Automated Device Enrollment + SSO (Microsoft Entra)

Hello,


All three Apple devices (2 iMacs and 1 MacBook) are personally owned by me and were purchased new directly (not second-hand). They are registered under my personal Apple ID.


However, after signing in with my Apple ID, **every device** eventually displays a mandatory Microsoft Entra ID (formerly Azure AD) sign-in prompt. In recent macOS versions, this prompt appears immediately after user login and blocks all further interaction until completed.


I suspect the devices — despite being bought new and registered to me — were inadvertently enrolled into an external organization’s Apple Business Manager (ABM) and are now subject to Automated Device Enrollment (ADE) with SSO configured via Microsoft Entra ID.


My questions:

— How can I check which ABM organization a device is assigned to (via serial number, UDID, or locally on the device)?

— How can I remove a device from ABM/ADE if I have no access to that organization and am the sole legal owner of the hardware?

— Is there an official, non-destructive way to clear the forced enrollment policy without full device erasure (e.g., DFU restore)?


As a temporary workaround, I’ve added the following entries to `/etc/hosts`:


0.0.0.0 deviceenrollment.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 ipprofiles.apple.com
0.0.0.0 iprofiles.apple.com

This suppresses the enrollment prompts but also breaks legitimate MDM and configuration profile functionality.


Thank you for your support.


MacBook Pro 16″, macOS 15.7

Posted on Dec 24, 2025 7:40 AM
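As an added example, not part of the original post or any reply, here is a POSIX shell script for the first question above. macOS reports the local enrollment state with `profiles status -type enrollment`, and `sudo profiles show -type enrollment` prints the Automated Device Enrollment configuration Apple has on file for the device's serial, including the organization name; that second command asks Apple's enrollment service for the configuration, so the `/etc/hosts` sinkhole entries from the workaround have to be removed before it can answer. The script classifies the status output and lists which enrollment hosts a hosts file currently sinkholes. The sample command output and hosts lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Two defensive checks for a Mac that keeps showing an enrollment prompt:
#   1. classify what `profiles status -type enrollment` reports, and
#   2. list Apple enrollment hosts that /etc/hosts maps to a sinkhole
#      address (the thread's workaround), since those entries also block
#      legitimate MDM and profile traffic and the lookup that
#      `sudo profiles show -type enrollment` needs.

# Read `profiles status -type enrollment` output from stdin and print one
# classification: ADE_MANAGED, MDM_USER_APPROVED, MDM_ONLY or NONE.
classify_enrollment() {
    dep=no; mdm=no; approved=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)
                mdm=yes
                case "$line" in *"User Approved"*) approved=yes ;; esac
                ;;
        esac
    done
    if [ "$dep" = yes ]; then
        echo ADE_MANAGED          # serial is assigned in an ABM/ASM organization
    elif [ "$mdm" = yes ] && [ "$approved" = yes ]; then
        echo MDM_USER_APPROVED    # enrolled and approved by a local user
    elif [ "$mdm" = yes ]; then
        echo MDM_ONLY
    else
        echo NONE                 # also printed when the command gave no output
    fi
}

# Read a hosts file from stdin and print each Apple enrollment host that is
# mapped to 0.0.0.0, 127.0.0.1 or ::1, one per line.
sinkholed_enrollment_hosts() {
    while read -r addr name _rest; do
        case "$addr" in ''|'#'*) continue ;; esac
        case "$addr" in 0.0.0.0|127.0.0.1|::1) ;; *) continue ;; esac
        case "$name" in
            deviceenrollment.apple.com|mdmenrollment.apple.com|iprofiles.apple.com|ipprofiles.apple.com)
                echo "$name" ;;
        esac
    done
}

# Stand-alone run. On macOS the real command output is used (rerun with
# sudo if it prints NONE unexpectedly); elsewhere a constructed sample
# stands in so the script still executes.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null | classify_enrollment
else
    printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n' \
        | classify_enrollment
fi
if [ -r /etc/hosts ]; then
    echo "Sinkholed enrollment hosts in /etc/hosts (nothing listed = none found):"
    sinkholed_enrollment_hosts < /etc/hosts
fi
```

ADE_MANAGED is the state the thread describes: the serial is assigned to an organization in Apple Business Manager, and the prompt will return on every reinstall until that organization releases it, which is why the replies point to the seller rather than to a local fix.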


Dec 24, 2025 7:51 AM in response to kamelotnsk

Return the devices to whom they were purchased from.

Ask for a full refund.

Once the serial numbers of each of the devices have been registered and held in the MDM service database, the only true way to resolve the issue would be for the serial numbers to be removed from the MDM.

Even if you were able to identify which MDM, the trouble you would have to go through to possibly get the serial numbers removed could be fruitless and time-consuming.



Dec 24, 2025 9:54 AM in response to kamelotnsk

kamelotnsk wrote:

I don't understand how all the computers came to belong to one company, and what to do in such a situation? Maybe my iCloud account was hijacked?

Perhaps to get the serial number of the devices... but to what end? Have you received a ransom request? eBay has really strong buyer protections. Initiate the return process with eBay. As for a "commission store"... I have no idea what that is, but if you made the purchase without a return policy, that's on you.

Dec 24, 2025 10:50 AM in response to kamelotnsk

kamelotnsk wrote:

I bought two iMacs from eBay and a laptop from a commission store; initially, a problem arose on one of them. I have one account on all devices, and this problem appeared on all devices. All devices belong to the same company. I now live in another country, and there is no Apple Support in our country.

This is a huge problem and risk with buying used Macs. As for how the problem occurs on Macs obtained from different sources -- I can only speculate, but a collection of such improperly obtained computers could have been released for sale through multiple outlets. They are not necessarily stolen (but might be) -- if a school or business that had MDM for a number of (many) such Macs released them for sale through multiple outlets without properly unlocking them from MDM, then all of them could have this problem. By the way, the MDM issue does not always present itself immediately; some have reported it popping up years after normal, unimpeded use.


My employer has thousands of Macs in use, all under MDM (device enrollment), and when we turn in the Macs, they are (1) unenrolled from MDM, and then (2) completely wiped, erased, and formatted, and then (3) disposed of through used computer outlets or donated to local schools.


It is POSSIBLE that when you have multiple Macs linked through the same Apple ID and iCloud account, the MDM is "shared" or "synchronized" between them. Personally, I don't understand how that could work but it might be a possibility.


Also: please clarify. You originally posted that "All three Apple devices (2 iMacs and 1 MacBook) are personally owned by me and were purchased new directly (not second-hand)." But you also say that the two iMacs were purchased from eBay and the laptop from a commission store. So "eBay and a commission store" sound like sellers of used, NOT NEW, computers.


I don't think your three computers were purchased "new" (even if the seller said they were "new") by you and thus were obtained in previously used condition with still active MDM enrollment by the earlier owner. If you truly have the brand new bill of sale (receipt) from Apple or an Apple Authorized Service Provider, an Apple Store can help you remove the MDM. If not, I don't think there is a reliable way to remove it and you should pursue refunds, as others here have already suggested.

Dec 24, 2025 10:56 AM in response to kamelotnsk

By the way, using a computer with MDM (e.g. Microsoft Entra Automated Device Enrollment + SSO) will create big problems later on if not already. Many forms of MDM constrain what updates the user can apply and the MDM owner can even remotely lock or even erase the device. It is also a major security risk for a PERSONAL computer because all files are accessible remotely by the MDM owner. All your banking and password info is accessible remotely on an MDM device, there is no expectation of privacy. The MDM owner can even change the password remotely. I used MDM devices for my employer and NEVER had personal information like that on the work computer, for that reason. Employees of the IT department who manage MDM for the employer can access any or all of those devices remotely. I trust those employees but really have no idea who they are.


If your computers are really MDM enrolled, you have no expectation of privacy on them no matter how you encrypt or password protect them. All that can be undone remotely on MDM devices.

Dec 24, 2025 11:22 AM in response to kamelotnsk

Since you don't control these devices, you should follow all of the instructions in the following Apple article:

What to do before you sell, give away, trade in, or recycle your Mac - Apple Support


Without knowing who is in control of these MDM controlled devices, you may also want to change all of your passwords that you accessed while using these devices since they may be compromised.


Dec 24, 2025 11:40 AM in response to HWTech

HWTech wrote:

Since you don't control these devices, you should follow all of the instructions in the following Apple article:
What to do before you sell, give away, trade in, or recycle your Mac - Apple Support

Without knowing who is in control of these MDM controlled devices, you may also want to change all of your passwords that you accessed while using these devices since they may be compromised.

Excellent suggestions. Unfortunately, with certain types of MDM, MDM can be configured to prevent users from executing the steps indicated in the link you provided.

