internet at first and blocked hosts all the way.

for the full screen pop up i have already shared the methods to block it above. please do not advertise it as a paid solution or you may as well discourage others from sharing their attempts to bypass mdm further in this thread. its just so bad for the community.

Please, be a decent person: don't take what others have only just posted and make money off it, and don't sell your "client" a broken dirty hack.

@Ran-Xing

Ran-Xing commented Jun 7, 2023

You are not me, I am not you, you have no right to criticize me

@AlanJ500

AlanJ500 commented Jun 7, 2023

> Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)
>
> Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter whether you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.
>
> The Workaround
>
> (1) Disable SIP in 1 True Recovery
>
> (2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
>
> sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
>
> sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
>
> sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
>
> (3) you're all set. enjoy this boring upgrade

Would you advise re-enabling SIP after this? Would it undo the changes?

@sonomadep

> > Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)
> >
> > Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter whether you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.
> >
> > The Workaround
> >
> > (1) Disable SIP in 1 True Recovery
> > (2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
> > sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
> > sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
> > sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound
> > (3) you're all set. enjoy this boring upgrade
>
> Would you advise re-enabling SIP after this? Would it undo the changes?

You're safe to reenable SIP.

@ar1388

ar1388 commented Jun 8, 2023

i'm having trouble with these 2 steps

> Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
> An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.

i can't get it to work. it keeps saying something about needing to update

@alucardness

I'm starting to think that after 14, the 15th will force us to use profiles and that would be the end.

@MiG937

MiG937 commented Jun 8, 2023

@sonomadep Does this method work with M1Pro 14 on Sonoma (14 beta)? Through profiles, status -type enrollment shows that "no". Disable SIP in recovery and already on a running system (not in recovery) delete and add the lines specified in your instructions and then enable SIP, right? Do I need internet for this? After that, the hosts do not need to be blocked?

@ar1388

ar1388 commented Jun 9, 2023

i deleted the internal drive and now it wants to activate mac but fails to activate device. I have a dud now that i can do anything with. How do i fix this? M2 Mac Pro

@ar1388

ar1388 commented Jun 9, 2023

i finally got it to work. I seem to encounter problems every step of the way. It's weird.

@khan-belal

I have a 16" Intel MBP that I installed 12.0.1 using the original host file blocking method. I recently realized that I wasn't getting any updates and the only way to update is to download the OS from the app store.

I was wondering, what would be the best method for me to update my system?

@gabbyluvster

@sonomadep do you know if we would have to re-run the profiles every time we do an update? Thanks in advance.

@RobertYim

> I have a 16" Intel MBP that I installed 12.0.1 using the original host file blocking method. I recently realized that I wasn't getting any updates and the only way to update is to download the OS from the app store.
>
> I was wondering, what would be the best method for me to update my system?

Don't block this domain: gdmf.apple.com . OTA updates need it.

@trendespresso

trendespresso commented Jun 10, 2023

> **** WORKING!!! ******. HI EVERYONE! I have a simplified way I figured out today to bypass DEP today with Ventura against a M2 Macbook Air
>
> Need 3 things
>
> 1. A separate M1/M2 Mac (could be anything, macbook, studio, etc). this machine must not have DEP/Business Manager enabled
>
> 2. Create a USB Boot installer flash drive with Ventura - you can google the instructions on how to create a boot usb drive.
>
> 3. An external SSD that you can install a fresh OS on. I just use a SanDisk Extreme USB 3.1 256GB drive.
>
> Steps I did On the non-DEP M1/M2 Mac
>
> 1. USB BOOT installer and install Ventura on the External SSD --- using the non-DEP Mac
>
> 2. Once installed, go thru the account creation so you have an account
>
> 3. Boot from USB SSD drive just to make sure it is working.
>
> Now you have a bootable external disk.
>
> On the DEP enabled M1/M2 Mac
>
> 1. Boot to recovery mode
>
> 2. Disk Utility
>
> 3. Erase the internal physical disk
>
> 4. Click on internal disk and use the RESTORE option, FROM the external SSD
>
> 5. Let it run - will take a while.
>
> Now you just copied the clean ventura to the internal drive.
>
> Once the restore is finished. Remove the External SSD Boot from the internal disk
>
> You WILL get an error that it cannot find the OS or some other stupid errors like no owner, or some other silly error... don't worry.
>
> Now you boot again using the USB BOOT Ventura disk. REINSTALL Ventura again on the internal disk - DO NOT DO ANY DISK FORMATTING this time.
>
> Once USB Installer is done, reboot - you will get to the login prompt of the user you created on the initial fresh install. you will have a working Ventura M1/M2 that just bypassed DEP/Business Manager.
>
> Why this works? Because you first lay down the image on internal disk but due to some apple security, it will never boot unless you "fresh install" it. But the good things about fresh installs, Apple doesn't really wipe the system, it just lays whatever that is necessary for the OS. This means it will fix the ownership of the disks, do whatever it does but won't overwrite local accounts etc. so you will not get prompted for DEP enrollment. I don't know the actual internal details but I just know this works.
>
> Enjoy. took me a while to figure this out after trying many things.
>
> I do not need to do any /etc/hosts hacks, csrutil, etc. nothing. It's pretty simple to do but it does require a double install but it's easier than editing files.
>
> You could in theory transfer a fully working Mac to another Mac now but I don't need to do that so I did the clean Ventura Install.
>
> Now I can use this method to clean/wipe any DEP enabled machine and have myself a "pre-built" machine with certain things like chrome etc already installed. I can just boot from the external SSD periodically to get new updates of OS and software and continue to use it on any new Macs I wipe.

I hit this error and couldn't find a way around when attempting to use the external SSD as a Startup Disk:

SDErrorDomain error 108: Unable to boot from external SSD

Even if I didn't have the previous error, I hit another one when restoring my internal SSD from the external SSD preinstall (tried with internet and without):

Failed. Couldn't personalise volume at /Volumes/Macintosh HD (OSStatus error 51)

Then if I proceed even after the above two errors, I find that 95% of the used storage was copied to the internal disk but after attempting to install macOS on the internal disk, I get this error about halfway through:

Failed. Couldn't personalise the startup partition at /Volumes/Macintosh HD

Tried both macOS 12.6 and macOS 13.4. Both have identical outcomes. External SSD install performed via non-DEP M1 MacBook Air.

TL;DR: Seems your method simply doesn't work since there's too many blessing or sealing mechanisms macOS performs.

@watusshi

Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?

@trendespresso

> Hi @maclover696 @eternalgod @predragcvetkovski I am getting this error while trying to boot up from the Ventura SSD that I created from non-mdm M2 Macbook Pro.. Anyone have idea why this is happening? Many thanks
>
> Unable to set startup disk: An error occurred while setting “Ventura” as the startup disk: The operation couldn’t be completed. (SDErrorDomain error 108.)

Same issue here. Did you find a solution?

@trendespresso

trendespresso commented Jun 10, 2023

> Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?

Let me know if you try this! I'm very much thinking of doing the same. Verified the computer didn't have iCloud lock or Activation Lock. No Profiles either. However once I performed a full erase I was alerted to MDM and required to provide an email address connected to some random company. Apple really needs to make it explicitly easy to tell if a computer is stolen, MDM-locked, iCloud-locked, or otherwise Activation Locked.

I really wish they'd just have an About This Mac --> Check activation status --> "All good" or "Not good, MDM-locked" etc. Total bull$#!%

@kblackwall

@x00day could you tell me please.....was it possible to disable sip? thank u!

@watusshi

> > Just wondering, if I use this method on a Ventura mac, would I be able to trade my mac in at Apple Store?
>
> Let me know if you try this! I'm very much thinking of doing the same. Verified the computer didn't have iCloud lock or Activation Lock. No Profiles either. However once I performed a full erase I was alerted to MDM and required to provide an email address connected to some random company. Apple really needs to make it explicitly easy to tell if a computer is stolen, MDM-locked, iCloud-locked, or otherwise Activation Locked.
>
> I really wish they'd just have an About This Mac --> Check activation status --> "All good" or "Not good, MDM-locked" etc. Total bull$#!%

The thing is, I did the whole process when formatted the drive but I know that as long as we don't connect to wifi while setting up, it would be ok, but I'm not sure if they gonna check that in the apple store, since I will be wiping the drive and do a fresh install of ventura anyways

@tully-8888

Hello, just upgraded to 14 Beta and I get the annoying MDM even if my personal mac is not related to MDM, what is this all about? Thanks

@Acelogic

Acelogic commented Jun 14, 2023

@badbanii Good now I know i'm not the only one, solution is above scroll up

@tully-8888

@Acelogic Hello, yeah, it's fixed but I panicked a little. It's fine if others have the same problem, there was no way my Mac was MDM locked.

@AlanJ500

@sonomadep Have you gotten macOS 14 beta 2 to install through Software update at all? It appears after applying the fix, my Mac says it's up to date and not seeing the new build. However in terminal it is showing the new 14.0 beta. Any ideas on how to get it to force the update without a restore?

@boolias

boolias commented Jun 22, 2023

If you have gdmf.apple.com blocked, you won't be able to get updates. Comment out gdmf.apple.com in /etc/hosts and check updates again. From https://support.apple.com/en-us/HT210060 gdmf.apple.com is the software update catalog and I found that there is no need to block it for this fix to work

@joshworksit

joshworksit commented Jun 22, 2023 via email

@khan-belal

Thanks, that got the update to show up. Can I proceed with updating as normal, or is there something else I have to do? Currently it's showing me that 13.4.1 is available as an update.
