
Disable Device Enrollment Notification on Mac.md

Restart the Mac in Recovery Mode by holding Command-R during restart

Open Terminal in the recovery screen and type

csrutil disable

Restart computer

Edit com.apple.ManagedClient.enroll.plist

In the terminal, type

sudo open /Applications/TextEdit.app /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist

change

<key>com.apple.ManagedClient.enroll</key>
        <true/>

to

<key>com.apple.ManagedClient.enroll</key>
        <false/>

Restart Computer again

So that the changes take effect

@DarkMoron

Factually incorrect. I'm on Sonoma and have been since October, got the mdm popup a few days after updating and was getting the full screen notification popup that was locking me out of my computer only a few minutes after rebooting.

Came here and did research and read all of the comments and it's been working flawlessly since. No notifications whatsoever, currently on 14.1.1

Screenshot 2023-12-27 at 3 36 30 PM

can you please to the specific comment solution which worked for you? Was it any of the MDM bypass scripts that worked for you?

@philipp-winterle

For all those people telling wrong facts:

I updated to 14.2.1 for about 1h and got the MDM Registration menu point in settings and I realized it reset my "hack". So reboot > csrutil disable > reboot > deleting the configs folder > creating Settings and the 2 files in it > reboot > csrutil enable > no MDM anymore

.. I mean until next big update. So @Signore74 stop talking bullshit.

@Mktulio

Mktulio commented Jan 12, 2024

> For all those people telling wrong facts:
>
> I updated to 14.2.1 for about 1h and got the MDM Registration menu point in settings and I realized it reset my "hack". So reboot > csrutil disable > reboot > deleting the configs folder > creating Settings and the 2 files in it > reboot > csrutil enable > no MDM anymore
>
> .. I mean until next big update. So @Signore74 stop talking bullshit.

Great @philipp-winterle, I'll do it tonight and come back here with my result.

@varsh8th

For all those people telling wrong facts:

I updated to 14.2.1 for about 1h and got the MDM Registration menu point in settings and I realized it reset my "hack". So reboot > csrutil disable > reboot > deleting the configs folder > creating Settings and the 2 files in it > reboot > csrutil enable > no MDM anymore

.. I mean until next big update. So @Signore74 stop talking bullshit.

Yeah I'm on 14.1.1 and there's no issues on sonoma since a month at least, don't get all the fear mongering on updates.

Also @philipp-winterle, just to confirm: when you update to 14.2.1, there's no data loss? Just do mdm bypass steps and all your data is intact?

I updated to sonoma by fresh install w skipmdm method, so wanted to check how the process was without fresh install. I don't plan on updating anytime soon but wanted to know in case of any future updates, that without fresh install if the skip mdm still works :)

@superkwn

Does the script from skipMDM still work? I got error message saying "could not find disk for disk1". It seems that the script could not find the disk.

@superkwn

@HAndresM, have you found a solution with skipMDM? I have the same issue as yours.

@ParkerPerry

@HAndresM, have you found a solution with skipMDM? I have the same issue as yours.

@superkwn This problem has been documented and explained above. I get it the thread is long but it's because your disc drive isn't named "Macintosh HD" I believe.

Someone explained that the skipMDM code is written kinda shitty and doesn't work dynamically as it should and fails if your hard disk isn't the default name. Someone commented on how they changed the skipmdm code to fix this oversight

@superkwn

@HAndresM, have you found a solution with skipMDM? I have the same issue as yours.

@superkwn This problem has been documented and explained above. I get it the thread is long but it's because your disc drive isn't named "Macintosh HD" I believe.

Someone explained that the skipMDM code is written kinda shitty and doesn't work dynamically as it should and fails if your hard disk isn't the default name. Someone commented on how they changed the skipmdm code to fix this oversight

@ParkerPerry, I need to look into it. But I did the restore using Apple Configurator. I thought the disc drive should be named as "Macintosh HD" in the restore process.

@ParkerPerry

I am now getting this error while running the script IMG_2891 I have also run the csrdisable command Anyone seen this?

The script is buggy. It does not recognize the volume where your Mac OS has been installed. It assumes you have a default installation with volumes mounted with their default names, such as "Volumes/Macintosh HD". I have seen installations where the "Macintosh HD" is NOT the name of the volume. Thus, this script would fail miserably. The author would tell you to wipe all your data and reinstall the OS instead of making the script smarter... bad bad.

Here is a command that will tell you the name of your boot volume:

diskutil info -plist "$(bless --getBoot)" |
  plutil -extract VolumeName raw -- -

If this command returns anything other than "Macintosh HD" then the script is likely going to throw errors.

PM me if you need help getting this MDM check disabled.

@donkelonio Was the one who made the post I remembered seeing. Hope it helps

@superkwn

Here is what happened after running script from skipMDM
IMG_8409

@ParkerPerry

Here is what happened after running script from skipMDM IMG_8409

What exactly is not working? It seems like it worked imo

@superkwn

Here is what happened after running script from skipMDM IMG_8409

What exactly is not working? It seems like it worked imo

The script did not find the correct directory. After reboot, the system is still at the setup page.

@philipp-winterle

Also @philipp-winterle, just to confirm: when you update to 14.2.1, there's no data loss? Just do mdm bypass steps and all your data is intact?

Can confirm. Your user folders ain't touched

@rcarlosnyc

> > For all those people telling wrong facts:
> >
> > I updated to 14.2.1 for about 1h and got the MDM Registration menu point in settings and I realized it reset my "hack". So reboot > csrutil disable > reboot > deleting the configs folder > creating Settings and the 2 files in it > reboot > csrutil enable > no MDM anymore
> >
> > .. I mean until next big update. So @Signore74 stop talking bullshit.
>
> Great @philipp-winterle, I'll do it tonight and come back here with my result.

All good?

Is your Mac working? Were you able to skip the MDM page after updating to Sonoma?

@Mktulio

Mktulio commented Jan 23, 2024

> > > For all those people telling wrong facts:
> > >
> > > I updated to 14.2.1 for about 1h and got the MDM Registration menu point in settings and I realized it reset my "hack". So reboot > csrutil disable > reboot > deleting the configs folder > creating Settings and the 2 files in it > reboot > csrutil enable > no MDM anymore
> > >
> > > .. I mean until next big update. So @Signore74 stop talking bullshit.
> >
> > Great @philipp-winterle, I'll do it tonight and come back here with my result.
>
> All good?
>
> Is your Mac working? Were you able to skip the MDM page after updating to Sonoma?

Yes! Mine has been running for two weeks, I haven't seen the MDM again. Sonoma 14.2.1

@Mktulio

Mktulio commented Jan 25, 2024

Good morning!

Has anyone updated to this one?

image

@ehsan58

ehsan58 commented Jan 25, 2024

Good morning!

Has anyone updated to this one?

image

my question too. i am waiting to confirm by others if they did direct upgrade

@zorkal1992

I am now getting this error while running the script
IMG_2891
I have also run the csrdisable command
Anyone seen this?

I’m getting the same errors appearing and I haven’t clicked on enrol when the pop up appears, is this why?

IMG_2891 Getting these errors when I run the above skipmdm.com script... Anyone seen this one? And I have also done the csrdisable command.

Got this same output.
@sonomadep @dawonderboy do we have to click enrol before trying this work around?

Just messaged the guy who made the mdmskip.com, on telegram he said restore your Mac and then try again. I was getting the same error so I’m currently restoring then I’ll run it again.

I have restored it and ran the skipmdm.com code and it worked.

Very easy rename (Data to Macintosh HD - Data )from disk utility

@EthanWarrick

EthanWarrick commented Feb 1, 2024

Hello!

I was struggling with this Remote Management issue.

I own a 2019 Macbook Pro with an Intel CPU that I purchased used from my old college. I upgraded the OS from Ventura to Sonoma 14.3 and received an unavoidable/non-closable popup prompting me to enroll in Remote Management.

I fixed my issues using this thread and wanted to provide the steps that worked. Mainly, I want to provide an alternative to running the script(s) floating around. I was uncomfortable running any script as root in recovery mode. I was uncomfortable both due to security concerns and as I had valuable data on my hard drive that I didn't want to mess up. Also, I haven't read the entire thread so other things might have been addressed above that I am not addressing here.

Here are the steps that worked for me:

  1. Restart/Power computer holding cmd+r to enter recovery mode.
  2. Open the terminal.
  3. Run the following commands
launchctl disable system/com.apple.ManagedClient.enroll

rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

For me removing the above files under /var/db/ did not work because they were not present. I included the commands because some people seemed to have luck with them. I still added (touched) the two files under /var/db just to be thorough.

  4. Type reboot to restart your computer and let it boot normally.
  5. Login and hopefully the popup doesn't appear.
  6. Edit the /etc/hosts file using your favorite editor: sudo vim /etc/hosts
  7. Add the following to the file:
    This hopefully stops your computer from accessing these domains on the internet - where the mdm information is stored on Apple's servers.
#block mdm connect
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

It is also worth mentioning that I had my internet turned off for the duration of this process. Even if you can get your WiFi turned off before the popup blocks you, that isn't good enough. It is still possible for your Macbook to auto connect to a known WiFi network at boot - even if you have turned that network off. I've heard people say that it can still connect even if you've forgotten the network as well. To be thorough I blacklisted my macbook from accessing the internet from my router's configuration. If your router doesn't have that functionality or you don't want to figure out how to do that, just unplugging your router for the duration of the process would work as well. Again, I'm not sure if completely staying off the internet was necessary but I did it to be safe.

Thank you to all above that contributed, you really saved my butt!

@rcarlosnyc

Good morning!

Has anyone updated to this one?

image

Yes, I have. I was able to update without problems.

@HOTEMOTICON

HOTEMOTICON commented Feb 10, 2024

Hello!

I was struggling with this Remote Management issue.

I own a 2019 Macbook Pro with an Intel CPU that I purchased used from my old college. I upgraded the OS from Ventura to Sonoma 14.3 and received an unavoidable/non-closable popup prompting me to enroll in Remote Management.

I fixed my issues using this thread and wanted to provide the steps that worked. Mainly, I want to provide an alternative to running the script(s) floating around. I was uncomfortable running any script as root in recovery mode. I was uncomfortable both due to security concerns and as I had valuable data on my hard drive that I didn't want to mess up. Also, I haven't read the entire thread so other things might have been addressed above that I am not addressing here.

Here are the steps that worked for me:

  1. Restart/Power computer holding cmd+r to enter recovery mode.
  2. Open the terminal.
  3. Run the following commands
launchctl disable system/com.apple.ManagedClient.enroll

rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

For me removing the above files under /var/db/ did not work because they were not present. I included the commands because some people seemed to have luck with them. I still added (touched) the two files under /var/db just to be thorough.

  4. Type reboot to restart your computer and let it boot normally.
  5. Login and hopefully the popup doesn't appear.
  6. Edit the /etc/hosts file using your favorite editor: sudo vim /etc/hosts
  7. Add the following to the file:
    This hopefully stops your computer from accessing these domains on the internet - where the mdm information is stored on Apple's servers.
#block mdm connect
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

It is also worth mentioning that I had my internet turned off for the duration of this process. Even if you can get your WiFi turned off before the popup blocks you, that isn't good enough. It is still possible for your Macbook to auto connect to a known WiFi network at boot - even if you have turned that network off. I've heard people say that it can still connect even if you've forgotten the network as well. To be thorough I blacklisted my macbook from accessing the internet from my router's configuration. If your router doesn't have that functionality or you don't want to figure out how to do that, just unplugging your router for the duration of the process would work as well. Again, I'm not sure if completely staying off the internet was necessary but I did it to be safe.

Thank you to all above that contributed, you really saved my butt!

Using this workaround it is safe to upgrade directly to 14.3.1 from 14.2.1?

@amylee-codes

amylee-codes commented Feb 18, 2024

Hope this comment is now visible - it got hidden due to a problem with my account.

(Cross post to https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4912658#gistcomment-4912658).

I managed getting rid of spyware and worse w/ Sonoma (14.3.1). So any statement that's not possible at all is wrong.

System Info (redacted, personal information filtered)

>sudo sysinfo
Software:

    System Software Overview:

      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: <>
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: <>

Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: Mac15,9
      Model Number: <>
      Chip: Apple M3 Max
      Total Number of Cores: 16 (12 performance and 4 efficiency)
      Memory: 128 GB
      System Firmware Version: 10151.81.1
      OS Loader Version: 10151.81.1
      Serial Number (system): <>
      Hardware UUID: <>
      Provisioning UDID: <>
      Activation Lock Status: Disabled
>sudo profiles list
There are no configuration profiles installed in the system domain

>sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled.  Try again later.

Approach: Clean Wipe, Router Filter, skipmdm.com Script

This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).

Prerequisites

Block Apple URLs

Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and here the ("Blocked websites" filter) to block these URLs:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

Make sure the blocker works (i.e. ping from another device)!

Clean Install

In recovery mode, wipe the hard disk and start a clean install with the bootable installer.

Activate the system

Connect to the internet once to activate the system (I could not proceed without). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.

Run the Script

In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users set up so far)!

Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead going w/ Apple:1234 - saves some time). The script should run without any errors (despite the long previous discussions).

Postwork

Block URLs in /etc/hosts

Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

Disable agents

>sudo launchctl disable system/com.apple.ManagedClientAgent.enrollagent
>sudo launchctl disable system/com.apple.mdmclient.daemon
>sudo launchctl disable system/com.apple.devicemanagementclient.teslad
# You might check other services and disable them - know what you do!
>sudo launchctl print system | sort | grep enabled

Little Snitch

Finally a firewall comes in handy to possibly add even more security: I blocked

/usr/libexec/teslad
/usr/libexec/mdmclient

(for both user + system).

This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. B.t.w. - in many countries these practices are unlawful, so I see following this approach justified as a way of self-defense.
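The on-disk state that the two write-ups above leave behind (hosts entries for the Apple enrollment hosts, the `.cloudConfig*` marker set, disabled launchd labels) can be checked read-only by whoever administers or receives such a Mac. The script below is an added example, not code from the gist or from any commenter; the function names, the `KIND detail` output format, and the use of a saved `launchctl print-disabled system` dump with `"label" => disabled` lines are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only audit of a macOS root ("/" or a mounted image) for
# the enrollment-blocking state described in this thread.

# Hostnames and launchd labels exactly as they appear in the comments above.
MDM_DOMAINS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com acmdm.apple.com albert.apple.com"
MDM_LABELS="com.apple.ManagedClient.enroll com.apple.ManagedClientAgent.enrollagent com.apple.mdmclient.daemon com.apple.devicemanagementclient.teslad"

# Print "HOSTS <name> <address>" for each enrollment host that the hosts file
# pins to a null or loopback address. Commented-out entries are ignored.
check_hosts() {
    hosts_file=$1
    [ -r "$hosts_file" ] || return 0
    for name in $MDM_DOMAINS; do
        awk -v want="$name" '
            { sub(/#.*/, "") }
            $1 ~ /^(0\.0\.0\.0|127\.[0-9.]+|::1?)$/ {
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == want) { print "HOSTS", want, $1; exit }
            }' "$hosts_file"
    done
}

# Print a MARKERS line when the Settings directory holds exactly the file set
# the thread's rm/touch commands produce. One signal for review, not proof.
check_markers() {
    dir=$1
    [ -d "$dir" ] || return 0
    if [ -e "$dir/.cloudConfigRecordNotFound" ] &&
       [ -e "$dir/.cloudConfigProfileInstalled" ] &&
       [ ! -e "$dir/.cloudConfigHasActivationRecord" ] &&
       [ ! -e "$dir/.cloudConfigRecordFound" ]; then
        echo "MARKERS $dir"
    fi
}

# Print "DISABLED <label>" for each management label marked disabled in a saved
# dump of `launchctl print-disabled system` (line format is an assumption).
check_disabled() {
    dump=$1
    [ -r "$dump" ] || return 0
    for label in $MDM_LABELS; do
        if grep -Fq "\"$label\" => disabled" "$dump" ||
           grep -Fq "\"$label\" => true" "$dump"; then
            echo "DISABLED $label"
        fi
    done
}

# audit_root ROOT [DUMP]: run all checks against ROOT; prints one finding per line.
audit_root() {
    root=${1%/}
    check_hosts "$root/etc/hosts"
    check_markers "$root/var/db/ConfigurationProfiles/Settings"
    if [ -n "${2:-}" ]; then check_disabled "$2"; fi
}

# Constructed sample tree for the demo (not data from a real machine).
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc" "$fx/var/db/ConfigurationProfiles/Settings"
    printf '%s\n' '127.0.0.1 localhost' '#block mdm connect' \
        '0.0.0.0 iprofiles.apple.com' '0.0.0.0 albert.apple.com' \
        '# 0.0.0.0 gdmf.apple.com' > "$fx/etc/hosts"
    touch "$fx/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled" \
          "$fx/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound"
    printf '%s\n' 'disabled services = {' \
        '    "com.apple.ManagedClient.enroll" => disabled' \
        '    "com.apple.mdmclient.daemon" => enabled' '}' > "$fx/print-disabled.txt"
    echo "$fx"
}

demo=$(make_fixture)
audit_root "$demo" "$demo/print-disabled.txt"
rm -rf "$demo"
```

On a live system the call would be `audit_root / dump.txt`, with `dump.txt` captured beforehand from `sudo launchctl print-disabled system`.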

@ehsan58

ehsan58 commented Feb 22, 2024

Hello!

I was struggling with this Remote Management issue.
I own a 2019 Macbook Pro with an Intel CPU that I purchased used from my old college. I upgraded the OS from Ventura to Sonoma 14.3 and received an unavoidable/non-closable popup prompting me to enroll in Remote Management.
I fixed my issues using this thread and wanted to provide the steps that worked. Mainly, I want to provide an alternative to running the script(s) floating around. I was uncomfortable running any script as root in recovery mode. I was uncomfortable both due to security concerns and as I had valuable data on my hard drive that I didn't want to mess up. Also, I haven't read the entire thread so other things might have been addressed above that I am not addressing here.

Here are the steps that worked for me:

  1. Restart/Power computer holding cmd+r to enter recovery mode.
  2. Open the terminal.
  3. Run the following commands
launchctl disable system/com.apple.ManagedClient.enroll

rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

For me removing the above files under /var/db/ did not work because they were not present. I included the commands because some people seemed to have luck with them. I still added (touched) the two files under /var/db just to be thorough.

  4. Type reboot to restart your computer and let it boot normally.
  5. Login and hopefully the popup doesn't appear.
  6. Edit the /etc/hosts file using your favorite editor: sudo vim /etc/hosts
  7. Add the following to the file:
    This hopefully stops your computer from accessing these domains on the internet - where the mdm information is stored on Apple's servers.
#block mdm connect
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

It is also worth mentioning that I had my internet turned off for the duration of this process. Even if you can get your WiFi turned off before the popup blocks you, that isn't good enough. It is still possible for your Macbook to auto connect to a known WiFi network at boot - even if you have turned that network off. I've heard people say that it can still connect even if you've forgotten the network as well. To be thorough I blacklisted my macbook from accessing the internet from my router's configuration. If your router doesn't have that functionality or you don't want to figure out how to do that, just unplugging your router for the duration of the process would work as well. Again, I'm not sure if completely staying off the internet was necessary but I did it to be safe.

Thank you to all above that contributed, you really saved my butt!

Using this workaround it is safe to upgrade directly to 14.3.1 from 14.2.1?

It's my question too :( No update on this.

@TomRider22

Updated to 14.3.1, works for me, remove gdmf.apple.com from hosts before updating (otherwise it wouldn't find updates). After updating finished, add it back to hosts. Nothing special is needed if you are on 14.1.* - 14.2.*, you can update your OS via UI (Software Update).
image

@TomRider22

Just for info, for who had disk errors during the script run, it is updated with a fixed disk naming issue
https://github.com/skipmdm-phoenixbot/skipmdm.com/blob/main/Autobypass-mdm.sh

@RomanKoshkin

The pinned guide didn't work for me (Sonoma 14.3, MBP M3). I couldn't edit the .plist files as instructed (the file is read-only and sudo didn't help). What worked for me though was this very simple guide.

  • in recovery mode csrutil disable and reboot in normal mode
  • while in normal mode do:
sudo su
cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
  • reboot to recovery mode again and when in recovery mode csrutil enable. Reboot to normal mode. You shouldn't see the unremovable profiles again in System Preferences/Profiles

@PaxVobiscuit

PaxVobiscuit commented Mar 4, 2024

Hope this comment is now visible - it got hidden due to a problem with my account.

(Cross post to https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4912658#gistcomment-4912658).

I managed getting rid of spyware and worse w/ Sonoma (14.3.1). So any statement that's not possible at all is wrong.

System Info (redacted, personal information filtered)

>sudo sysinfo
Software:

    System Software Overview:

      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: <>
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: <>

Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: Mac15,9
      Model Number: <>
      Chip: Apple M3 Max
      Total Number of Cores: 16 (12 performance and 4 efficiency)
      Memory: 128 GB
      System Firmware Version: 10151.81.1
      OS Loader Version: 10151.81.1
      Serial Number (system): <>
      Hardware UUID: <>
      Provisioning UDID: <>
      Activation Lock Status: Disabled
>sudo profiles list
There are no configuration profiles installed in the system domain

>sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled.  Try again later.

Approach: Clean Wipe, Router Filter, skipmdm.com Script

This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).

Prerequisites

Block Apple URLs

Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and here the ("Blocked websites" filter) to block these URLs:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

Make sure the blocker works (i.e. ping from another device)!

Clean Install

In recovery mode, wipe the hard disk and start a clean install with the bootable installer.

Activate the system

Connect to the internet once to activate the system (I could not proceed without). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.

Run the Script

In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users set up so far)!

Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead going w/ Apple:1234 - saves some time). The script should run without any errors (despite the long previous discussions).

Postwork

Block URLs in /etc/hosts

Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

Disable agents

>sudo launchctl disable system/com.apple.ManagedClientAgent.enrollagent
>sudo launchctl disable system/com.apple.mdmclient.daemon
>sudo launchctl disable system/com.apple.devicemanagementclient.teslad
# You might check other services and disable them - know what you do!
>sudo launchctl print system | sort | grep enabled

Little Snitch

Finally a firewall comes in handy to possibly add even more security: I blocked

/usr/libexec/teslad
/usr/libexec/mdmclient

(for both user + system).

This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. B.t.w. - in many countries these practices are unlawful, so I see following this approach justified as a way of self-defense.

FWIW, this worked for me. Some of the steps might need to be more prescriptive for folks not very familiar with Macs, but I got it working in one pass. If you want a different drive name than "Macintosh HD" you will need to edit the global constant lines of Autobypass-mdm.sh to reflect the drive name you want.

I did have to connect to the internet to activate as well, but as soon as I hit the "This device is owned by an organization" page, I hit COMMAND-Q, booted in to Recovery Mode, then picked up the instructions from there and ran the script.

@PaxVobiscuit

PaxVobiscuit commented Mar 7, 2024

After using the method above to get to 14.3.1, how should I proceed to get to 14.4 or future 14.x updates?

Edit-

After no responses, I decided to try using the System Settings Software Updater, that seems to have worked as expected, and so far no enrollment screens after a couple days.

@reabo

reabo commented Mar 16, 2024

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade

Can’t believe it but I think it worked! Thank you so much!

@joshlac

joshlac commented Mar 16, 2024

After using the method above to get to 14.3.1, how should I proceed to get to 14.4 or future 14.x updates?

Edit-

After no responses, I decided to try using the System Settings Software Updater, that seems to have worked as expected, and so far no enrollment screens after a couple days.

How did you manage to see the update in System Settings? Mine just says "your Mac is up to date"....
