
Corporate computer keeps enrolling to unknown MDM profile, even after format/reinstall

I am the IT manager of a company owning several Apple computers, and I have a specific MacBook Pro 2018 that was provided to an employee who left the company a few months ago. When I got our corporate laptop back to clean it and provide it to a new employee, I noticed an unknown MDM profile installed on our corporate computer that isn't our MDM. I formatted the computer, then reinstalled macOS Catalina from scratch (from a USB thumb drive), and immediately after the install completed, before even creating any user account, I got a prompt telling me that "XXXXX can now remotely manage my computer".


I just hung up the phone with the AppleCare technical support line and they had never heard of this behavior (??!!), and my call has even been elevated to a senior supervisor.


It looks like something is "pushing" data to our corporate computer without our agreement. So what are the options?

Posted on Feb 4, 2021 11:51 AM

Question marked as Best reply

Posted on Feb 8, 2021 8:27 AM

CONCLUSION/SOLUTION :


While searching for the original invoice of the computer to contact Apple, I finally discovered that this Apple laptop was sold brand new but with a "customer return" mention (and rebate) from our corporate authorized Apple reseller. So this computer has been enrolled by the prior customer on his MDM using the SN# since the box itself was still factory sealed (which misled me). Finally our corporate reseller was able to contact Apple on their own side to request the computer to be un-enrolled from the other company account!


Moral of the story: be careful when you purchase "open box" of any Apple products... it's definitely not as "safe" as with a Windows PC, because Windows 10 can be remotely deployed/managed using Azure AD, but if you format the HDD, it won't re-enroll itself!

Feb 5, 2021 5:25 AM in response to Barney-15E

Barney-15E wrote:

There are several similar posts. My assumption is that company mistyped the serial number into their DEP and the profile is pushed by Apple when it sees the serial number contact the install server.
But, that is merely a guess.


Absolutely sounds possible! The thing is, this employee never had an administrator account on our corporate computer, so it's 100% impossible that she installed (accidentally or not) an MDM profile by herself! You know how it works... when you "bind" a computer to an MDM server, you have to install several profiles and agree to several things that require administrative rights to the computer, except if it's pushed by Apple at the very first "hardware level" of the computer when I reinstalled macOS.


Now, since Apple is responsible for managing the push of the profiles to their computers, they should be able to help me remove my SN# from the infrastructure somewhere!? I have the proof of purchase of this computer in my hand, so it's super easy for me to prove that we are the only legitimate owner of this computer and that we are not related to this unknown company MDM.


So what do you suggest? Trying to reopen my ticket again and try to elevate it to someone else at Apple who really knows what he/she is doing?

Feb 5, 2021 5:40 AM in response to SimmZ2008

Absolutely sounds possible! The thing is, this employee never had an administrator account on our corporate computer, so it's 100% impossible that she installed (accidentally or not) an MDM profile by herself! You know how it works... when you "bind" a computer to an MDM server, you have to install several profiles and agree to several things that require administrative rights to the computer, except if it's pushed by Apple at the very first "hardware level" of the computer when I reinstalled macOS.

I don't think it requires installing a profile. If the serial number is enrolled in a DEP, when you attempt to reinstall, the serial number is passed to Apple who sees it as belonging to a DEP and the Mac is handed off to the "owner" for custom installation.

So what do you suggest? Trying to reopen my ticket again and try to elevate it to someone else at Apple who really knows what he/she is doing?

Yes. And, try to contact the company to which it is now "enrolled." See if they have mistakenly entered the wrong serial number.

I don't know if Apple has a special MDM/DEP support center, but that is who you would need to talk to.


Most of the other similar posts are individuals who have little to no power talking to the company it says it is owned by, but if you have a legal department, you may be able to get somewhere via that lane as that company is denying you use of your equipment.
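
The serial-number lookup described in this reply can be checked at device intake, before a Mac is handed to an employee. The following is an added example, not part of the thread or any Apple tooling: a shell check that parses the output of macOS's `sudo profiles show -type enrollment`. The hostname `mdm.example.com`, the function names and the sample record (modeled on that command's plist-style output) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Intake check: is this Mac's serial assigned to an Automated Device
# Enrollment (DEP) organization, and is that organization ours?

# Assumption: hostname of YOUR organization's MDM server (placeholder).
EXPECTED_MDM_HOST="${EXPECTED_MDM_HOST:-mdm.example.com}"

# Constructed sample of an enrollment record for a serial that another
# organization has claimed (all values are invented).
sample_record() {
cat <<'EOF'
Device Enrollment configuration:
{
    ConfigurationURL = "https://enroll.unknown-mdm.example/cloudenroll";
    IsMDMUnremovable = 1;
    IsMandatory = 1;
    OrganizationName = "Unknown Org Ltd";
}
EOF
}

# Extract one `Key = value;` field from the record on stdin.
dep_field() {
    sed -n "s/^[[:space:]]*$1 = \"\{0,1\}\([^\";]*\)\"\{0,1\};.*/\1/p" | head -n 1
}

# Prints "unassigned", "ours <host>", or "foreign <host> <org>" (exit 1).
classify_dep_record() {
    record=$(cat)
    url=$(printf '%s\n' "$record" | dep_field ConfigurationURL)
    org=$(printf '%s\n' "$record" | dep_field OrganizationName)
    if [ -z "$url" ]; then
        echo "unassigned"; return 0
    fi
    # Reduce the enrollment URL to its hostname for comparison.
    host=$(printf '%s\n' "$url" | sed -e 's|^[a-z]*://||' -e 's|[/:].*$||')
    if [ "$host" = "$EXPECTED_MDM_HOST" ]; then
        echo "ours $host"
    else
        echo "foreign $host ${org:-unknown-org}"; return 1
    fi
}

# On the Mac under inspection: query the live record (needs root).
if [ "${1:-}" = "--live" ]; then
    sudo profiles show -type enrollment 2>&1 | classify_dep_record
fi
```

A "foreign" result on a freshly erased machine means the assignment lives on Apple's side, so the remedy is a release request through Apple or the reseller, not another reinstall.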

Feb 5, 2021 6:26 AM in response to Barney-15E

I can't really contact the company where our computer is enrolled because I only see a weird company name during the initial enrollment process that doesn't link to any known company. I also tried to find the domain name from the MDM profile, but it leads to a foreign company in another country who have no website where I can find any contact information. It's like a needle in a haystack...


We surely have a legal team, however it doesn't make sense to me to "sue" the company who wrongfully enrolled my corporate computer. This is definitely a security/design flaw in the MDM by Apple... I mean, why should I spend money on my lawyers for something that I am the legitimate and proven owner of and where I don't have a tiny little liability in the situation.


Apple should definitively be able to do something on their side, not me having to "fight" with the other company who illegitimately "own" the management of my computer...


I'll try to contact Apple again now to try elevating my ticket to a higher department.
