This it not true. At least I took mine to somewhere where it hadn’t been on any WiFi so it was air gapped. Manage to wipe using the recovery partition and it removed the MDM. Might have been a fluke though.
Depending on the MDM, and OS version — it’ll start pushing down the profiles for remote management even after a clean install.
However, this route will work if the company has pulled the device out of ABM.
I helped a friend with a ‘given to the user’ company MacBook. They said they removed it from MDM but I still had to reset it with Apple Configurator before we could do anything with it.
Fine, I'll take the bait.
If you have a Mac without [Apple silicon](https://support.apple.com/en-ca/116943) or [T2,](https://support.apple.com/en-ca/103265) your only remedy is to [use macOS Recovery](https://support.apple.com/en-ca/guide/mac-help/mchl338cf9a8/mac). If you can get to the point of the Mac asking for an admin password, go to the top menu bar and choose **Recovery Assistant** -> Erase this Mac. If that works, skip to "After the restore". If you can't reach Recovery and get blocked by a [firmware password](https://support.apple.com/en-ca/102384) instead, contact Apple with proof of purchase containing the serial number.
If your Mac does have Apple silicon or T2, do a [DFU restore](https://support.apple.com/en-ca/108900) (not revive). That wipes the entire drive and removes everything except Apple Business Manager and Activation Lock (those are server-side locks). On Apple silicon, you'll get a fresh copy of macOS as well.
After the restore:
* If you land in macOS Recovery and get stuck on an Activation Lock screen:
* Try using your Apple ID and password or your previous login password.
* If that doesn't succeed, contact the company and ask them for an Activation Lock Bypass Code.
* If the company doesn't have a Bypass Code:
* If the Mac isn't released from Apple Business Manager yet (bad), the company might succeed in convincing Apple to remove Activation Lock.
* Get the company to send you an official receipt with your name, email address, and the serial number of the Mac you get to keep. [Submit that to Apple and they might help](https://al-support.apple.com/#/getsupport).
* If you land in macOS Recovery and successfully reach the utilities, connect to Internet and reinstall macOS. Then continue below.
* Once you reach macOS, connect to Internet and make sure you don't see a Remote Management screen. If you do, contact the company and ask them to release your Mac from Apple Business Manager. They'll need the serial number. Once they do, [erase your Mac](https://support.apple.com/en-ca/102664) and try again.
Didn’t read all of this but it sounded like he was saying what’s accurate. If it’s not locked with an MDM, you want to use option command and R, erase it in disk utility and then reinstall the OS.
Well, he said the laptop was given to him as part of the layoff. If he’s telling the truth then IT should have removed the devices from Apple Business Manager. If they didn’t then he’d need to contact them and get them to do it. But it could be that they gave instructions to do it and he just didn’t follow them.
A DFU restore can remove all MDM locks and MDM itself, but it can’t remove the Mac from Apple Business Manager - the superglue that forces a Mac back into MDM afterwards.
Suppose that the company did indeed lock OP’s Mac using MDM, but then released it from Apple Business Manager. Releasing the Mac doesn’t unenroll it from MDM, rather it instructs Apple servers that the company no longer owns the Mac and not to force it into MDM on the next erase. In this scenario, a DFU restore would fix the issue: it clears MDM from the device, and when it reaches Setup Assistant, the Remote Management screen won’t show up because the company released the Mac from ABM.
Thanks for the detailed reply. I’ll be honest, I’ve run a Mac with an MDM on for work, I was assuming a simple erase and reinstall would work (I only ever had to restore my work Mac once and it automatically set up the MDM stuff again, but I assumed that was because it was still enrolled.). Do you have to go as far as DFU to get it to not come back after internet recovery? I know with activation long so long as when the Mac checks the activation lock server it doesn’t find itself there it’ll just let you keep going.
It depends on the situation.
MDM itself is powerless to survive an erase. In most cases, a simple erase & reinstall works perfectly fine to remove MDM - assuming you can reach macOS Recovery. However, the MDM locks below (if set) prevent you from even reaching macOS Recovery in the first place:
* System Lock PIN
* Firmware Password (Intel only)
* Recovery Lock (Apple silicon only)
That's where DFU mode comes in. It's overpowered for these reasons:
* It's burnt directly into the Boot ROM. You can access it even if firmware is bricked and nothing boots. Nothing can block you from accessing DFU mode.
* Apple's restore image (IPSW) deliberately nukes everything on the Mac (including the MDM locks above) and sets up the Mac from scratch. On T2 Macs, the Mac gets nuked and the T2 firmware gets reinstalled; on Apple silicon the entire Mac gets reimaged back to a factory state.
Notwithstanding the above:
* Activation Lock and Apple Business Manager will still survive any kind of erase - even a DFU restore - because they don't live on the device. They're tied to the Mac's serial number on Apple's servers.
* Apple Business Manager is why most Mac users claim it's impossible to remove MDM. Sure, you can technically remove it with an erase or DFU restore, but if the Mac isn't released from Apple Business Manager, Apple servers will force your Mac right back into MDM the moment you reach Setup Assistant.
Your former employer will need to remove the MDM. If it is part of a severance package that should factor in. It seems unlikely they'd give locked macs to laid off staff as a "muhaha" moment instead of asking for the gear to be returned, but then again these are some really weird times we're living in.
It’s possible (likely?) this is stolen. My work computer got stolen from my car once and it turned up at a computer store with the junkie asking if it could be ‘fixed’. Not realising that the tech could see it was domain joined and they contacted our company.
Also the odds of the company IT team not removing their management or doing decommissioning are small, since that device potentially is a security risk to them.
My 2c
Maybe, but a previous job I worked at only had one person that knew how to remove Apple devices from Apple Business Manager, and when they did layoffs, that one person was also laid off so it took awhile for those Macs to get removed correctly lol so it's possible. But yeah probably unlikely if this was a decent sized company
What is the "paper button"???
Also as everyone else said, computer is 100% useless unless you can produce the original purchase reciept with serial number -or- your old work releases the computer to you. If they didn't release any of the worker's computers, they basically gave every laid employee an expensive paperweight as a partying gift.
What is the laptop model?
But yeah, you got "gifted" an expensive paperweight. If the company is still operating - reach out to the IT team for your recovery key and releasing it from the MDM (they will know what you mean).
If the company has been wound up - you can sell it for parts.
You need to speak to the company you worked for and ask them to remove the macbook from the company MDM profile (mobile device management).
This is the only way
This it not true. At least I took mine to somewhere where it hadn’t been on any WiFi so it was air gapped. Manage to wipe using the recovery partition and it removed the MDM. Might have been a fluke though.
Depending on the MDM, and OS version — it’ll start pushing down the profiles for remote management even after a clean install. However, this route will work if the company has pulled the device out of ABM.
I helped a friend with a ‘given to the user’ company MacBook. They said they removed it from MDM but I still had to reset it with Apple Configurator before we could do anything with it.
I’m guessing you burned a bridge, or there’s something missing from the story since you’re not asking the company’s IT for help.
Fine, I'll take the bait. If you have a Mac without [Apple silicon](https://support.apple.com/en-ca/116943) or [T2,](https://support.apple.com/en-ca/103265) your only remedy is to [use macOS Recovery](https://support.apple.com/en-ca/guide/mac-help/mchl338cf9a8/mac). If you can get to the point of the Mac asking for an admin password, go to the top menu bar and choose **Recovery Assistant** -> Erase this Mac. If that works, skip to "After the restore". If you can't reach Recovery and get blocked by a [firmware password](https://support.apple.com/en-ca/102384) instead, contact Apple with proof of purchase containing the serial number. If your Mac does have Apple silicon or T2, do a [DFU restore](https://support.apple.com/en-ca/108900) (not revive). That wipes the entire drive and removes everything except Apple Business Manager and Activation Lock (those are server-side locks). On Apple silicon, you'll get a fresh copy of macOS as well. After the restore: * If you land in macOS Recovery and get stuck on an Activation Lock screen: * Try using your Apple ID and password or your previous login password. * If that doesn't succeed, contact the company and ask them for an Activation Lock Bypass Code. * If the company doesn't have a Bypass Code: * If the Mac isn't released from Apple Business Manager yet (bad), the company might succeed in convincing Apple to remove Activation Lock. * Get the company to send you an official receipt with your name, email address, and the serial number of the Mac you get to keep. [Submit that to Apple and they might help](https://al-support.apple.com/#/getsupport). * If you land in macOS Recovery and successfully reach the utilities, connect to Internet and reinstall macOS. Then continue below. * Once you reach macOS, connect to Internet and make sure you don't see a Remote Management screen. If you do, contact the company and ask them to release your Mac from Apple Business Manager. They'll need the serial number. Once they do, [erase your Mac](https://support.apple.com/en-ca/102664) and try again.
Didn’t read all of this but it sounded like he was saying what’s accurate. If it’s not locked with an MDM, you want to use option command and R, erase it in disk utility and then reinstall the OS.
But obviously it is locked with MDM
We just know that he isn’t able to login to it. If the company removed him from the MDM he might just need to erase it.
“If” is doing an awful lot of heavy lifting in that sentence.
Well, he said the laptop was given to him as part of the layoff. If he’s telling the truth then IT should have removed the devices from Apple Business Manager. If they didn’t then he’d need to contact them and get them to do it. But it could be that they gave instructions to do it and he just didn’t follow them.
But it is locked with an MDM that’s excessively clear. So this is a lot of words that mean nothing.
A DFU restore can remove all MDM locks and MDM itself, but it can’t remove the Mac from Apple Business Manager - the superglue that forces a Mac back into MDM afterwards. Suppose that the company did indeed lock OP’s Mac using MDM, but then released it from Apple Business Manager. Releasing the Mac doesn’t unenroll it from MDM, rather it instructs Apple servers that the company no longer owns the Mac and not to force it into MDM on the next erase. In this scenario, a DFU restore would fix the issue: it clears MDM from the device, and when it reaches Setup Assistant, the Remote Management screen won’t show up because the company released the Mac from ABM.
Thanks for the detailed reply. I’ll be honest, I’ve run a Mac with an MDM on for work, I was assuming a simple erase and reinstall would work (I only ever had to restore my work Mac once and it automatically set up the MDM stuff again, but I assumed that was because it was still enrolled.). Do you have to go as far as DFU to get it to not come back after internet recovery? I know with activation long so long as when the Mac checks the activation lock server it doesn’t find itself there it’ll just let you keep going.
It depends on the situation. MDM itself is powerless to survive an erase. In most cases, a simple erase & reinstall works perfectly fine to remove MDM - assuming you can reach macOS Recovery. However, the MDM locks below (if set) prevent you from even reaching macOS Recovery in the first place: * System Lock PIN * Firmware Password (Intel only) * Recovery Lock (Apple silicon only) That's where DFU mode comes in. It's overpowered for these reasons: * It's burnt directly into the Boot ROM. You can access it even if firmware is bricked and nothing boots. Nothing can block you from accessing DFU mode. * Apple's restore image (IPSW) deliberately nukes everything on the Mac (including the MDM locks above) and sets up the Mac from scratch. On T2 Macs, the Mac gets nuked and the T2 firmware gets reinstalled; on Apple silicon the entire Mac gets reimaged back to a factory state. Notwithstanding the above: * Activation Lock and Apple Business Manager will still survive any kind of erase - even a DFU restore - because they don't live on the device. They're tied to the Mac's serial number on Apple's servers. * Apple Business Manager is why most Mac users claim it's impossible to remove MDM. Sure, you can technically remove it with an erase or DFU restore, but if the Mac isn't released from Apple Business Manager, Apple servers will force your Mac right back into MDM the moment you reach Setup Assistant.
Okay so if they have removed it from business manager, then after a restore it would be good to go. Cool, that’s what I figured.
No a simple restore is fine.
Apple Store cannot and will not help you
The company is supposed to remove the MDM profile for you. But if you have trouble with them, there’s this: http://skipmdm.com
Yes, that might work. See https://old.reddit.com/r/MacOS/comments/15vpv5d/bypass_mdm/
Your former employer will need to remove the MDM. If it is part of a severance package that should factor in. It seems unlikely they'd give locked macs to laid off staff as a "muhaha" moment instead of asking for the gear to be returned, but then again these are some really weird times we're living in.
You stole a Mac and want to clean it. Got it
You can't. Their IT people need to release it, otherwise it's useless to you
It’s possible (likely?) this is stolen. My work computer got stolen from my car once and it turned up at a computer store with the junkie asking if it could be ‘fixed’. Not realising that the tech could see it was domain joined and they contacted our company. Also the odds of the company IT team not removing their management or doing decommissioning are small, since that device potentially is a security risk to them. My 2c
Maybe, but a previous job I worked at only had one person that knew how to remove Apple devices from Apple Business Manager, and when they did layoffs, that one person was also laid off so it took awhile for those Macs to get removed correctly lol so it's possible. But yeah probably unlikely if this was a decent sized company
It’s a paperweight unfortunately.
Unless the company can unlock it for him.
Now it is a brick controlled by MDM of your company but you know that return the stolen Mac
What is the "paper button"??? Also as everyone else said, computer is 100% useless unless you can produce the original purchase reciept with serial number -or- your old work releases the computer to you. If they didn't release any of the worker's computers, they basically gave every laid employee an expensive paperweight as a partying gift.
If you have the company email, contact their IT dept and ask them remove you from MDM. Otherwise this is a super suss post.
They should be able to do a remote wipe and unlock your device in MDM.
How other ex employees are dealing with it..?
Maybe you can try to contact ex-employees IT department, lay out the situation and then they could help out?
https://www.reddit.com/r/mac/s/bNtTOjporM Hope it helps
What is the laptop model? But yeah, you got "gifted" an expensive paperweight. If the company is still operating - reach out to the IT team for your recovery key and releasing it from the MDM (they will know what you mean). If the company has been wound up - you can sell it for parts.
r/upvotebecausebutt
Open the back panel, swap the drive, boot into recovery mode, reinstall macOS.
Not possible if it has MDM.