The Curse of Non-Removable MDM
Non-removable MDM is a feature of Apple’s Device Enrollment Program (DEP) that locks in the MDM profile to the device, controlled by the is_mdm_removable
key in the enrollment profile. This is a great feature, especially if any users in your environment have admin permissions for their machines and you want to make expressly sure that they can’t remove the MDM profile - in an enterprise environment, the ability to restrict as much as possible is key to keeping your devices compliant and working. With this key set to false
, a user is unable to remove the MDM profile from the Profiles pane in System Preferences or with any terminal command and, with System Integrity Protection (SIP) in High Sierra protecting the /var/db/ConfigurationProfiles
folder, it now can’t be touched at all. This is great!
This is also not great, because computers are not perfect, MDM is not perfect, DEP is not perfect, and user migrations are a thing.
This MDM profile cannot be touched at all. It cannot be removed or altered, but it also cannot be replaced or overwritten. This means that all mechanisms for re-enrollment or re-application of the MDM profile will fail. Everything from sudo jamf mdm
in Jamf shops to sudo profiles renew -type enrollment
(sudo profiles -N
on regular Sierra) will return with a message like the one in the image above informing you that your current MDM profile exists and can’t be replaced. So how do you re-apply MDM? If you need to change the MDM enabled user (ie. after using Migration Assistant or Time Machine to restore a user to the machine) or something has just timed out and your user just isn’t downloading that configuration profile or VPP app? If you can’t send any commands from your MDM server (including the one to remove the profile in the first place) since your MDM is broken?
Well, in macOS Sierra, you remove that ConfigurationProfiles folder. Good old rm -rf /var/db/ConfigurationProfiles
. Reboot for safety, re-enroll with your DEP nag command of choice or whatever other mechanism you use to enroll devices. But in High Sierra, this folder is protected by SIP.
“I know how to disable SIP, though, why can’t I just do that?” You can. You should definitely not remove the whole folder (removing the whole folder breaks the ability to have configuration profiles on the machine forever), but if you disable SIP, you can rm -rf /var/db/ConfigurationProfiles/Store/
and re-enroll with your profiles
command while SIP is still disabled, and then turn SIP back on. This comes with a whole bucket of risks, though, some of which I’m not sure we’re willing to take. The machine needs to be able to connect to the internet in order to re-enroll, and I’ve seen and heard stories of things going wrong with SIP disabled even for a few minutes with minimal action taken - corrupt System keychains and entire System Preferences functions breaking are just two examples I’ve encountered while trying to execute this fix post-Migration Assistant that have led to wiping the entire machine and setting it up fresh for the user anyway.
Disabling SIP is also a function that can only be performed by the user on the machine physically touching it. You can’t remote in and boot to recovery and you can’t send it as a command or a script. If you aren’t physically with the machine, this is definitely a more complicated procedure than just two terminal commands in a live environment (that can even be scripted and cached!), and maybe you don’t want to teach your users how to disable SIP or risk that they won’t turn it back on. So how do we solve this in a live environment, running 10.13+, that can’t receive MDM commands on the correct user (or at all)?
There’s no way to deal with this, outside of disabling SIP, except with prevention. You can keep your High Sierra adoption rate low. You can choose to not use VPP-only apps (or distribute repackaged versions instead using a mechanism like Munki). You can choose to not make changes to your configuration profile setup after the initial deployment. But even with avoiding as many MDM features as possible, your enrollment may just stop working at some point and you may need to re-enroll, and if the only solution is disabling SIP and re-enrolling…to me, that’s a hack, not a solution.
There are a couple real solutions to this problem that I can think of off the top of my head. The one that seems most likely to work is for MDM services to figure out how to do everything without an MDM enabled user, so there’s never a need to re-enroll so long as there’s that system level MDM profile there somewhere. The other is for Apple to reconfigure the way non-removable MDM works to allow it to be replaceable using the profiles renew
command but not removable or replaceable under any other circumstances. But those are just two ideas. The people at Apple (and at Jamf) are making best-in-class products, so I firmly believe they are smarter and more innovative than me in regards to coming up with ways to fix this issue.
It doesn’t matter how it gets fixed really, so long as I don’t have to live in fear of imperfect systems failing and there being no good way to fix them for another year after 10.14 hits. Someday, Apple will stop supporting El Capitan and Sierra. Someday, you won’t be able to downgrade new machines from High Sierra to Sierra. That day, unless this is solved, either we will all have to make our DEP MDM profiles removable and hope the users leave them alone, or resign ourselves to wiping machines or taking a chance on disabling SIP every time MDM breaks. I’ve got my fingers crossed.
Radar #40520642 from me specifically focuses on the fact that there is no recourse to enable MDM for a newly migrated-with-Migration-Assistant user with DEP non-removable MDM on the receiving machine. In addition to Twitter, I’m also @crystallized on the MacAdmins Slack, so feel free to pop by with questions!
Why I Still Wear My Apple Watch
When I thought about making this my first blog post, this series of texts from Grant from about a year ago came immediately to mind:
Matt said I should write a blog about office management and Google Apps and managing people, so of course my first post is about Apple Watch. WWDC is coming up though, and for all the posts I’ve read about why someone sold or stopped wearing their Watch, I haven’t seen a lot about continued use. I’ve worn my Watch almost every day since I received it a year ago - in 12 months I’ve only missed 15 days. I put it on before I leave my apartment and take it off before I go to sleep, it charges overnight, and I put it back on again the next morning. Those 15 days that I missed wearing it? They were all days that I didn’t leave the house. I’ve left my phone at home and still worn my Watch! So, why am I so loyal to my Watch when so many others have discarded it?
Telling Time
Telling time is the primary function of a watch, and I think Apple Watch does it splendidly. I use the Modular face, have since I got it, and being able to flip up my wrist, see the time in bright white on black super easily, and then return to what I was doing is something I actually never experienced prior to the Apple Watch. I wore a waterproof digital watch as a youngster (with a button to illuminate the face) but of course sometimes I would press one of the other buttons by accident, or just try to squint at it instead. I wore that watch until the day its batteries died and I couldn’t get them replaced, and never got a new one. Cell phones were a thing by then, I had one, and decided to just tell time with it.
Telling time with a phone, even an iPhone, is actually kind of annoying. You have to get your phone and press a button, and then press it again to turn it off. You have to do this every time you want to know what time it is. Whether it’s in your pocket or a purse or just sitting on the table in front of you, it’s a little bit annoying, and definitely noticeable to anyone with you. I know the wrist twist is buggy and doesn’t always work, but even tapping my Watch with my fingers to see the time is faster than pulling out my phone, and less terrible for my social life - the next reason to love the Watch.
Seamless Notifications
In the days before Apple Watch, feeling my phone buzz in my pocket or ding from my bag meant I had two options: I could retrieve it from its location, see what the notification was, and inevitably act on it, or I could ignore the notification and spend some amount of time wondering if it was important. If I was in a group setting like dinner or drinks and took my phone out, well, that was it, I was on Twitter and IRC and back in my antisocial digital world - but if I ignored it, the anxiety over importance ensued.
The Watch has totally changed the way I interact with humans face-to-face. Now, when I’m out on a date or talking to a friend and I get a notification, it taps my wrist (no phantom pocket buzzes anymore either!), I glance at it, and then if it’s important, I’ll ask to take care of it the next time there’s a pause in conversation. I can tell very quickly if it’s important, and the interface is such that even if I do scroll the notification, I’m not exactly going to go on Twitter from there and try to get absorbed in my wrist. Almost everyone I’ve talked to who still wears their Watch mentions notifications being one of their few reasons, but there’s another reason why notifications on the Watch are so awesome for me.
Girl Pockets
Also, dresses. Even the iPhone 4S didn’t fit particularly well in my jeans pockets, so the 6 has always been right out. Before the Watch, I would go to work and pull my phone out of my purse, plug it in, and leave it on my desk. If I went elsewhere in the office for a while (as I often did, being the office manager and general doer of things) I had the option to shove my phone uncomfortably in my pocket, to carry it with me in my hand and then put it down next to me somewhere, or to leave it on my desk. The day I was assembling the ping pong table out on the deck was a rough day for my phone - I left it on my desk at first and missed many hours of questions, so I moved it to the deck floor next to me where it got kicked around, a lot, then rained on, etcetera, it was very sad.
The Watch changed all of that. The other day at work I was unpacking a new FreshDirect order over in the kitchen, and my phone was plugged into my laptop over on my desk. But while I was unpacking, a question on Slack came right to my wrist, and I was able to put down what I was doing and go answer it. Without the Watch I wouldn’t even have known about the question until I made it back to my desk, and while in this instance I would have been back in ten minutes and it wasn’t a vital question, there certainly are circumstances in which a notification could be time-sensitive and the Watch would be a life-saver.
The last note on girl pockets and the Watch is about purses. When my phone is in my purse, half the time I won’t even hear a notification - bars, grocery stores, subway stations, and even the sidewalks of NYC are all loud places. I’ll think I feel vibrating when I don’t, and won’t feel or hear anything when there is a notification. Though rarely if I’m wearing a thick coat I won’t notice the taps from the Watch anyway, there has been a much higher success rate of notifications actually getting to me when I’m out ever since I started wearing the Watch.
Management
So I guess I can tie the Watch back to office management after all, because the Watch actually has made me a more efficient office manager! By getting notifications on my wrist instead of at my desk, I’ve become able to answer them more quickly during the workday. By having the Watch when I’m out and about, I can see if a notification is a text from a friend for later or something from work that is in dire need of response, and never miss something that actually is important. Reminders and calendar notifications on the Watch keep my time organized when away from my phone, which is useful because times when my phone is actually in my pocket are few and far-between. Even the fitness function has helped me become a better office manager - when it’s time to stand, I have to take at least a minute walking around the office and seeing if there’s anything to tidy or fix. The convenience to my job of having the vital functions on my phone on my wrist cannot be overstated. If you’re the kind of person who doesn’t carry your phone on your person all the time and you find yourself thinking your job could be easier or you could be more efficient if only your information was closer at hand, find one of the people who never wear their Apple Watches anymore and see if they’ll let you borrow it. And then keep it. Forever.
Here We Go Again
me, telling Matt about organizing shirts
“You should write a blog about this!”
me, talking to Matt about my day at work dealing with hunting down a missing ping pong table
“This would make a really good blog post!”
me, complaining about the strange ways in which Google Apps work (or don’t)
“I bet people would totally read this blog.”
So, here we are. While the pictures were pretty, the hover
very clever, and the rainbow of social icons were the Apple Watch layout before Apple Watch was a thing, it’s probably about time I put my domain to good use.
Stay tuned!