shadisoft
Level 1 (0 points)

Q: Block removal of mdm profiles

Hi..

 

I am on iOS 9 and trying to somehow prevent users from removing the MDM profile installed by MobiControl.

 

I know this was not possible before, and I want to confirm if with iOS 9 it still isn't possible except if we use DEP... We already have many iPads and DEP only applied to new units from a third party.. Or can I use DEP at our enterprise to lock the MDM profile for our existing units?

 

I tried to push a profile with a password for profile removal but that didn't work either.

 

Any help would be appreciated.

 

Thanks...

Posted on Oct 21, 2015 12:29 PM

Close
shadisoft

Q: Block removal of mdm profiles

  • All replies
  • Helpful answers

  • by jbhnrh,Helpful

    jbhnrh jbhnrh Oct 22, 2015 5:20 AM in response to shadisoft
    Level 1 (105 points)
    Oct 22, 2015 5:20 AM in response to shadisoft

    You are correct. Only DEP enrolled devices cannot have their MDM profiles removed. This is by design. Apple believes end-users should be able to opt out of any MDM, unless that device is enrolled in DEP.

  • by shadisoft,

    shadisoft shadisoft Oct 22, 2015 5:20 AM in response to jbhnrh
    Level 1 (0 points)
    Oct 22, 2015 5:20 AM in response to jbhnrh

    Any way for MDM admins to configure ipads before they are distributed to enterprise users with a setup like DEP to prevent removal of MDM profile? We have many devices that were purchased that we already own in stock that we want to lock?

     

    Thanks,

  • by jbhnrh,

    jbhnrh jbhnrh Oct 22, 2015 5:58 AM in response to shadisoft
    Level 1 (105 points)
    Oct 22, 2015 5:58 AM in response to shadisoft

    Profiles created by Apple Configurator can be password protected or can be told to be "never" removable. You can administer with Apple Configurator however the devices will have to be synced directly to a Mac running the Configurator software. Configurator allows the restrictions of various settings (disallowing app store, various app restriction, turning off the camera, configuring wifi, etc.)

     

    Configurator can also push out MDM profiles but if that MDM solution isn't enrolled with DEP then the MDM profile will be removable as said above.

  • by shadisoft,

    shadisoft shadisoft Oct 22, 2015 6:10 AM in response to jbhnrh
    Level 1 (0 points)
    Oct 22, 2015 6:10 AM in response to jbhnrh

    Thanks for the info.

     

    I also use Apple Configuration Tool to supervise... But if used, that means that whatever policies I do in the Apple tool, they cannot be changed by the MDM. so I guess I have to find the right balance where I fix some rules in apple configurator, and leave some open for MDM to change.

     

    Thanks,

  • by shadisoft,

    shadisoft shadisoft Oct 22, 2015 7:58 AM in response to shadisoft
    Level 1 (0 points)
    Oct 22, 2015 7:58 AM in response to shadisoft

    Any change iOS 9.1 changed anything to do with protecting the MDM profile?

  • by jbhnrh,Helpful

    jbhnrh jbhnrh Oct 23, 2015 9:53 AM in response to shadisoft
    Level 1 (105 points)
    Oct 23, 2015 9:53 AM in response to shadisoft

    Not really, other than the fact the Apple Configurator 2 has now been released which makes it easier to enroll devices into MDM solutions when they are first deployed.

     

    If you are using MDM your best bet is to contact the vendor you bought the devices thru and see about enrolling in the DEP program. It really is the best way for managing massive numbers of iPads.

  • by BlueMnMnM,

    BlueMnMnM BlueMnMnM Oct 19, 2016 9:30 PM in response to jbhnrh
    Level 1 (4 points)
    Oct 19, 2016 9:30 PM in response to jbhnrh

    If you have already purchased and supervised ipads using configurator2, is it possible to arrange DEP on the existing devices so the profile cannot be removed?