Disable DEP and MDM Profile on Mac OS Big Sur

A little about DEP and MDM

Update: Thanks to @agafon_aga for essential comments:





The situation described here is relevant when using the Apple Device Enrollment Program (DEP). Its purpose is to link devices to a company account to simplify management, inventory, and more.





Within the system, DEP has the highest priority (after Apple, of course).





Mobile Device Management (MDM) systems have a lower priority than the AppleID of the device user. The user can easily delete an MDM profile (but not DEP); being an administrator on the system is enough to do this.





Altogether, the priority order is (from highest to lowest):





Apple - DEP - User AppleID - MDM Profile





DEP (Device Enrollment Program) and MDM (Mobile Device Management) profiles are usually installed by users on devices issued to them for use by large companies, as well as by some schools and universities. The profile allows almost all software components of the device to be configured automatically. However, it also allows complete remote control of the device. What can be controlled is limited only by the imagination of the administrator who set it up.





In short, this is good for the company in general, but not so good for the individual user. Sometimes you simply do not want anyone to be able to remotely kick you out of your computer, or block it outright, at any moment.





The corporate profile is assigned at the factory when a large customer orders a batch, and it cannot be permanently deleted programmatically. As a rule, after a full reset the profile is downloaded from the Internet during device activation and again tries to deploy itself on the device. How intrusive these attempts are varies, and our task today is to get rid of them.





Mac OS Catalina . Big Sur . . .





, Mac OS Big Sur . MDM - , MDM .





. , MDM , . - 10 . , .





MDM

1. :

-> -> FileVault -





2. :

(Command+R) .





3. :

"" -> ""





4. :





mount



5. , "Macintosh HD". .







"/Volumes/Macintosh HD"





! "/Volumes/Macintosh HD - Data"

dev/disk4s5 - .







! !





6. bak:





# Unmount the read-only system volume and remount it read-write.
# The device node is the one that `mount` showed for "Macintosh HD"
# (not the "- Data" volume); it differs from machine to machine.
umount /Volumes/Macintosh\ HD
mkdir /Volumes/Macintosh\ HD
mount -t apfs -rw /dev/disk2s5 /Volumes/Macintosh\ HD
# Move the MDM launch agents aside into a bak folder.
cd /Volumes/Macintosh\ HD/System/Library/LaunchAgents
mkdir bak
mv com.apple.ManagedClientAgent.* bak/
mv com.apple.mdmclient.* bak/
# Do the same for the MDM launch daemons.
cd ../LaunchDaemons
mkdir bak
mv com.apple.ManagedClient.* bak/
mv com.apple.mdmclient.* bak/



7. Signed System Volume (SSV):





csrutil authenticated-root disable



8. , :





bless --folder /Volumes/Macintosh\ HD/System/Library/CoreServices --bootefi --create-snapshot



9. .





Done. The MDM profile agents are no longer visible to the system.







Updates will work. If you do a clean reinstall, you will have to repeat the procedure from the beginning. Sometimes the fix is undone after installing major updates.
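Since the change can be silently reverted by a major update, and since a fleet administrator will want to know when it has been applied, here is an added example (not part of the original article) of a read-only POSIX shell audit that detects the end state described above: it checks that the launchd items the article moves into bak/ are still in place and that Signed System Volume protection (authenticated root) is still enabled. The plist file names in the constructed demo tree and the `Authenticated Root status: enabled` line expected from `csrutil authenticated-root status` are assumptions; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit that detects
# the change described above (launchd items moved into bak/, SSV disabled).
# Assumptions: the plist names used in the demo tree and the
# "Authenticated Root status: enabled" line printed by
# `csrutil authenticated-root status` on Big Sur.

# missing_items DIR PATTERN... -> prints the patterns that match nothing in DIR
missing_items() {
    dir=$1
    shift
    missing=""
    for pat in "$@"; do
        found=0
        for f in "$dir"/$pat; do            # the glob expands here, per pattern
            if [ -e "$f" ]; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || missing="$missing $pat"
    done
    printf '%s\n' "${missing# }"
}

# ssv_enabled STATUS_TEXT -> 0 when the csrutil output says authenticated root is on
ssv_enabled() {
    case $1 in
        *"Authenticated Root status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mac ROOT STATUS_TEXT -> 0 if every expected item is present and SSV is on
audit_mac() {
    root=$1
    status_text=$2
    rc=0
    m=$(missing_items "$root/System/Library/LaunchAgents" \
        'com.apple.ManagedClientAgent.*' 'com.apple.mdmclient.*')
    [ -z "$m" ] || { echo "LaunchAgents missing: $m"; rc=1; }
    m=$(missing_items "$root/System/Library/LaunchDaemons" \
        'com.apple.ManagedClient.*' 'com.apple.mdmclient.*')
    [ -z "$m" ] || { echo "LaunchDaemons missing: $m"; rc=1; }
    ssv_enabled "$status_text" || { echo "Signed System Volume is disabled"; rc=1; }
    return $rc
}

# --- constructed demo: two fake system roots so the check runs anywhere ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for host in healthy tampered; do
    la=$demo/$host/System/Library/LaunchAgents
    ld=$demo/$host/System/Library/LaunchDaemons
    mkdir -p "$la" "$ld"
    : > "$la/com.apple.ManagedClientAgent.agent.plist"   # file names assumed
    : > "$la/com.apple.mdmclient.agent.plist"
    : > "$ld/com.apple.ManagedClient.plist"
    : > "$ld/com.apple.mdmclient.daemon.plist"
done
# "tampered" mirrors the article's end state: the agents are parked in bak/
mkdir "$demo/tampered/System/Library/LaunchAgents/bak"
mv "$demo/tampered/System/Library/LaunchAgents"/com.apple.* \
   "$demo/tampered/System/Library/LaunchAgents/bak/"

for host in healthy tampered; do
    if audit_mac "$demo/$host" "Authenticated Root status: enabled"; then
        echo "$host: OK"
    else
        echo "$host: changes detected"
    fi
done
# On a real Mac (assumption: run as an administrator from a normal boot):
#   audit_mac / "$(csrutil authenticated-root status 2>&1)"
```

The check only reads the file system and a status string, so it is safe to run from a management script on every machine; a non-zero exit from `audit_mac` is the signal to investigate, and the printed lines say which of the two conditions (missing launch items, disabled SSV) tripped it.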





The method has been tested on Mac OS Big Sur up to version 11.1.











