Closed srkaviani closed 2 years ago
jessepeterson
commented
2 years ago Hello @srkaviani. In order to prevent MDM removal generally you need to have a DEP account and the computer has to be provisioned with the is_mdm_removable set to false for the DEP profile. MicroMDM's has some DEP documentation.
For general questions like this joining the MacAdmins Slack is a good idea; lots of us in the #micromdm channel. :)
zxyzhouxiaoyun
commented
1 year ago is mdm removable false does not take effect.
ben221199
commented
1 year ago I had the same problem. In my case is_mdm_removable is false, but the button for removing the profile is still visible.
korylprince
commented
1 year ago The device must be supervised for is_mdm_removable to take effect.
ben221199
commented
1 year ago I also had is_supervised to true. But I still was able to remove the Remote Management from the iPad.
korylprince
commented
1 year ago Like @jessepeterson said, for general questions like this joining the MacAdmins Slack is a good idea.
While setting is_supervised to true is required (in the DEP profile), you have to also enroll them via DEP/ADE to supervise the device. You can also use Configurator to supervise iOS devices, though I haven't seen a lot of MicroMDM users do it that way.
In general, follow these steps:
ben221199
commented
1 year ago I added the device to ABM with "Manual Configuration" and selected the right MDM server in the portal at https://business.apple.com. (Manual Configuration may be also used to enroll directly, but then you cannot use things like is_mdm_removable).
I created a profile (https://developer.apple.com/documentation/devicemanagement/profile) and assigned the profile to the device. The state changed from empty to assigned. (Enrolling does also work when the state is pushed already.)
I enrolled the device with "Automated Enrollment". Didn't fill in a profile and also no username or password. The device loaded all things using 4G and skipped some steps (including "Remote Management"). I see proof in the NGINX logs that the device has indeed loaded all configurations. The first screen it shows then, it TouchID (because I didn't give up any SkipSteps). I do all the remaining steps and the device indeed shows that it is remotely managed.
When I go to Settings > VPN & Device Management, I am able to remove the management and the profile, like in the following picture:
I don't think that should be possible when is_mdm_removable is false.
Yesterday, also something strange happened, but maybe it makes sense: I used to do "Manual Configuration" with Apple Configurator many times and I also checked the "Shared iPad" thing. However, when configurating manually using Configurator, the iPad never became really shared. However, yesterday, when having added the device manually with Shared iPad enabled, I pressed on the Home Button in some way and perhaps clicked on some items in the menu that appeared (the same menu that has "Start again" to start the setup again) and suddenly the screen changed I was asked which user I wanted (entering some Apple ID or using Guest). It was Shared iPad. Isn't it possible that something similar is happening with is_mdm_removable? That I have to do some "Start again" thing in order to work?
korylprince
commented
1 year ago Please follow the instructions in the last section here to verify the device shows as supervised.
zxyzhouxiaoyun
commented
1 year ago I did the same thing but it just didn't work. is_mdm_removeable
zxyzhouxiaoyun
commented
1 year ago I also had
is_supervisedtotrue. But I still was able to remove the Remote Management from the iPad. Have you solved the problem now
ben221199
commented
1 year ago Not yet.
How i can prevent users to Deleting mdm profile? (UnEnrolling) If DEP Account Needed i will get it. Please help me.