Skip to main content

Bypassing MDMs on Arm Macs With RecoveryOS

· 3 min read

MacOS has a implemented a new security layer for their new M1 Macs. If you were to buy a Mac owned by a company that closed its doors and can not disable the MDM system, you would have some options on the Intel platform. Bootable USBs make it easy to reinstall MacOS, Windows, or Linux. With the new Macs, you would be left with a paper weight. This is not a perfect fix. After every major update, the MDM enrollment can reactivate. Rebooting can also lead to the same results and render the Mac useless.

Often times, companies sell Macs without removing the MDM or they go under and sell off their computers in bulk and forget about it.

Initial Boot into RecoveryOS

  1. Hold down the power on boot up and select RecoveryOS
  2. Launch the terminal

Disabling Platform Integrity Protection

PIP is a security mechanism that helps prevent unauthorized modifications to the system software and firmware. It's designed to protect the device from malicious software and unauthorized access. It really focuses on three things to ensure system integrity:

  1. Prevents Unauthorized Modifications: PIP prevents unauthorized changes to the system software and firmware, including the kernel, drivers, and system extensions. This helps protect the device from malware and other security threats.
  2. Enforces Code Signing: PIP requires all system software and firmware to be digitally signed by Apple or an authorized developer. This ensures that only trusted code can be executed on the device.
  3. Protects Boot Process: PIP protects the boot process from unauthorized modifications, preventing attackers from gaining control of the device before the operating system loads.

Here is some more info: https://support.apple.com/en-us/102149

In the terminal we can disable PIP:

csrutil disable

Edit Managed Client Property List

A property list is a file format used by Apple to store configuration data and settings for various applications and system components on MacOS.

They are used frequently in MacOS, we can see just how many starting at root here:

image

That's a lot of property lists. We can edit the property list that contains data about mobile device management.

sudo vi /System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist

We need to change

<key>com.apple.ManagedClient.enroll</key>
        <true/>

to be

<key>com.apple.ManagedClient.enroll</key>
        <false/>

Blocking Additional Apple Servers

0.0.0.0 iprofiles.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 gdmf.apple.com
0.0.0.0 acmdm.apple.com
0.0.0.0 albert.apple.com

Disable the Enrollment Service

sudo launchctl disable system/com.apple.ManagedClient.enroll

Additional Resets

# Resets the cloud configuration activation status.
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigHasActivationRecord

# Forces a re-search for cloud configurations.
sudo rm /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound

# Indicates that a cloud configuration profile has been installed.
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigProfileInstalled

# Indicates that a cloud configuration record was not found.
sudo touch /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordNotFound