Block removal of Hexnode profile from Mac devices (Solved)

Participant
Discussion
5 years ago

How can I prevent users from deleting a profile pushed via MDM from the Mac System Preferences?

Replies (3)

Hexnode Expert
5 years ago

Hey, thanks for reaching out to us.

You can protect the profile by protecting it with a password.

Please navigate to macOS –> Restrictions. Click on Configure. Check the box ‘Ask for a password when removing policy’ under ‘MDM Administration’.
A default password would be set in the box below. You can change this password if you wish to.
The user will be prompted to enter this removal password when he tries to remove a profile from the System Preferences of the Mac device.

Cheers!
Grace Baker
Hexnode MDM

Participant
3 years ago

Hi Hexnode MDM team,

Is it possible to prevent deletion of the Hexnode MDM profile? I created additional profiles and followed the instruction above (macOS –> Restrictions. Click on Configure. Check the box ‘Ask for a password when removing policy’), but if I remove the Hexnode MDM profile the additional profiles are also deleted. One more question: if someone steals the laptop and deletes the Hexnode MDM agent, how will I be able to find the laptop when the agent is deleted? What about options like wipe or lock device? They’re available if the agent works on the laptop.

[Screenshot 2021-07-06 at 19.20.20]
[Screenshot 2021-07-06 at 19.08.49]

Hexnode Expert
3 years ago

Hi Basel,

Hope you are doing well,

The “Hexnode MDM” profile, which can be seen in the screenshot shared in your comment, would be the main configuration profile with which Hexnode is able to control the device. Removing this from the device would be equivalent to disenrolling the device, and hence all configurations that were set on the device would be removed as well. After this has been removed, there would no longer be any communication between the device and the portal. Therefore, features like lock device, wipe, scan device location, etc. would not work if the device was stolen and the MDM profile removed.

Please note that the option to set a password from macOS –> Restrictions is applicable only to the various policy configurations that you have set on the device and not to the “Hexnode MDM” profile. This option would help prevent users from removing only the policy profiles; however, the removal of the Hexnode MDM profile will not be prevented by making use of this restriction.
In order to make this unremovable, you would have to enroll the devices via the Apple Device Enrollment Program. Please note that this would require you to have an ABM account, and your Mac devices should be purchased directly from Apple or from authorized resellers. Doing this, your device would enable you to ensure that you are able to identify the device as a corporate-owned device.
Devices not enrolled via DEP are considered personal devices and hence the profile would be removable. This flow has been set by Apple’s MDM protocol.

If you are unable to get your devices enrolled via DEP, you could use a workaround by blacklisting the System Preferences app on your Mac devices from Policy > macOS > Blacklist/Whitelist. However, this would prevent your users from accessing the settings on the device as a whole.
On an added note, in the later macOS versions (10.15 and later) only the “Hexnode MDM” profile can be removed from the device while the others would be greyed out by default. This was a step taken by Apple to secure the profile installation on the devices.

Please do let us know if you need any further assistance.

 

Cheers,

Bob Smith

Hexnode MDM
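
The DEP versus non-DEP distinction described in the reply above can be checked on each Mac with the built-in `profiles status -type enrollment` command. The script below is an added example, not part of the thread and not Hexnode's own tooling: it classifies that command's output, and the state names, function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `profiles status -type enrollment` output (read on
# stdin) into one word, following the distinction drawn in the reply above:
#   dep-enrolled   - enrolled through DEP/ABM (corporate-owned path)
#   user-removable - MDM-enrolled but not via DEP (treated as a personal device)
#   not-enrolled   - no MDM enrollment, so lock/wipe/locate cannot reach it
#   unknown        - expected fields missing from the output
classify_enrollment() {
    awk -F': *' '
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }   # tolerate indent and CRLF
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (mdm == "")         print "unknown"
            else if (mdm ~ /^No/)  print "not-enrolled"
            else if (dep ~ /^Yes/) print "dep-enrolled"
            else if (dep ~ /^No/)  print "user-removable"
            else                   print "unknown"
        }'
}

# Constructed sample outputs (hypothetical server URL), one per state.
sample_dep() {
    printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n'
    printf 'MDM server: https://mdm.example.invalid/checkin\n'
}
sample_manual() {
    printf 'Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n'
    printf 'MDM server: https://mdm.example.invalid/checkin\n'
}
sample_removed() {
    printf 'Enrolled via DEP: No\nMDM enrollment: No\n'
}

# Show the classification of each constructed sample.
for s in sample_dep sample_manual sample_removed; do
    echo "$s -> $($s | classify_enrollment)"
done

# On a real Mac, classify the live enrollment state as well.
if command -v profiles >/dev/null 2>&1; then
    echo "this Mac -> $(profiles status -type enrollment 2>/dev/null | classify_enrollment)"
fi
```

Run across a fleet, a `user-removable` result flags the Macs where the enrollment profile can be deleted by the user, and `not-enrolled` on a device that should be managed indicates the profile has already been removed.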
