removing device enrollment from OS X devices


3 years 2 weeks ago #4663 by reverendalc
so i've heard of apple DEP before... Device Enrollment Program.
i've never encountered it... until now

for those who don't know, apple device enrollment is a network based settings/profile deployment system provided by apple for corporate entities etc.

supposedly, once a device (including iPads etc) is enrolled, it can be managed remotely, and can automatically assume configurations even after system restore. the only way to remove this device from DEP, according to apple, is to remove it from your DEP database, which is a web service offered and managed by apple.

the problem:
macbook air continuously prompts "Falcon School District 49 can configure this MacBook for you...."



super annoying, and pops up like every hour. i'm unsure what allowing this does, but...

complete erase of ssd, zapping NVRAM, and reinstalling OS X from fresh USB media, and it still pops up as soon as internet is connected.
completing setup without wifi, you will never see the message. further research has indicated that apple is pushing this...

/System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist
/System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist

these appear to be the culprit. i disabled these as well as any plist with ManagedClient in it, but i can only assume that after a system restore, the messages will resurface.

to be clear, i created /Library/LaunchAgentsDisabled and /Library/LaunchDaemonsDisabled and placed the plists in their respective folders.

perhaps changing the serial number could mitigate this.

has anybody else battled with DEP?
The following user(s) said Thank You: mtronmeta
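
For an administrator who needs to detect the change described in the post above on a managed Mac, here is an added example that is not part of the original thread: a shell function that checks a volume root for the two enrollment plists at their stock paths and for ManagedClient plists parked in the "Disabled" folders the post names. The function name `audit_dep_agents` and its root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a macOS volume for relocated
# enrollment agents. The paths and folder names are the ones quoted in the post.
#
# audit_dep_agents ROOT
#   ROOT is the volume root to inspect ("" or "/" for the running system).
#   Prints one status line per finding; returns 0 when both plists are in
#   place and nothing is parked, 1 otherwise.
audit_dep_agents() {
    root="${1:-}"
    status=0

    # The two stock locations named in the post.
    for rel in \
        "System/Library/LaunchAgents/com.apple.ManagedClientAgent.enrollagent.plist" \
        "System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist"
    do
        if [ -f "$root/$rel" ]; then
            echo "OK       /$rel"
        else
            echo "MISSING  /$rel"
            status=1
        fi
    done

    # Any ManagedClient plist sitting in a "Disabled" folder counts as tampering.
    for dir in "Library/LaunchAgentsDisabled" "Library/LaunchDaemonsDisabled"; do
        [ -d "$root/$dir" ] || continue
        for f in "$root/$dir"/*ManagedClient*.plist; do
            [ -e "$f" ] || continue   # glob matched nothing
            echo "PARKED   /$dir/$(basename "$f")"
            status=1
        done
    done

    return "$status"
}
```

Run it with the mounted volume as the argument and treat a non-zero return as a finding to investigate.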

3 years 2 weeks ago #4667 by therealjayvi
I know there's hella paranoia and wariness surrounding this app, but I think it may be beneficial for you to install Little Snitch and see just exactly which ports the connection is coming through from and then which service it is using to maybe help identify what/where/how it is able to still overcome a fresh install. Sounds like it could be stored in the EFI possibly since it's persistent across formatting/install. Try booting to an external OS X installation (not install usb) and see if it still pops up upon internet connectivity. If not, then we know it's tied to either the RAM, SSD, or EFI (or somewhere I have no idea haha).

3 years 2 weeks ago #4671 by reverendalc
yes yes. i didn't use little snitch, but i did identify the agents and daemons responsible.

clearly, some (if not all) of this information is stored in the EFI, not just NVRAM, as it's persisted the most thorough "wipe" i can give this mac.

i'm sure somebody out there knows more about removing DEP, and can chime in about exactly where this identifying information is stored.

perhaps i'll attempt to open a DEP account, but i think it's only available to certain parties.

2 years 10 months ago #5356 by Aw3sum
I came across one in early 2016, once I completely wiped the drive and repartitioned it and set an EFI password, then installed OSX, and removed EFI password.. It stopped pushing the DEP profile. I'm pretty sure it's stored in the recovery drive. I may be wrong. There's very little info on this other than IT marketing whitesheets and presentations. If it is true that all 2012 and newer models bought by corporations or schools in bulk can be added to DEP system by entering order # and serial # in the DEP web portal ANYTIME, all the used Apple resellers who buy from asset recovery/recycle and flip them on ebay will be screwed as you'll never know it's on DEP until you load OS and go on wifi.. and no way to remove from DEP servers. Apple really wants to eliminate the used reseller market.

2 years 10 months ago #5358 by reverendalc
I was never able to defeat the DEP through conventional means. I do not believe that the profile is stored in the recovery partition as I'd done a complete system wipe (and I mean complete) and the prompt still arose.

2 years 10 months ago #5359 by Aw3sum
Yeah I was worried it would pop up at some point, but it wasn't mine, so I never heard that it ever popped up again. my guess is if it is not on the SSD, it's tied to the serial # in the EFI. It's pretty much corporate grade iCloud tracking.

2 years 10 months ago #5363 by reverendalc
Agreed.

It is linked to the serial and all OS X installations 10.6+ have the DEP agents installed and activated by default. There is more than the serial in the EFI that identifies the mac though. Changing the serial alone won't do.

It can be defeated by the method I laid out above, but that will not survive an OS X reinstall. The only guaranteed way to disable DEP is to have the original entity disassociate the serial through the web service.

I can't imagine that conversation going well (-:

2 years 10 months ago - 2 years 10 months ago #5748 by speedy

reverendalc wrote: Agreed.
It can be defeated by the method I laid out above, but that will not survive an OS X reinstall. The only guaranteed way to disable DEP is to have the original entity disassociate the serial through the web service.


I came across a MacBook Pro early 2015 with this same problem. Maybe in the meantime you managed to get rid of DEP once and for all. It really annoys me.
Last edit: 2 years 10 months ago by speedy.

2 years 10 months ago #5753 by reverendalc
once and for all? that requires the registrar removing them (-;

i see from your edit, that you may have sorted it out?

you need to show hidden files to see agents and daemons, and you'll likely have to create the "disabled" folders before you can move to them

are you all set?

2 years 10 months ago #5755 by speedy
Yeah, I managed to do it after all. In Sierra I needed one more step for the system folder to show up.

As for "once and for all" I am thinking there is a possibility to reset the EFI chip. If I find out something I will post here.

2 years 10 months ago #5763 by reverendalc
You will have to convince the MacBook (and Apple servers) that it's a different mac. I have tried changing serial and board serial in EFI rom, but iCloud still tracks.

2 years 5 months ago #6987 by zazu
hey Aw3sum

you said you set an EFI password then made a new system then removed EFI password, and you stopped seeing it

my question is

when you do

sudo /usr/libexec/mdmclient dep nag

what reply in the terminal do you see? in other words do you see it's an empty array or some random data?

thanks

2 years 4 months ago #7017 by digles
Hi There!

Is there a more detailed description of how exactly to do this?

I am able to install the firmware password (EFI), install OS Sierra via bootable USB with alt. However, thereafter it remains a mystery haha!

Would be great, if one of you can give some more guidelines. MB Pro 2015 retina is the one I use.

Still assume this is the best solution to work with, right? And besides that, that if the DEP does not pop up, no possible connection could be made between the DEP server and the macbook? I have the luck to bypass location services and more during installation, hope that that helps a bit...

Thanks!

2 years 4 months ago #7018 by zazu
where is the DEP stored ?

NVRAM
SSD
CPU
Motherboard
...
?

if i install linux only on the mac, will it still be tied to DEP/MDM ?
I'm planning to install linux only into the mac, then install virtualbox of mac on it, what do you think?

2 years 4 months ago #7027 by digles
How can I create a new folder in my system's library:

/Library/LaunchAgentsDisabled and /Library/LaunchDaemonsDisabled

and how to place/move the above mentioned plists in these respective folders.

Do I need a special programme? Or is it possible through terminal?

Would be of great help!

1 year 10 months ago #8839 by minhle
I have the same issue here. Could you help me remove it, or what's the solution to make the pop-up go away? I bought it in Việt Nam from a seller. Help me.

1 year 10 months ago #8944 by KingBonecrusher
Has anybody tried to change the Hardware UUID?

1 year 3 months ago #10116 by jan
has someone found a solution?
need this!

does someone know if the company can track you and the device if you NEVER click "allow"?

1 year 3 months ago - 1 year 3 months ago #10132 by KingBonecrusher
Solution was found 7 months ago, 1 post above yours. Simply change uuid, sn and full clean nvram to get rid of personal infos and fmm stuff. Shred the ssd (if possible do secure erase) and reinstall osx. Do not shred with the osx setup, use linux.

*you need a working sn, not something randomly generated!
Last edit: 1 year 3 months ago by KingBonecrusher.

1 year 2 months ago #10142 by jan
thanks. and how to change uuid?
