
@sghiassy
Last active December 3, 2024 21:51

Disable Device Enrollment Notification on Mac.md

Restart the Mac in Recovery Mode by holding Command-R during restart

Open Terminal in the recovery screen and type

csrutil disable

Restart computer

Edit com.apple.ManagedClient.enroll.plist

In the terminal, type

sudo open /Applications/TextEdit.app /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist

change

<key>com.apple.ManagedClient.enroll</key>
        <true/>

to

<key>com.apple.ManagedClient.enroll</key>
        <false/>

Restart Computer again

So that the changes take effect

@ehsan58

ehsan58 commented Feb 22, 2024

Hello!

I was struggling with this Remote Management issue.
I own a 2019 Macbook Pro with an Intel CPU that I purchased used from my old college. I upgraded the OS from Ventura to Sonoma 14.3 and received an unavoidable/non-closable popup prompting me to enroll in Remote Management.
I fixed my issues using this thread and wanted to provide the steps that worked. Mainly, I want to provide an alternative to running the script(s) floating around. I was uncomfortable running any script as root in recovery mode. I was uncomfortable both due to security concerns and as I had valuable data on my hard drive that I didn't want to mess up. Also, I haven't read the entire thread so other things might have been addressed above that I am not addressing here.

Here are the steps that worked for me:

  1. Restart/Power computer holding cmd+r to enter recovery mode.
  2. Open the terminal.
  3. Run the following commands
launchctl disable system/com.apple.ManagedClient.enroll

rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord
rm -rf /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled
touch /Volumes/Macintosh\ HD/var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

For me removing the above files under /var/db/ did not work because they were not present. I included the commands because some people seemed to have luck with them. I still added (touched) the two files under /var/db just to be thorough.

  1. Type reboot to restart your computer and let it boot normally.
  2. Login and hopefully the popup doesn't appear.
  3. Edit the /etc/hosts file using your favorite editor: sudo vim /etc/hosts
  4. Add the following to the file:
    This hopefully stops your computer from accessing these domains on the internet - where the mdm information is stored on Apple's servers.
#block mdm connect
0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

It is also worth mentioning that I had my internet turned off for the duration of this process. Even if you can get your WiFi turned off before the popup blocks you, that isn't good enough. It is still possible for your Macbook to auto connect to a known WiFi network at boot - even if you have turned that network off. I've heard people say that it can still connect even if you've forgotten the network as well. To be thorough I blacklisted my macbook from accessing the internet from my router's configuration. If your router doesn't have that functionality or you don't want to figure out how to do that, just unplugging your router for the duration of the process would work as well. Again, I'm not sure if completely staying off the internet was necessary but I did it to be safe.

Thank you to all above that contributed, you really saved my butt!

Using this workaround it is safe to upgrade directly to 14.3.1 from 14.2.1?

It's my question too :( No update on this

@TomRider22

Updated to 14.3.1, works for me. Remove gdmf.apple.com from hosts before updating (otherwise it won't find updates). After the update finishes, add it back to hosts. Nothing special is needed if you are on 14.1.* - 14.2.*; you can update your OS via the UI (Software Update).

@TomRider22

Just for info, for those who had disk errors during the script run, it is updated with a fixed disk naming issue
https://github.com/skipmdm-phoenixbot/skipmdm.com/blob/main/Autobypass-mdm.sh

@RomanKoshkin

The pinned guide didn't work for me (Sonoma 14.3, MBP M3). I couldn't edit the .plist files as instructed (the file is read-only and sudo didn't help). What worked for me though was this very simple guide.

  • in recovery mode csrutil disable and reboot in normal mode
  • while in normal mode do:
sudo su
cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
  • reboot to recovery mode again and when in recovery mode csrutil enable. Reboot to normal mode. You shouldn't see the unremovable profiles again in System Preferences/Profiles

@PaxVobiscuit

PaxVobiscuit commented Mar 4, 2024

Hope this comment is now visible - it got hidden due to a problem with my account.

(Cross post to https://gist.github.com/henrik242/65d26a7deca30bdb9828e183809690bd?permalink_comment_id=4912658#gistcomment-4912658).

I managed to get rid of spyware and worse w/ Sonoma (14.3.1). So any statement that it's not possible at all is wrong.

System Info (redacted, personal information filtered)

>sudo sysinfo
Software:

    System Software Overview:

      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: <>
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: <>

Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: Mac15,9
      Model Number: <>
      Chip: Apple M3 Max
      Total Number of Cores: 16 (12 performance and 4 efficiency)
      Memory: 128 GB
      System Firmware Version: 10151.81.1
      OS Loader Version: 10151.81.1
      Serial Number (system): <>
      Hardware UUID: <>
      Provisioning UDID: <>
      Activation Lock Status: Disabled
>sudo profiles list
There are no configuration profiles installed in the system domain

>sudo profiles show -type enrollment
Error fetching Device Enrollment configuration: We can't determine if this machine is DEP enabled.  Try again later.

Approach: Clean Wipe, Router Filter, skipmdm.com Script

This approach assumes you are able to create a bootable installer and wipe your system disk (be sure to have a backup in place!).

Prerequisites

Block Apple URLs

Before starting at all, make sure you block the following URLs in the internet router. I used a Fritz!Box and its "Blocked websites" filter to block these URLs:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

Make sure the blocker works (i.e. ping from another device)!

Clean Install

In recovery mode, wipe the hard disk and start a clean install with the bootable installer.

Activate the system

Connect to the internet once to activate the system (I could not proceed without). As the installer fails to connect to the enrollment servers, an error message will be displayed indicating that the status of the enrollment could not be verified.

Run the Script

In recovery mode, open Terminal and e.g. try to delete /var/db/ConfigurationProfiles/Settings - you should get a prompt for the installation user (starting w/ "_m...") - which is a good sign (no other users set up so far)!

Now just run the script from the USB stick. Hint: directly enter the username you'd like to use later (instead of going w/ Apple:1234 - saves some time). The script should run without any errors (despite the long previous discussions).

Postwork

Block URLs in /etc/hosts

Before you proceed with the installation, reboot in recovery mode and change /etc/hosts by adding:

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

Disable agents

>sudo launchctl disable system/com.apple.ManagedClientAgent.enrollagent
>sudo launchctl disable system/com.apple.mdmclient.daemon
>sudo launchctl disable system/com.apple.devicemanagementclient.teslad
# You might check other services and disable them - know what you do!
>sudo launchctl print system | sort | grep enabled

Little Snitch

Finally a firewall comes in handy to possibly add even more security: I blocked

/usr/libexec/teslad
/usr/libexec/mdmclient

(for both user + system).

This works well for me and shows that it's possible to stop companies from installing spyware on their employees' devices - even on M3. B.t.w. - in many countries these practices are unlawful, so I see following this approach justified as a way of self-defense.

FWIW, this worked for me. Some of the steps might need to be more prescriptive for folks not very familiar with Macs, but I got it working in one pass. If you want a different drive name than "Macintosh HD" you will need to edit the global constant lines of Autobypass-mdm.sh to reflect the drive name you want.

I did have to connect to the internet to activate as well, but as soon as I hit the "This device is owned by an organization" page, I hit COMMAND-Q, booted in to Recovery Mode, then picked up the instructions from there and ran the script.

@PaxVobiscuit

PaxVobiscuit commented Mar 7, 2024

After using the method above to get to 14.3.1, how should I proceed to get to 14.4 or future 14.x updates?

Edit-

After no responses, I decided to try using the System Settings Software Updater, that seems to have worked as expected, and so far no enrollment screens after a couple days.

@reabo

reabo commented Mar 16, 2024

Disable annoying Remote Management Pop-Up after upgrading to macOS Sonoma (14)

Apple further added a new gate preventing people from using their DEP-enabled Macs without installing the profiles in macOS Sonoma. After upgrading from a fully-working Ventura copy (with MDM servers blocked in hosts) to macOS Sonoma DP 1, your Mac will want to give you a pop-up window every 10 mins reminding you to install a DEP profile. Did some experiments and I think Apple is secretly pinging their MDM servers no matter whether you have an active profile associated w/ SN or not. As long as the servers are not reachable they will annoy you with their new pop-up system.

The Workaround

(1) Disable SIP in 1 True Recovery

(2) sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound

(3) you're all set. enjoy this boring upgrade

Can’t believe it but I think it worked! Thank you so much!

@joshlac

joshlac commented Mar 16, 2024

After using the method above to get to 14.3.1, how should I proceed to get to 14.4 or future 14.x updates?

Edit-

After no responses, I decided to try using the System Settings Software Updater, that seems to have worked as expected, and so far no enrollment screens after a couple days.

How did you manage to see the update in System Settings? Mine just says "your Mac is up to date"....

@haohanw

haohanw commented Mar 20, 2024

/etc/hosts
Check your host file and deblock "gdmf.apple.com"

@joshlac

joshlac commented Mar 21, 2024

/etc/hosts
Check your host file and deblock "gdmf.apple.com"

It worked, I can see the update to 14.4 now. Can this be left unlocked for the future updates?

@PaxVobiscuit

PaxVobiscuit commented Mar 22, 2024

FWIW, I had the following FQDNs blocked at the router:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

I had them blocked in /etc/hosts as well. Still was able to update. Based on a quick search, gdmf.apple.com is specifically for MDM-managed devices.

Here is a list of all the FQDNs for the various services Apple devices might use

I have an unmanaged iMac and a used-to-be-managed Macbook Pro on my home network. My employer sends out alerts when there are major MacOS updates, critical updates, & patches. When the 14.4 notice came out, I went in to Software Update on both systems, and the 14.4 update showed up automagically as expected. No unblocking on my part.

If you truly do HAVE to unblock gdmf.apple.com to get updates, your machine may actually still be enrolled, but some other step in one of the techniques here suppresses the nag messages.

To check that, open Terminal and enter the following command:

profiles status -type enrollment

Your results should be :

Enrolled via DEP: No
MDM enrollment: No
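
Added example (not part of any comment in this thread, and not code from the gist author): the local changes described above leave traces that an administrator can audit. These shell functions report which of the enrollment hostnames listed in the thread are sinkholed in a hosts file and which of the thread's marker files exist in a Settings directory. The function names are hypothetical, and treating the marker files as an indicator assumes a device the organization has assigned to automated enrollment.

```shell
#!/bin/sh
# Added example: audit for the local changes described in this thread.
# Hostnames and marker-file names are the ones listed in the comments above;
# the function names are hypothetical.

MDM_HOSTS="iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com acmdm.apple.com albert.apple.com"
MARKER_FILES=".cloudConfigProfileInstalled .cloudConfigRecordNotFound"

# Print every enrollment hostname that a hosts file maps to a sinkhole
# address (0.0.0.0, 127.x.x.x or ::1). Comments and letter case are ignored.
audit_hosts() {
    awk -v wanted="$MDM_HOSTS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        {
            sub(/#.*/, "")                 # strip comments, fields are re-split
            if (NF < 2) next
            if ($1 != "0.0.0.0" && $1 != "::1" && $1 !~ /^127\./) next
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                sub(/\.$/, "", h)          # tolerate a trailing dot
                if ((h in want) && !(h in seen)) { seen[h] = 1; print h }
            }
        }' "$1"
}

# Print the marker files named in the thread that exist in a Settings directory.
# Assumption: on a device assigned to automated enrollment these are worth review.
audit_markers() {
    for m in $MARKER_FILES; do
        [ -e "$1/$m" ] && echo "$m"
    done
    return 0
}

# Summarize both checks; returns 1 when any indicator is present.
audit_enrollment_tampering() {
    blocked=$(audit_hosts "$1")
    markers=$(audit_markers "$2")
    [ -z "$blocked" ] && [ -z "$markers" ] && { echo "clean"; return 0; }
    [ -n "$blocked" ] && echo "hosts sinkhole: $(echo $blocked)"
    [ -n "$markers" ] && echo "marker files: $(echo $markers)"
    return 1
}
```

Call it as `audit_enrollment_tampering /etc/hosts /var/db/ConfigurationProfiles/Settings`; a non-zero exit status means at least one indicator was found.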

@joshlac

joshlac commented Mar 29, 2024

To check that, open Terminal and enter the following command:
profiles status -type enrollment

I run the command and I see "No" to all...

@HAndresM

Greetings. Do you know if there is a way to log in to this MacBook Air 2020 with Intel? It has remote administration with Jamf. It asks me to log in with a Microsoft business account; when using a personal account it does not allow it, and when choosing local login it asks me for a password, but I do not have it.

Is there any option?


@ohbrandon

FWIW, this worked for me. Some of the steps might need to be more prescriptive for folks not very familiar with Macs, but I got it working in one pass. If you want a different drive name than "Macintosh HD" you will need to edit the global constant lines of Autobypass-mdm.sh to reflect the drive name you want.

I did have to connect to the internet to activate as well, but as soon as I hit the "This device is owned by an organization" page, I hit COMMAND-Q, booted in to Recovery Mode, then picked up the instructions from there and ran the script.

Just adding that this post in reply to the above method is what got me sorted out. Clean install (didn't have to use USB), reboot to recovery at the MDM screen, run bypass script and reboot. Dead simple.

@Omrtx999

Omrtx999 commented Apr 11, 2024

what’s supposed to be done ?

@Mktulio

Mktulio commented Apr 27, 2024

Anyone using Sonoma 14.4.1, after processing the post?

@ehsan58

ehsan58 commented Apr 28, 2024

Anyone using Sonoma 14.4.1, after processing the post?

Yes, it's working normally

@samcoinhope

Hello,
please, I want to ask about MDM.
I have an M2 with Ventura 13 working and Apple asked me to update to Sonoma.
Can I update it safely?
And if I did, do I need to do something else to stop MDM?
Thank you

@DNLS55

DNLS55 commented May 15, 2024

How to Upgrade to Sonoma Without Risking Activating DEP/MDM?

There is some conflicting information here (and on YT), and I am not a pro user... Could someone kindly explain or point me to the current recommended process to upgrade from Ventura to Sonoma without risking my Mac being enrolled into DEP/MDM?

Originally, when I acquired this Mac, DEP/MDM was circumvented by blocking IPs on my router, installing from USB (clean install), and then editing hosts files. However, now I would like to upgrade a running system and Sonoma seems to have additional tricks to enroll us. Hope someone could help me run the upgrade to Sonoma without risking DEP/MDM (this is why I have not upgraded until now, but I have to do it now as a tool I use needs Sonoma now).

P.S. This means I am not DEP/MDM enrolled, correct?

Last login: Wed May 15 16:59:55 on console
admin@D-MBP-16-2021 ~ % sudo profiles show -type enrollment
Password:
Error fetching Device Enrollment configuration: (34000) Error Domain=MCCloudConfigurationErrorDomain Code=34000 "The device failed to request configuration from the cloud." UserInfo={NSLocalizedDescription=The device failed to request configuration from the cloud., CloudConfigurationErrorType=CloudConfigurationFatalError}
admin@D-MBP-16-2021 ~ %

@maxdinky

maxdinky commented May 28, 2024

Hi everyone. I updated to Sonoma 14.5 from Monterey yesterday and after installing I got a pop up saying remote management but just hit skip now and worked fine after. Today I tried using it and now the same pop up comes up taking over my whole screen without a “skip now” button. I tried everything on here but nothing has allowed me to use the Sudo codes in terminal in regular mode because the pop up comes up within 10 seconds of booting up every time. I don’t want to erase the MacBook because I have a lot of data on it I need.

Any help would be great. I am able to go into recovery mode fine but that’s about it. Thank you!

@sam09h

sam09h commented May 29, 2024

Hi everyone. I updated to Sonoma 14.5 from Monterey yesterday and after installing I got a pop up saying remote management but just hit skip now and worked fine after. Today I tried using it and now the same pop up comes up taking over my whole screen without a “skip now” button. I tried everything on here but nothing has allowed me to use the Sudo codes in terminal in regular mode because the pop up comes up within 10 seconds of booting up every time. I don’t want to erase the MacBook because I have a lot of data on it I need.

Any help would be great. I am able to go into recovery mode fine but that’s about it. Thank you!

try turning off ur wifi if the pop up still comes, delete all the wifi passwords saved on ur mac. this should allow you to put the command lines. After several tries it worked for me

@maxdinky

Hi everyone. I updated to Sonoma 14.5 from Monterey yesterday and after installing I got a pop up saying remote management but just hit skip now and worked fine after. Today I tried using it and now the same pop up comes up taking over my whole screen without a “skip now” button. I tried everything on here but nothing has allowed me to use the Sudo codes in terminal in regular mode because the pop up comes up within 10 seconds of booting up every time. I don’t want to erase the MacBook because I have a lot of data on it I need.
Any help would be great. I am able to go into recovery mode fine but that’s about it. Thank you!

try turning off ur wifi if the pop up still comes. delete all the wifi passwords saved on ur mac. After several tries it worked for me

which codes did you put into terminal? what exact steps did you follow. i appreciate your help

@sqig

sqig commented Jun 2, 2024

Hi, I have been using my Intel 2019 MBP since 2020 with the host blocked. I'm still on Ventura.
I recently ran a script to see if my Mac was still under MDM. I got the results that it was not on a MDM server. I thought that maybe this was because I had the hosts blocked, I removed the host entry and ran the test again with the same result. I have now had the Mac running 24 hours without the hosts blocked and not received any pop up messages. Is it possible that my Mac has been released from MDM? How can I tell for sure before updating to Sonoma ? Thank you script. https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/check_mdm_enrollment

@Ran-Xing

Ran-Xing commented Jun 4, 2024

sudo profiles show -type enrollment
sudo profiles status -type enrollment
sudo profiles renew -type enrollment

@sqig try

@Mktulio

Mktulio commented Jun 8, 2024

sudo profiles show -type enrollment
sudo profiles status -type enrollment
sudo profiles renew -type enrollment

@sqig try

Does this code check?

@spoved-aws

Hi, I have been using my Intel 2019 MBP since 2020 with the host blocked. I'm still on Ventura. I recently ran a script to see if my Mac was still under MDM. I got the results that it was not on a MDM server. I thought that maybe this was because I had the hosts blocked, I removed the host entry and ran the test again with the same result. I have now had the Mac running 24 hours without the hosts blocked and not received any pop up messages. Is it possible that my Mac has been released from MDM? How can I tell for sure before updating to Sonoma ? Thank you script. https://github.com/rtrouton/rtrouton_scripts/tree/main/rtrouton_scripts/check_mdm_enrollment

No, the script is only checking on the local system if the mdm profile is installed or not.

@sqig

sqig commented Jun 8, 2024

I have used a paid online MDM check and my Mac is still enrolled.
Model: MacBook Pro (15-inch, 2018) Space Gray Wi-Fi [A1989] [MacBookPro15,1]
Serial Number: C02XXXXXXX
MDM Lock: ON
Thank you

@Ran-Xing

Ran-Xing commented Jun 8, 2024

@sqig I can provide technical support for a fee.

@charlvin

Install Sequoia developer Beta, risking DEP

I am thinking if I should install Sequoia directly through Sonoma. It works perfectly now without DEP notification.

charlvin@LCWMacBook-Pro ~ % sudo profiles status -type enrollment

Enrolled via DEP: No
MDM enrollment: No

@hoorrus

hoorrus commented Jun 11, 2024

FWIW, I had the following FQDNs blocked at the router:

iprofiles.apple.com
mdmenrollment.apple.com
deviceenrollment.apple.com
gdmf.apple.com
acmdm.apple.com
albert.apple.com

I had them blocked in /etc/hosts as well. Still was able to update. Based on a quick search, gdmf.apple.com is specifically for MDM-managed devices.

Here is a list of all the FQDNs for the various services Apple devices might use

I have an unmanaged iMac and a used-to-be-managed Macbook Pro on my home network. My employer sends out alerts when there are major MacOS updates, critical updates, & patches. When the 14.4 notice came out, I went in to Software Update on both systems, and the 14.4 update showed up automagically as expected. No unblocking on my part.

If you truly do HAVE to unblock gdmf.apple.com to get updates, your machine may actually still be enrolled, but some other step in one of the techniques here suppresses the nag messages.

To check that, open Terminal and enter the following command:

profiles status -type enrollment

Your results should be :

Enrolled via DEP: No
MDM enrollment: No

@PaxVobiscuit, Hi, have you or anyone else had issues updating OS after this?
