
@ibressler
Last active December 4, 2023 14:27
MDM Profiles on macOS

Notes: from Zeno Popovici, with edits; tested on an M1 MacBook running Ventura (macOS 13).

In macOS you can check the MDM status with the following command in a Terminal:

profiles status -type enrollment

Non-removable MDM profiles cannot officially be removed without a full system wipe (and even then they are restored remotely by Apple, possibly also during OS upgrades). This becomes a problem when you restore a system from Time Machine after it was enrolled in the MDM: the MDM enrollment breaks, and you are left unable to re-enroll the machine.

Here's how to remove a non-removable MDM profile (keep the Mac offline until noted otherwise):

  1. Boot the Mac into Recovery Mode (hold down command+R during startup).
  2. Go to the Utilities menu and open Terminal and type: csrutil disable. This will disable SIP (System Integrity Protection).
  3. Reboot into the OS.
  4. Open Terminal and run the following (the directory is owned by root, so every step needs sudo):
    cd /var/db/ConfigurationProfiles
    sudo rm -rf *
    sudo mkdir Settings
    sudo touch Settings/.profilesAreInstalled
    sudo touch Settings/.cloudConfigProfileInstalled  # for Sonoma (macOS 14)
    sudo touch Settings/.cloudConfigRecordNotFound    # for Sonoma (macOS 14)
    
    (The last two lines are recommended in https://gist.github.com/sghiassy/a3927405cf4ffe81242f4ecb01c382ac?permalink_comment_id=4591775#gistcomment-4591775)
  5. Reboot.
  6. Boot the Mac into Recovery Mode again (hold down command + R during startup).
  7. Go to the Utilities menu, open a Terminal and type: csrutil enable. This will re-enable SIP.
    • This step might not work while offline: it then complains that internet access is required. This may indicate that it looks up the enrollment status on Apple's servers. Before going online again, it's wise to block those servers (source): adjust the system /etc/hosts (of the regular OS) and the one used by Recovery Mode. Search for it (while still in Recovery Mode):
      find / -name hosts
      
    • Apply the following to every etc/hosts file found (some are in subdirectories):
      echo 0.0.0.0 iprofiles.apple.com | sudo tee -a <hosts-filepath>
      echo 0.0.0.0 mdmenrollment.apple.com | sudo tee -a <hosts-filepath>
      echo 0.0.0.0 deviceenrollment.apple.com | sudo tee -a <hosts-filepath>
      echo 0.0.0.0 gdmf.apple.com | sudo tee -a <hosts-filepath>
      
      OR all-in-one command:
      for dn in iprofiles.apple.com \
                mdmenrollment.apple.com \
                deviceenrollment.apple.com \
                gdmf.apple.com; do
          echo 0.0.0.0 $dn;
      done | sudo tee -a <hosts-filepath>
      
      This disables name resolution for those hostnames. Blocking them on the Internet router works as well, but only as long as the Mac stays on that network (e.g. not while travelling).
    • Boot to Recovery Mode again and run csrutil enable
  8. Reboot into the OS, and you're done. Check with:
    profiles status -type enrollment

The profile is now removed and you can re-enroll the Mac in your MDM.
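A defender-side counterpart, added here and not part of the gist: a POSIX shell audit that reports hosts-file entries pinning the four Apple enrollment hosts listed above to a non-routable address, which is exactly the change the steps above make and what a fleet administrator would want to detect. The hosts-file contents below are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added audit example (not from the gist): detect /etc/hosts entries that pin
# Apple's enrollment hosts to 0.0.0.0, 127.x.x.x or ::1.

# Apple hosts named in the gist that an MDM-suppressing hosts file pins.
MDM_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# Constructed sample: a hosts file edited the way the gist describes.
TAMPERED_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 iprofiles.apple.com   # added by hand
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com'

# Constructed sample: the stock macOS hosts file, untouched.
CLEAN_HOSTS='127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost'

# Read hosts-file content on stdin; print each enrollment host that is mapped
# to a non-routable address, one per line, sorted, with comments ignored.
find_pinned_mdm_hosts() {
    sed 's/#.*//' | awk -v hosts="$MDM_HOSTS" '
        BEGIN { n = split(hosts, want, " "); for (i = 1; i <= n; i++) target[want[i]] = 1 }
        NF >= 2 && ($1 == "0.0.0.0" || $1 ~ /^127\./ || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i in target) print $i
        }' | sort -u
}

# Return 0 (tampered) when the given content pins any enrollment host, else 1.
hosts_content_blocks_mdm() {
    [ -n "$(printf '%s\n' "$1" | find_pinned_mdm_hosts)" ]
}

# Audit a real file (e.g. /etc/hosts, or a Recovery volume copy located with
# `find / -name hosts`): prints the pinned hosts, returns 0 if any were found.
audit_hosts_file() {
    find_pinned_mdm_hosts < "$1" | grep .
}

# Demo on the constructed sample: prints the four pinned hosts.
printf '%s\n' "$TAMPERED_HOSTS" | find_pinned_mdm_hosts
```

Run `audit_hosts_file /etc/hosts` on each hosts file the `find` step turns up; a non-zero exit means nothing is pinned.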
