How to know if a Mac is under DEP (Device Enrollment Program)? [closed]

I just bought a used MacBook Air 2015. I did a system restore... and was confident the Mac is not stolen because of these checks:

1- There was no iCloud on the computer, and I was able to add my own iCloud normally.

2- The Mac firmware had no password.

But now I see something that I have never seen before.

I keep seeing this message, always skipping it

1- What are the consequences of allowing DEP, and is it reversible?

2- How to contact the person who has DEP and ask them to remove it from the program?

3- When buying a new Mac, how to know if it's on DEP? (the most important question)

4- Someone on IRC said that if I was unable to authorize my machine from iTunes then the machine is on DEP. Is this correct?

5- The same person on IRC says that there could be a previous owner, and this owner can format my computer and see all of my files even if I have my own iCloud on it. Is this correct?

The person who sold it to me imported 60 Macs from a closed startup in Sweden. I can return it to the seller and get my money back, but I really need an answer to these questions...


Solution 1:

Have you seen Apple's DEP FAQ? It says:

Which devices can be enrolled in DEP?

Any Apple Mac or iOS devices purchased on or after March 1, 2011 can be enrolled in DEP. Mac or iOS devices purchased from participating Apple Authorized resellers or carriers must be added to your DEP instance to be included. All iOS devices must use iOS 7 or later, and all Mac computers must have OS X Mavericks v10.9 or later. Once configured, automatic enrollment in MDM occurs at the time of device activation if a profile has been assigned. If a device has already been deployed (activated), you can trigger automatic MDM enrollment by erasing and restoring the device.

  1. What are the consequences of allowing DEP, and is it reversible?

DEP supervises and enrolls the device into your Meraki MDM. Any configuration profiles are going to come from Meraki, not DEP. If there are configuration profiles that you want to remove, make the change in Meraki... either remove the device from the "Clients in scope" list under the profile, or remove the profile completely from Meraki (if you don't want it on any device).

DEP allows for the changing of the following:

- App Lock (Single App Mode)
- Global HTTP Proxy
- Activation Lock Bypass
- Autonomous Single App Mode
- Web Content Filter
- Set background & lock screen
- Silent App Push
- Always-On VPN
- Allow managed app installation exclusively

Additionally, you can block/disallow:

- iBookstore
- iMessages
- Game Center
- AirDrop
- AirPlay
- Host pairing
- Cloud Sync
- Spotlight internet results
- Handoff
- Erase
- Restrictions UI
- Installation of configuration profiles by UI
- News
- Keyboard shortcuts
- Passcode modifications
- Device name changes
- Wallpaper changes
- Automatic app downloads
- Changes to enterprise app trust
- Apple Music
- Mail Drop

  2. How to contact the person who has DEP and ask them to remove it from the program?

The line under "add to enrollment" will tell you who is running the DEP. You may see details by clicking add, and it will bring up preferences. Under this, you may read (in plaintext) who is trying to enroll you, and you may find out who it is.

  3. When buying a new Mac, how to know if it's on DEP? (the most important question)

Reset it. See if it bypasses Setup.

  4. Someone on IRC said that if I was unable to authorize my machine from iTunes then the machine is on DEP. Is this correct?

Yes. It would bypass this under MDM or under a DEP.

  5. The same person on IRC says that there could be a previous owner, and this owner can format my computer and see all of my files even if I have my own iCloud on it. Is this correct?

This is true.

The Device Enrollment Program enables IT to easily leverage the advanced capabilities of supervision without the need to physically tether a device to a master computer running Apple Configurator – supervision can be turned on with the click of a button OTA. IT also benefits from the avoided risks associated with unmanaged devices. With the Device Enrollment Program, IT can leverage un-removable MDM profiles and even require devices to re-enroll after being wiped or reset.

Best of Luck!
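
For question 3, a check that does not require erasing the Mac, as an added example that is not part of the answer above: on macOS 10.13 and later, `profiles show -type enrollment` run as root asks Apple which enrollment record is assigned to the machine's serial number. The output shape parsed here and the sample record are assumptions constructed for illustration, and `dep_record_summary` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example. Summarizes the output of `profiles show -type enrollment`,
# read on stdin. Assumed output shape: a "Device Enrollment configuration:"
# header followed by either "(null)" or a { Key = value; ... } record.
dep_record_summary() {
    awk '
        function flag(v) { return (v == "") ? "?" : v }
        /^[ \t]*\(null\)/ { null_seen = 1 }
        /^[ \t]*[A-Za-z]+ = / {
            key = $1
            val = $0
            sub(/^[^=]*= */, "", val)    # drop the "Key = " prefix
            sub(/;[ \t]*$/, "", val)     # drop the trailing ";"
            gsub(/^"|"$/, "", val)       # drop surrounding quotes
            rec[key] = val
            have_rec = 1
        }
        END {
            if (have_rec) {
                printf "assigned=yes org=\"%s\" mandatory=%s unremovable=%s\n", rec["OrganizationName"], flag(rec["IsMandatory"]), flag(rec["IsMDMUnremovable"])
            } else if (null_seen) {
                print "assigned=no"
            } else {
                print "assigned=unknown"   # error text, no network, older macOS
            }
        }
    '
}

# Constructed sample of a record for a device assigned to an organization.
SAMPLE_ASSIGNED='Device Enrollment configuration:
{
    IsMDMUnremovable = 1;
    IsMandatory = 1;
    OrganizationName = "Example Startup AB";
}'

if command -v profiles >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # On a Mac, as root: ask Apple which record is assigned to this serial.
    profiles show -type enrollment 2>&1 | dep_record_summary
else
    # Elsewhere: demonstrate the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_ASSIGNED" | dep_record_summary
fi
```

An `assigned=yes` result on a Mac that currently shows no management profile means the enrollment prompt will return after every erase, and the `org` value names the organization to contact about releasing the device.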