Can Apple Configurator prevent removal of the management profile?

jbhnrh wrote:

There are now two ways profiles cant be removed:

1. The profile was CREATED by Apple Configuator and is password protected

2. The profile is LINKED to a MDM profile that is ENROLLED with DEP.

Neither of these can be removed. If it is a MDM profile but is not enrolled with DEP then the profile will ALWAYS be removable, and that is by design. Apple believes end users should have the OPT-OUT option, unless the devices is enrolled in DEP.

How do you know this?! Where in the world is this actually stated in the documentation? Why doesn't the stupid Server software throw an error and warn you that it's not going to work as intended, if the "MDM profile" (whatever that is) is not enrolled in DEP?

I don't understand. The documentation clearly says that as long as the iOS device is "supervised" then it should be fine. Well, my device is supervised; I set it up to be supervised in the Configurator. Then the Configurator downloads the profile from the server onto the device during the "Preparation" phase. So why can we still erase the **** profile off the device?

This is so frustrating. Why can't Apple do their dang jobs and write adequate documentation for this stuff? If that's going to be their policy then why don't they just say so, so that people don't waste entire days of their lives trying to make it work and diligently following the directions, to no avail? It's so stupid!

In Apple Configurator, go to File > New Profile. Under General, there is an option for Security. Click the pop-up menu and choose the option you want for removal: "With Authorization" or "Never." If you choose "With Authorization" a field is added for you to enter a password. Type carefully because there is no field for confirming the password.

Note: The profile must be installed by Apple Configurator for the removal restriction to stay in effect. If you import the profile into a third-party MDM and then push it out to the iPad, the profile becomes part of that MDM's management profiles and removing the management will remove the profile. Installing it with Configurator keeps it separate from the MDM. Unfortunately, that also means remote removal will not be possible.

Hi jbhnrn,

Can you please let me know how The profile was CREATED by Apple Configuator and is password protected?

Could you please provide the procedures? Thanks in advance.

We were never able to prevent certain profiles from being removed. I can't remember exactly how they were configured, unfortunately, but when we had iPads in the hands of students, the management profile contained the credentials for the student wireless network. Removing the profile would remove internet access from the device, rendering it pretty useless at school.

Is the management profile being created outside of Apple Configurator and being imported in?

~Lyssa

Have you tried building the profile in Configurator? Maybe that's the missing piece.

I'm 90% sure what you wish to do is not possible, but I haven't used the profile portion of Configurator for over a year and something may have changed.

~Lyssa

There are now two ways profiles cant be removed:

1. The profile was CREATED by Apple Configuator and is password protected

2. The profile is LINKED to a MDM profile that is ENROLLED with DEP.

Neither of these can be removed. If it is a MDM profile but is not enrolled with DEP then the profile will ALWAYS be removable, and that is by design. Apple believes end users should have the OPT-OUT option, unless the devices is enrolled in DEP.

I think he ment the Archive-Create Profile option.

Then under security in the first tab you can setup a password.(this is only for restriction profile/wifi etc)

Not MDM profile,what we actually are looking for.