How to know if a Mac is under DEP (Device Enrollment Program)? [closed]
I just bought a used MacBook Air 2015. I did a system restore... and was confident the Mac is not stolen because of these checks:
1- There was no iCloud on the computer, and I was able to add my own iCloud normally.
2- The Mac firmware had no password.
But now, I see something that I have never seen before.
I keep seeing this message, always skipping it
1- What are the consequences of allowing DEP, and is it reversible?
2- How to contact the person who has DEP and ask them to remove it from the program?
3- When buying a new Mac, how to know if it's on DEP? (the most important question)
4- Someone on IRC said that if I was unable to authorize my machine from iTunes then the machine is on DEP. Is this correct?
5- The same person on IRC says that there could be a previous owner, and this owner can format my computer and see all of my files even if I have my own iCloud on it. Is this correct?
The person who sold it to me imported 60 Macs from a closed startup in Sweden. I can return it to the seller and get my money back, but I really need an answer for these questions...
Solution 1:
Have you seen Apple's DEP FAQ? It says:
Which devices can be enrolled in DEP?
Any Apple Mac or iOS devices purchased on or after March 1, 2011 can be enrolled in DEP. Mac or iOS devices purchased from participating Apple Authorized resellers or carriers must be added to your DEP instance to be included. All iOS devices must use iOS 7 or later, and all Mac computers must have OS X Mavericks v10.9 or later. Once configured, automatic enrollment in MDM occurs at the time of device activation if a profile has been assigned. If a device has already been deployed (activated), you can trigger automatic MDM enrollment by erasing and restoring the device.
- What are the consequences of allowing DEP, and is it reversible?
DEP supervises and enrolls the device into your Meraki MDM. Any configuration profiles are going to come from Meraki, not DEP. If there are configuration profiles that you want to remove, make the change in Meraki... either remove the device from the "Clients in scope" list under the profile, or remove the profile completely from Meraki (if you don't want it on any device).
DEP allows for the changing of the following:
App Lock (Single App Mode)
Global HTTP Proxy
Activation Lock Bypass
Autonomous Single App Mode
Web Content Filter
Set background & lock screen
Silent App Push
Always-On VPN
Allow managed app installation exclusively
Additionally, you can block/disallow:
iBookstore
iMessages
Game center
AirDrop
AirPlay
Host pairing
Cloud Sync
Spotlight internet results
Handoff
Erase
Restrictions UI
Installation of configuration profiles by UI
News
Keyboard shortcuts
Passcode modifications
Device name changes
Wallpaper changes
Automatic app downloads
Changes to enterprise app trust
Apple Music
Mail Drop
- How to contact the person who has DEP and ask them to remove it from the program?
The line under "add to enrollment" will tell you who is running the DEP. You may see details by clicking add, and it will bring up preferences. Under this, you may read (in plaintext) who is trying to enroll you, and you may find out who it is.
- When buying a new mac, how to know if it's on DEP? (the most important question)
Reset it. See if it bypasses Setup.
- Someone on IRC said that if I was unable to authorize my machine from iTunes then the machine is on DEP. Is this correct?
Yes. It would bypass this under MDM or under a DEP.
- The same person on IRC says that there could be a previous owner, and this owner can format my computer and see all of my files even if I have my own iCloud on it. Is this correct?
This is true.
The Device Enrollment Program enables IT to easily leverage the advanced capabilities of supervision without the need to physically tether a device to a master computer running Apple Configurator – supervision can be turned on with the click of a button OTA. IT also benefits from the avoided risks associated with unmanaged devices. With the Device Enrollment Program, IT can leverage un-removable MDM profiles and even require devices to re-enroll after being wiped or reset.
Best of Luck!
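
A way to check DEP assignment from Terminal on a Mac that is already set up, as an added example that is not part of the original question or answer. It relies on the macOS `profiles` tool (`status -type enrollment` and `show -type enrollment`, macOS 10.13.4 or later); the function names are hypothetical, the output shapes parsed are an assumption about what those commands print, and the sample record (organization name, URL) is constructed.

```shell
#!/bin/sh
# Added example: report whether a Mac is enrolled through / assigned to DEP.
# Assumption: the output shapes parsed here are those of macOS 10.13.4+.

# Classify `profiles status -type enrollment` output read from stdin.
enrollment_status() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (dep ~ /^Yes/) print "dep"
            else if (mdm ~ /^Yes/) print "mdm-only"
            else if (dep ~ /^No/ && mdm ~ /^No/) print "none"
            else print "unknown"
        }'
}

# Classify `profiles show -type enrollment` output read from stdin.
dep_assignment() {
    awk '
        /\(null\)/ { empty = 1 }                 # no record for this serial
        /ConfigurationURL[ \t]*=/ { assigned = 1 }
        /OrganizationName[ \t]*=/ {
            org = $0
            sub(/^[^=]*=[ \t]*/, "", org)        # drop the key and "="
            sub(/;[ \t]*$/, "", org)             # drop the trailing ";"
            gsub(/^"|"$/, "", org)               # drop surrounding quotes
        }
        END {
            if (assigned) print "assigned: " (org == "" ? "organization not listed" : org)
            else if (empty) print "not-assigned"
            else print "unknown"
        }'
}

# Constructed sample of an assigned device (not captured from a real Mac).
SAMPLE_SHOW='Device Enrollment configuration:
{
    ConfigurationURL = "https://mdm.example.invalid/dep";
    OrganizationName = "Example Startup AB";
}'

if command -v profiles >/dev/null 2>&1; then
    # `show` fetches the record from Apple, so it needs root and network access.
    echo "enrollment: $(profiles status -type enrollment 2>&1 | enrollment_status)"
    echo "assignment: $(sudo profiles show -type enrollment 2>&1 | dep_assignment)"
else
    echo "sample assignment: $(printf '%s\n' "$SAMPLE_SHOW" | dep_assignment)"
fi
```

`status` only reflects whether the Mac is currently enrolled, so a machine where the enrollment prompt was skipped can report "none" there while `show` still reports an assignment and the organization behind it.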