@jklock

jklock commented Aug 26, 2025

Throwing this one out for the homies

I recently helped out an old lady who got a second-hand computer from her grandkid, and it had an MDM profile / DEP screen that stole the mouse and keyboard input. I did not wipe the machine or reinstall macOS; I used recovery mode plus the root account. The machine was an M1 MacBook Air running macOS 14.7.8 that was hard stuck at DEP enrollment (it would lock you out after 10 seconds). If you want to run the script at the end, you will need to leave csrutil disabled (which I disabled as part of this exercise). Otherwise, after you have validated that you are back in and working, just enable it again and reboot.

Recovery Mode

##################################################################################
# RECOVERY: unlock the Data volume, clear ADE/MDM state, block Apple endpoints,
# sync Preboot (important with FileVault), then reboot. Make sure to note diskXsY.
##################################################################################

# 1) Identify and unlock the FileVault Data (Macintosh HD - DATA) volume
diskutil apfs list
diskutil apfs unlockVolume diskXsY -passphrase "YOUR_FILEVAULT_PASSWORD"

# 2) Flip ADE state on the Data volume.
#    If either cd below fails, STOP: the rm that follows would run in whatever
#    directory you happen to be in.
cd "/Volumes/Macintosh HD - Data/var/db/ConfigurationProfiles/Settings" || echo "cd FAILED - do not run the rm"

rm -rf ./.*     # rm refuses to remove . and .. and only warns; that is expected
rm -rf ./*

touch .cloudConfigProfileInstalled
touch .cloudConfigRecordNotFound

# 3) Remove any already-installed MDM profiles from the local store (they live under Store/).
cd "/Volumes/Macintosh HD - Data/var/db/ConfigurationProfiles/Store" || echo "cd FAILED - do not run the rm"

rm -rf ./.*
rm -rf ./*      # note the ./ prefix: a bare /* would wipe the whole volume

# 4) Ensure Setup Assistant won’t rerun
touch "/Volumes/Macintosh HD - Data/var/db/.AppleSetupDone"

# 5) Block Apple Automated Device Enrollment endpoints
echo "0.0.0.0 deviceenrollment.apple.com" >> "/Volumes/Macintosh HD - Data/etc/hosts"
echo "0.0.0.0 mdmenrollment.apple.com"   >> "/Volumes/Macintosh HD - Data/etc/hosts"
echo "0.0.0.0 iprofiles.apple.com"       >> "/Volumes/Macintosh HD - Data/etc/hosts"

# 6) Sync Preboot with updated Data volume
diskutil apfs updatePreboot diskXsY

# 7) Reboot
reboot

Normal macOS (not recovery)

################################################################################
# NORMAL macOS: disable enrollment daemons/agents so they can’t reassert nag state
################################################################################

# 1) Disable and stop system daemons
sudo launchctl disable system/com.apple.ManagedClient.cloudconfigurationd
sudo launchctl bootout  system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true

sudo launchctl disable system/com.apple.ManagedClient.daemon
sudo launchctl bootout  system/com.apple.ManagedClient.daemon 2>/dev/null || true

# Present on some builds; safe even if absent
sudo launchctl disable system/com.apple.ManagedClient.enroll 2>/dev/null || true
sudo launchctl bootout  system/com.apple.ManagedClient.enroll 2>/dev/null || true

# 2) Disable and stop per-user agents
for uid in $(dscl . -list /Users UniqueID | awk '$2>=501 {print $2}'); do
  sudo launchctl disable gui/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl bootout  gui/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl disable user/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl bootout  user/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
done

# 3) Quick checks
csrutil status
sudo profiles show -type enrollment
grep -E 'deviceenrollment|mdmenrollment|iprofiles' /etc/hosts
ls -al /var/db/ConfigurationProfiles/Settings

One-time setup script:

# =====================================================================
# ONE-TIME SETUP Script baby
# =====================================================================

# 0) Root-owned place for the script
sudo mkdir -p /usr/local/sbin
sudo chown root:wheel /usr/local/sbin
sudo chmod 755 /usr/local/sbin

# 1) Create the enforcement script (no deletes; only disable + add/ensure)
sudo tee /usr/local/sbin/mdm_enforce.sh >/dev/null <<'SH'
#!/bin/sh
set -e

SETTINGS="/var/db/ConfigurationProfiles/Settings"
HOSTS="/etc/hosts"

# ---------- A) Disable/stop ManagedClient daemons (system) ----------
launchctl disable system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true
launchctl disable system/com.apple.ManagedClient.daemon 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.daemon 2>/dev/null || true
launchctl disable system/com.apple.ManagedClient.enroll 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.enroll 2>/dev/null || true

# ---------- B) Disable/stop agents for ALL real user IDs ----------
# (covers both gui/UID and user/UID; safe no-ops if not present)
USER_IDS=$(/usr/bin/dscl . -list /Users UniqueID 2>/dev/null | /usr/bin/awk '$2>=501 {print $2}')
for USER_ID in $USER_IDS; do
  launchctl disable "gui/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl bootout  "gui/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl disable "user/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl bootout  "user/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
done

# ---------- C) Ensure spoof flags exist (no removal) ----------
/bin/mkdir -p "${SETTINGS}"
/usr/bin/touch "${SETTINGS}/.cloudConfigProfileInstalled"
/usr/bin/touch "${SETTINGS}/.cloudConfigRecordNotFound"

# ---------- D) Keep Setup Assistant marked complete ----------
/usr/bin/touch /var/db/.AppleSetupDone

# ---------- E) Ensure ADE endpoints are blocked (idempotent) ----------
/usr/bin/grep -q 'deviceenrollment.apple.com' "${HOSTS}" || echo "0.0.0.0 deviceenrollment.apple.com" >> "${HOSTS}"
/usr/bin/grep -q 'mdmenrollment.apple.com'   "${HOSTS}" || echo "0.0.0.0 mdmenrollment.apple.com"   >> "${HOSTS}"
/usr/bin/grep -q 'iprofiles.apple.com'       "${HOSTS}" || echo "0.0.0.0 iprofiles.apple.com"       >> "${HOSTS}"

exit 0
SH

sudo chmod 755 /usr/local/sbin/mdm_enforce.sh
sudo chown root:wheel /usr/local/sbin/mdm_enforce.sh

LaunchDaemon to auto-run:

sudo tee /Library/LaunchDaemons/com.local.mdm_enforce.plist >/dev/null <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.local.mdm_enforce</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/sbin/mdm_enforce.sh</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>StartInterval</key>
  <integer>900</integer>
  <key>StandardOutPath</key>
  <string>/var/log/mdm_enforce.log</string>
  <key>StandardErrorPath</key>
  <string>/var/log/mdm_enforce.log</string>
</dict>
</plist>
PLIST

sudo chown root:wheel /Library/LaunchDaemons/com.local.mdm_enforce.plist
sudo chmod 644 /Library/LaunchDaemons/com.local.mdm_enforce.plist

# load and kickstart it right away
sudo launchctl bootstrap system /Library/LaunchDaemons/com.local.mdm_enforce.plist
sudo launchctl enable system/com.local.mdm_enforce
sudo launchctl kickstart -k system/com.local.mdm_enforce
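
An audit script to go with the procedure above (added here as an example; it is not part of the gist and not jklock's code). It looks for the artefacts the steps leave behind so the bypass can be verified after the reboot, or found on a machine where nobody expected it: sinkholed ADE hosts in /etc/hosts, the hand-written marker files in ConfigurationProfiles/Settings, and non-Apple LaunchDaemons whose program touches enrollment state. ROOT is "/" for the live system or the mount point of an offline Data volume. The function names, the regexes and the choice of indicators are this example's own; the sample hosts file, marker files and plist are constructed in the test, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the gist: audit a Mac (live or an offline Data volume
# mounted under ROOT) for ADE/MDM bypass indicators.
set -u

ADE_HOSTS="deviceenrollment.apple.com mdmenrollment.apple.com iprofiles.apple.com"

# Print each ADE endpoint that is sinkholed (0.0.0.0 / 127.0.0.1 / ::1) in a hosts
# file, ignoring comment lines. Returns 0 if at least one is sinkholed.
sinkholed_ade_hosts() {
    hosts_file=$1
    rc=1
    for h in $ADE_HOSTS; do
        h_re=$(printf '%s' "$h" | sed 's/\./\\./g')   # escape dots for the regex
        if grep -Ev '^[[:space:]]*#' "$hosts_file" 2>/dev/null |
           grep -Eq "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1|::1)[[:space:]]+([^#]*[[:space:]])?${h_re}([[:space:]]|$)"; then
            echo "$h"
            rc=0
        fi
    done
    return $rc
}

# Print the ADE marker files present under a Settings directory. Returns 0 if any
# is there. Both together is the tell: "profile installed" and "no record at
# Apple" are contradictory, so cloudconfigurationd would not normally write both.
spoof_markers() {
    settings_dir=$1
    rc=1
    for f in .cloudConfigProfileInstalled .cloudConfigRecordNotFound; do
        if [ -e "$settings_dir/$f" ]; then
            echo "$f"
            rc=0
        fi
    done
    return $rc
}

# Print non-Apple LaunchDaemons whose program references enrollment services or
# Apple hosts (the enforcement daemon above is the model). Program paths are
# resolved under $root so an offline volume can be audited. Returns 0 if found.
enforcer_daemons() {
    root=$1
    rc=1
    for plist in "$root"/Library/LaunchDaemons/*.plist; do
        [ -f "$plist" ] || continue
        case "${plist##*/}" in com.apple.*) continue ;; esac
        # every <string> holding an absolute path is treated as a candidate program
        for prog in $(grep -o '<string>/[^<]*</string>' "$plist" | sed 's/<[^>]*>//g'); do
            if [ -f "$root$prog" ] &&
               grep -Eq 'ManagedClient|ConfigurationProfiles|apple\.com' "$root$prog"; then
                echo "$plist -> $prog"
                rc=0
            fi
        done
    done
    return $rc
}

# Live-system checks; silently skipped where the tools do not exist (offline
# volume, non-macOS host). Run as root for complete output.
live_checks() {
    command -v csrutil   >/dev/null 2>&1 && csrutil status
    command -v profiles  >/dev/null 2>&1 && profiles status -type enrollment
    command -v launchctl >/dev/null 2>&1 &&
        launchctl print-disabled system 2>/dev/null | grep -i managedclient
    return 0
}

# Run every check against ROOT. Returns 0 when clean, 1 when indicators exist.
audit() {
    root=${1:-/}
    hits=0
    echo "== sinkholed ADE hosts in $root/etc/hosts"
    sinkholed_ade_hosts "$root/etc/hosts" && hits=1
    echo "== ADE marker files in $root/var/db/ConfigurationProfiles/Settings"
    spoof_markers "$root/var/db/ConfigurationProfiles/Settings" && hits=1
    echo "== non-Apple LaunchDaemons that touch enrollment state"
    enforcer_daemons "$root" && hits=1
    if [ "$root" = / ]; then live_checks; fi
    if [ "$hits" -eq 0 ]; then echo "RESULT: no bypass indicators"; else echo "RESULT: bypass indicators present"; fi
    return "$hits"
}

audit "${1:-/}"
```

Run it as `sudo sh mdm_bypass_audit.sh` on the live machine, or `sh mdm_bypass_audit.sh "/Volumes/Macintosh HD - Data"` against a volume unlocked from Recovery; the exit status (0 clean, 1 indicators) makes it usable from a fleet check as well as by hand.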

@tuaris

tuaris commented Sep 5, 2025

Careful with those rm -rf ./.*, rm -rf ./* and rm -rf /* commands; they look like they might delete more than you are expecting. I'm talking especially about that last one. There's a typo.

rm -rf ./.*
rm -rf /*

Is there any way to install macOS without Internet access after erasing the volume?

@spoved-aws

Anyone able to upgrade to macOS Tahoe from the App Store?

@BurakcanA

> Anyone able to upgrade to macOS Tahoe from the App Store?

Waiting for the same question as well.

@eechukwu

[two screenshots of the enrollment prompt attached]
I just tried it on my test MacBook Pro, and the enrolment message popped up.

@andreipricope

> I just tried it on my test MacBook Pro, and the enrolment message popped up.

Can you still use the device if you get the enrol message?
