csrutil disable
Restart computer
In the terminal, type
sudo open /Applications/TextEdit.app /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist
change
<key>com.apple.ManagedClient.enroll</key>
<true/>
to
<key>com.apple.ManagedClient.enroll</key>
<false/>
So that the changes take effect
Hope this comment is now visible - it got hidden due to a problem with my account.
(Cross post to https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4912658#gistcomment-4912658).
I managed getting rid of spyware and worse w/ Sonoma (14.3.1). So any statement that's not possible at all is wrong.
System Info (redacted, personal information filtered)
Approach: Clean Wipe, Router Filter, skipmdm.com Script
This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).
Prerequisites
Block Apple URLs
Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and here the ("Blocked websites" filter) to block these URLs:
Make sure the blocker works (i.e. ping from another device)!
Clean Install
In recovery mode, wipe the hard disk and start a clean install with the bootable installer.
Activate the system
Connect to the internet once to activate the system (I could not proceed without). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.
Run the Script
In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users set up so far)!
Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead going w/ Apple:1234 - saves some time). The script should run without any errors (despite the long previous discussions).
Postwork
Block URLs in /etc/hosts
Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:
Disable agents
Little Snitch
Finally a firewall comes in handy to possibly add even more security: I blocked
(for both user + system).
This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. B.t.w. - in many countries these practices are unlawful, so I see following this approach justified as a way of self-defense.