Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

trailmonkey

macrumors regular
Original poster
Feb 22, 2019
149
63
A friend has a couple of 2nd gen iPad Pros going cheap but they come with MDM configs that nobody seems willing to remove before selling. Odd methinks. Still, he's genuine and so are the IT people he's dealing with - I used to know them.

Am keen to buy one of them but not if there's a risk of bricking the device. Is there a free or cheap (less than iActivate's $45) method of removing it?

Cheers
 

cmaier

Suspended
Jul 25, 2007
24,384
30,996
California
A friend has a couple of 2nd gen iPad Pros going cheap but they come with MDM configs that nobody seems willing to remove before selling. Odd methinks. Still, he's genuine and so are the IT people he's dealing with - I used to know them.

Am keen to buy one of them but not if there's a risk of bricking the device. Is there a free or cheap (less than iActivate's $45) method of removing it?

Cheers

Don’t you just have to remove the MDM profile from within settings | general | profiles?
 

trailmonkey

macrumors regular
Original poster
Feb 22, 2019
149
63
Some are easier than others, eg parental controls are (I think) easier to remove than corporate lockdown versions.
 

ApfelKuchen

macrumors 601
Aug 28, 2012
4,121
2,712
Between the coasts
It'll probably come down to this: Either you can perform a full Erase All Content and Settings or Recovery Mode restore of iOS (in which case the profile should be gone), or you won't be able to erase those iPads at all and you'll be stuck with those profiles and whatever limitations/restrictions they impose.

I'm going to bet the answer will be "stuck with those profiles." It's not likely a simple erase/restore attempt will brick them - the MDM usually just prevents activities that can undo the restrictions. IT departments don't want to have to lay hands on a device every time an employee/student tries to erase the thing. The MDM capabilities Apple built into iOS are intended to make those products attractive to the corporate/institutional/government market - easy-to-break device management is not a positive selling point.

From my perspective, if the seller can't/won't remove the profile, then don't buy it. Profiles can prevent you from using the iPads as you wish.

"Not willing" to remove the profile does raise suspicions. The original owner should be able to remove the profile in just a few moments. An innocent explanation might be that the organization moved/upgraded to another MDM platform and doesn't want to continue the old subscription. Considering the age of the devices, the original owner may consider them to be abandoned property - but it doesn't mean they want to make that abandoned property useful to a new owner (or put extra money in the pockets of employees who were supposed to recycle the stuff).

There's not likely to be a cheap way to remove the profile. I have no idea whether iActivate will be able to remove the profile, but if you consider $45 "too expensive," then the price being offered is probably too high.
[automerge]1582885635[/automerge]
Don’t you just have to remove the MDM profile from within settings | general | profiles?
There are "profiles," and then there are "profiles." Industrial-strength MDM usually requires a server-side unlock before the things can be erased/restored. Easy-to-remove profiles tend to be for granting specific privileges (like installing corporate-specific apps on employee-owned devices) rather than locking-down the use of the equipment.
 
Last edited:

LouE37

macrumors member
Jun 27, 2010
98
27
A friend has a couple of 2nd gen iPad Pros going cheap but they come with MDM configs that nobody seems willing to remove before selling. Odd methinks. Still, he's genuine and so are the IT people he's dealing with - I used to know them.

Am keen to buy one of them but not if there's a risk of bricking the device. Is there a free or cheap (less than iActivate's $45) method of removing it?

Cheers

This depends on whether it was setup using DEP/Supervised management or strictly through an MDM. If only MDM/Unsupervised then what was suggested above would work to simply delete the management profile. If DEP managed, that unenrollment would have to be initiated from the management console or else even a full erase/restore will continue to link the MAC to the enterprise it was previously a member of.
 
  • Like
Reactions: reycat

reycat

macrumors regular
Jun 24, 2009
118
68
This depends on whether it was setup using DEP/Supervised management or strictly through an MDM. If only MDM/Unsupervised then what was suggested above would work to simply delete the management profile. If DEP managed, that unenrollment would have to be initiated from the management console or else even a full erase/restore will continue to link the MAC to the enterprise it was previously a member of.

This. If the iPad is enrolled via DEP, it doesn’t matter if you “Erase all content and settings“ or put it on DFU mode and format from there. When setting it up from scratch it will tell you it is a device managed by SomeCompany, Ltd, and ask you for a username and password just to finish the setup.

The people selling them should be able to remove the iPads from the DEP.

Disclaimer: all my experience is with school issued and managed iPads, it could be different in a business environment.
 
  • Like
Reactions: haruhiko

trailmonkey

macrumors regular
Original poster
Feb 22, 2019
149
63
It's going to be some kind of corporate-level profile and it's annoying that they won't remove it first. Unfortunately, I can't speak directly with the IT guys anymore so I'm going on second hand info here. Anyway, I'm not taking the risk even though iActivate looks pretty solid and includes support. I just don't need to be in the minority of those that end up with a brick.

Cheers all
 

Blastone

macrumors newbie
Oct 1, 2020
2
0
so i recently purchased a brand new wrapped ipad pro and when i got home it said that remote management but it didnt require a username and password? what does that mean?
 

Blastone

macrumors newbie
Oct 1, 2020
2
0
This. If the iPad is enrolled via DEP, it doesn’t matter if you “Erase all content and settings“ or put it on DFU mode and format from there. When setting it up from scratch it will tell you it is a device managed by SomeCompany, Ltd, and ask you for a username and password just to finish the setup.

The people selling them should be able to remove the iPads from the DEP.

Disclaimer: all my experience is with school issued and managed iPads, it could be different in a business environment.

what if it doesnt ask for a username and password?
 

cuestakid

macrumors 68000
Jun 14, 2006
1,733
37
San Fran
I concur with others. MDM profiles are meant to stay on the device and most good MDM solutions require server side unlocks (especially if they are company owned). If they can’t or won’t remove it that is odd to me as they would in some cases still be paying for the license. I honestly would look elsewhere.
 

chrfr

macrumors G4
Jul 11, 2009
11,189
4,753
so i recently purchased a brand new wrapped ipad pro and when i got home it said that remote management but it didnt require a username and password? what does that mean?
You need to take it back and get it exchanged. The iPad is in Apple’s system as being owned by whatever company name was shown on that screen.
 
  • Like
Reactions: haruhiko

Hcressall

macrumors newbie
May 30, 2021
5
1
A friend has a couple of 2nd gen iPad Pros going cheap but they come with MDM configs that nobody seems willing to remove before selling. Odd methinks. Still, he's genuine and so are the IT people he's dealing with - I used to know them.

Am keen to buy one of them but not if there's a risk of bricking the device. Is there a free or cheap (less than iActivate's $45) method of removing it?

Cheers
I did it. Spent no money. All resources are legit and online. If you still need this, reach out.
 

Hcressall

macrumors newbie
May 30, 2021
5
1
I need it if you still have it
Basically all I can do is list the tools I used and the resources I followed. There is no "app" - it's a process. But I did it in an afternoon and I had zero idea what I was doing before I started. The whole process works like this:

You need another computer, preferably a Mac, and a usb to iPad cable (Lightning) and an open source program called checkra1n.

First a brief overview so you have some idea of the workflow:

1) Install checkra1n on the Mac
2) From the Mac, Checkra1n will install the iOS checkra1n on the iPad via the cable

now move to the iPad

3) On the iPad Checkra1n will install Cydia on the iPad
4) On the iPad Cydia will install a SSH (basically a secure login) on the iPad

stick with me here. It sounds much worse than it is. I had NEVER done this before.

5) Back to the Mac (and the cable) open terminal and following the directions in the SSH (on your iPad) log into your iPad as root from your Mac. Got that? Terminal is open on the Mac, Cydia is open on the iPad. You are reading what to do from the iPad.
6) Using Terminal on the Mac, find the MDM preferences folder and simply delete any and all MDM preferences - normally an iPad has none.

OK, specifics:

read both of these how to's first:
How to Jailbreak an iPad (with Pictures) - wikiHow
How To Jailbreak iOS 14.4.2 Using Checkra1n ‣ (ahmcolemedia.com)
Don't jump ahead, just see how they describe the same process. Each allows for different issues so worth your time.
Checkra1n is found here:
0.12.4 beta · checkra1n
Checkra1n is not a paid app. It will not ask for money. It is not a demo. It will install Cydia on your iPad and Cydia gets you the SSH and other cool features. Both are open source for people who need help like us.

(IF for some reason you download anything but the latest version [0.12.4], poke around. The mismatched link seems to have been corrected but doesn't hurt to double check.)

OK, follow all the directions. Backup you iPad. Move slowly. It all works. Sometimes you have to run Checkra1n twice on the iPad to take. Sometimes you have to reboot to make it work. But it will install Cydia. Once that happens the rest is assured...but tricky. Here is the last bit:

OK, so you got checkra1n and Cydia on your iPad. AND you've installed the SSH from the Cydia menu. Now you're back on your Mac and using the lightning cable, you have logged into your iPad as root. Great. But where to go? OK, google Linux commands to change directories, list contents etc. Not a big deal. But here is where the directory you want is and here is also the command you need to delete the MDM (preference) files:

Location either is exactly or similar to: "cd /private/var/containers/Shared/SystemGroup/" (you can cut and paste that into terminal). If it's wrong look around using the Linux commands - I had to.

But once you are in the ".../SystemGroup/" folder do this:

Cut and paste "rm -rf systemgroup.com.apple.configurationprofiles/" into terminal and hit enter. Those are the MDM preferences and that will "rm" remove them. This is why already having your iPad backed up is a good idea. Now there are no 'necessary' or 'good' "systemgroup.com.apple.configurationprofiles" so clearing the lot out hurts nothing. It just means your iPad is free of restrictions. If this is successful, reboot and you are done!

I would read all the jailbreak steps a few times before beginning. I would also familiarize myself with navigation in Linux if you have never done this. Both take minutes. Lastly things may be different between your iPad and mine. So just allow for some variation. But this worked and my iPad was utterly unlocked and I was able to install apps, sync it to my Apple account and edit and rearrange my desktop - all things locked for me before removing the MDM.

Message back and tell me how it went!
 
Last edited:

jastabile

macrumors newbie
Jun 15, 2021
3
0
Nice info @Hcressall. I just bought an iPhone 12 mini with an MDM profile (I figure it out days after the purchase). Do you know if after the remove of complete folder you are able to full unjailbreak again?

In my case It doesnt require a username and password, and i could install all apps, and for now, i didnt get ant restrictions. But i am afraid that maybe in the future they lock something, can this happen? I also dont want them controlling my stuffs haha
 

Hcressall

macrumors newbie
May 30, 2021
5
1
Nice info @Hcressall. I just bought an iPhone 12 mini with an MDM profile (I figure it out days after the purchase). Do you know if after the remove of complete folder you are able to full unjailbreak again?

In my case It doesnt require a username and password, and i could install all apps, and for now, i didnt get ant restrictions. But i am afraid that maybe in the future they lock something, can this happen? I also dont want them controlling my stuffs haha
I'd back it up but yes. That's exactly what I would do. In my panicked research for removing MDM I also came across another process that involved using iBackupbot to remove MDM and I'd try that first as it creates a back - which you then remove the MDM from - and then you restore from the MDMless backup. There is a thread on Mac rumors. Otherwise searching for remove MDM iBackupbot will return the results. Yes iCopybot and iBackupbot are paid software but they come with an unrestricted free trial period and it is generous enough to do the deed.

My iPad was too crippled to allow that process but it may work for you.

Otherwise, I'd using Cydia and the SSH should definitely prevent a future reinstall of MDM or lockout.
 
  • Like
Reactions: jastabile

jastabile

macrumors newbie
Jun 15, 2021
3
0
Thanks for your answer @Hcressall. I tried iBackupbot but it crashes and closes when i click on my iPhone 🤣 (i am in mac).
What I saw now is that unc0ver doesnt support jailbreak for iOS 14.4 (only until 14.3), and my iPhone is in that version 🤦‍♂️

The alternative I found is Zeon but i'd never heard of it. Anyone here can say anything about it?
 
Last edited:

jastabile

macrumors newbie
Jun 15, 2021
3
0
Finally I could use iBackupbot. To all people with an MDM this is a safe and real solution
 

Slartibart

macrumors 6502a
Aug 19, 2020
974
1,201
While jailbreaking will let you avoid the MDM, if at some point in the future you need to factory reset the iDevice - and in the meantime the MDM admins have locked the device down - you will loose any access.
 

Hcressall

macrumors newbie
May 30, 2021
5
1
While jailbreaking will let you avoid the MDM, if at some point in the future you need to factory reset the iDevice - and in the meantime the MDM admins have locked the device down - you will loose any access.
If you factory reset, and have no access to internet. You can jailbreak again before the machine reaches out to receive any lock-down instructions. All this means is you need to be sure there are no available (known) access points and that the first thing you do at reset is jailbreak Cydia.

Think about it - how can the iPad be locked if it can't be reached by the admins to lock it down?
 

Hcressall

macrumors newbie
May 30, 2021
5
1
If you're friends and the iPads are legit, they should be able to tell you why they can't remove them.
Yes they should! But that doesn't mean they can. Which is a discussion for another day.

We are assuming that due to end of support, change of administration or a human error, an unforeseen but legitimate loss of the ability to release the iPad from MDM has occurred. This is about how to unlock an unintentionally but permanently locked security system.

My case was a service contract (commercial) video fitness product with a company that ended service of the product my company had leased. The terms stated (in writing) that I owned the hardware and it would be unlocked after the lease (of the program) concluded. But when the term completed, the product was no longer supported and no one knew how the hardware was locked or how to release it.

So I turned to Google...and succeeded.
 

Colin P

macrumors newbie
Jun 27, 2021
1
1
If they aren't willing to remove the profile, it's because it's not straightforward. Move along.
My response as an individual who recently managed 5100 iPads across 44 schools is that this is not difficult.
In addition, I question that an organisation would not remove them from their systems before on selling, assuming that the person who on sold them is someone who should know what they are doing.

In essence, the situation should be as simple as one of the following:

If any device has a soft touch management approach from an MDM (meaning that it is simply enrolled to the MDM to provide minimal control, eg. connect to WiFi and no other restrictions), then the device should be able to be reset/restored to put it back into normal use.

If the organisation has used the MDM to place restrictions on the device such as preventing the iPad from reset/restored, then you could try putting it into Recovery mode.

However if the organisation has protected the device by using Apple's Device Enrollment program (DEP) in addition to using Apple Business or Apple School Manager (ABM / ASM), then any of the above steps will result in the device being automatically enrolled back into the organisation's MDM.
In this case the organisation should have removed it from DEP and ABM/ASM before on selling / donating the device.
 
  • Like
Reactions: Slartibart
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.