Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 8 subscribers
  • Views 14455 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Restrict or block MDM profile remove iOS

LirikVeigroeg

Hi,
I'm supporting SMC infrastructure with IOS devices.
I found in the forum in the upcoming v.6.1 unenrollment can be disabled by admin. What about MDM profile remove from Settings/General/Profile.

In to initial setup of SMC there is not way to block it, only for the next apllied profiles, such like Restrictions, Password, VPN, EAS, etc.

Many thanx,

Lirik



This thread was automatically locked due to age.
  • 0

    Hi Lirik,

    on iOS it is not possible to disable the deletion of the mdm_enrollment profile.
    This is by design of Apple. With SMC 6.1 only the "unenrollment" button within the app will be disabled. Manually removing the profile will still be possible.

    Best regards
    Stefan

  • 0

    Unless you enroll your devices via Apple DEP and make the profiles not removable, this cannot be achieved.

    Apple divides the world in two user groups:

    • User administered devices (e.g. BYOD). The user allows the MDM to manage their device. a lot of configurations can be done, but the user's ability to work with the device is not limited by corporate settings. The management can be removed at any time
    • Corporate devices, usually supervised. Owned by the company, enrolled via DEP or Apple Configurator, with deep control for the company. Requires factory reset to move in or out of that state. The company has better control of what can be configured on the device, including disabling the device unenrollment via Settings > General > Profile
  • 0 in reply to TLI

    Hello,

    Thank you for the feedback.

    We are using corporate owner aproach. Devices are supervised with Apple Configurator and Enrolled with SMC by administrator. Unfortunatelly, in Settings > General > Profile there is option to remove it. Only cannot be removed applied restrictions and configurations with SMC profiles. I did not find way to restrict MDM profile remove from Settings > General > Profile. As far as I understood in v.6.1 of SMC they will option to disable Unenroll from SMC client app.

    If you have guide how to configure disabling of profile removal via Apple Configurator, will be apreciated.

    Best,

Unfiltered HTML