Unremovable MDM status question

I’m looking for a way to programmatically check whether the MDM profile installed on a managed Mac computer is removable or not. The PayloadRemovalDisallowed attribute, which can be verified via any of the following:

  • system_profiler SPConfigurationProfileDataType
  • sudo profiles show -type configuration
  • sudo /usr/libexec/mdmclient QueryInstalledProfiles

to name a few, appears to be just as irrelevant for the MDM profile itself as it is for other payloads, since "as of macOS 10.15, users can never remove MDM profiles, not even the admin". The MDM profile very often has that attribute set to false (i.e. removal allowed) even if — thanks to ADE configuration — in practice the profile is not removable.

The unremovable status is also nowhere to be found in either:

  • sudo profiles status -t enrollment
  • or sudo /usr/libexec/mdmclient QuerySecurityInfo

A few MDM-to-MDM migrations ago, which my team has done for customers, I relied on the value of the key IsMDMUnremovable, which can be read from the /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound file and also matches the output of sudo profiles show -t enrollment.

Unfortunately, halfway through that one particular migration I learned the hard way that this record cannot be relied on, frankly, specifically in any migration scenario, as it does not represent the local profile attribute 🙄. There was a small percentage of devices that refreshed their enrollment record automatically prior to migration, but after reassignment — without anyone running profiles renew — and had an unremovable status reported even though the MDM profile installed at the time was actually still removable.

As of now I haven’t yet found any other way to reliably verify that status for the currently installed MDM profile. The only definite solution that comes to my mind is looking for return code 101 when attempting to remove the MDM profile with profiles remove, but this is of no use to me in our migration solution. I need to verify that status long before attempting to remove the profile, while for computers with a removable profile such a method would remove the profile immediately.

With no other options left, I would very much appreciate help with identifying the proper method of verifying the unremovable status of the currently installed MDM profile via the command line. If not CLI, maybe it is possible to get it using Swift? If it is, maybe it would be possible via JXA then? If not, maybe Objective-C — a precompiled binary to do just this one check would still be better than no viable option at all 🤷‍♂️.
