Profile feature of System Prefs in Yosemite

Joined
Oct 17, 2016
Messages
203
Reaction score
9
Are you guys familiar with the Profiles panel of System Prefs?

Here's why I'm asking. I bought a copy of Yosemite on Amazon from a nice guy. However, it looks like this was an installer used by a college, and they have added items to the Profiles section that can't be edited. Here's a screenshot.

01.png


The seller is sending me another copy of Yosemite. This will however require me to start again from scratch in setting up this machine.

I thought I'd take this opportunity to learn more about the Profiles feature, as it is new to me (upgrading from Snow Leopard). I'm wondering how concerned I should be about my current install of Yosemite, what control the college may still have and so on. Any info you can share will be an education here, thanks.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,120
Reaction score
506
Hello,

Correct, it looks like the copy you purchased is a custom built installer for Yosemite for a community college in MN. Technically, this isn't legal and violates Apple's licensing policy, as well as any of the third-party software that was installed. Your Mac is totally controllable by their IT department, and they are susceptible to legal action for selling Apple and other software to the public.

That being said, those are Mobile Device Management (MDM) profiles created with software from a company called jamf. They are used to institute automatic settings, software distribution, device and user management, etc. for educational and enterprise organizations. The Profiles preference pane only appears when profiles have been installed, and they can only be removed by their IT department.

I would definitely get your money back and not deal with that Amazon customer, even though they may have been very nice to deal with. Your Mac is at the college's mercy, and can actually be tracked and wiped, until you do a complete erase and install.

-Which model Mac?
-Did you ever download any of the older versions of OS X with your Apple ID from the App Store?

C
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Thanks so much Cory. You're right, I've been screwed.

The seller claimed no knowledge of this and immediately sent me a new installer. Which has the same issue.

Given that it's not possible to install or even use this version of Yosemite without seeing the reference to the college, I now have to assume the seller is lying, or perhaps just has no idea what he is doing. In any case, he is soon going to regret meeting me.

To expand the topic a bit, this problem started when I bought a used Mac from MacOfAllTrades. It arrived with Snow Leopard instead of the Mavericks or above promised on the sales page. Given that this is the second time they've sent a machine with a problem that could have been easily detected with a 2 minute inspection, I'm now convinced they are lying when they say they test machines. Thanks for the lying MacOfAllTrades.

Sierra is brand new, and I want nothing to do with brand new OSs from Apple. Thanks for the incompetence Apple. My understanding was and still is that Apple does not make the older version available, but please correct this if I am wrong. I did just go to the App Store again and search for Yosemite, and found nothing on Yosemite but tutorials.

So I bought the last version of El Capitan on Amazon. I installed it and set it all up only to discover that Apple has deleted important security features available in good old Snow Leopard. Thanks for the "upgrade" Apple.

So I moved on to Yosemite, installed and set it up only to discover this college IT installer issue. Thanks for the screw up Amazon seller.

So I waited for the new Yosemite installer from the Amazon seller, installed and set much of it up only to discover the college IT issue is still there, despite earnest promises from the seller. Thanks for the lying Amazon seller.

All of this could have been easily avoided if Apple simply made old versions of their OS easily available, but apparently that interferes with the fantasy that their new OSs are not beta software.

Sorry to whine, whine, whine, but it appears I'm becoming pretty fed up with everybody involved in this process. What a huge waste of time. And the thing is....

I've not really discovered any compelling new features in Yosemite or El Capitan that make all this worth it. Some improvements for sure, but some steps backwards too.

Perhaps I'll head back to Snow Leopard and stick with it until it won't run anything, and then install all my Macs in the bottom of my swimming pool, bail out of the Net, and get a life. :)

A life. A life! I used to have one of those. Now where did I put it?? It must be around here somewhere. :)
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
A new wrinkle...

The Amazon seller still claims he's never seen this problem, and it kind of makes sense. Why would he immediately send me a new install disk by priority mail if he knew the new disk had the same issue as the first one?

His theory is that Normandale College Profiles came with this Mac, and he may have a point. I bought this Mac from MacOfAllTrades, and they buy their Macs in bulk from organizations who are upgrading their machines, like perhaps a community college.

I wiped the drive clean with Disk Utility before running the installer. I've done this two or three times now. Could the Normandale College Profiles be hiding some place on the Mac that I am ignorant of? What could survive the hard drive erasure?

What say you? Is there any chance this theory might be correct? Or is it impossible?

Many thanks!
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Cory, thanks for your ongoing advice.

I have confirmed the Amazon seller's theory. I wiped the drive clean again with Disk Utility, and installed from a completely different installer. Sure enough, the Normandale College business is still there.

Yes, I did see "your Mac is being configured by Normandale CC" at the end of the install process.

So the Amazon seller is utterly blameless, and I have apologized to him and thanked him for his patience. I'm now glad I didn't name him above.

Yes, I have a support ticket in to MacOfAllTrades and expect a reply on Monday. However, I'm not expecting much from them. I specifically asked them to test this machine prior to placing my order, they specifically said they would, and then ignored the request and sent me a Mac with the wrong OS (not those promised on the sales page). This is the second time they have done this, so I've lost all faith in their company.

To return to the technical problem, this Normandale College business appears to be hiding on this Mac somewhere beyond the reach of a Disk Utility erasure. Do you have any idea where, or how I might be able to remove it? Ideally I will learn how to fix this on my own.

Let's see.... I went to Pakistan.com and they're having a pretty good sale on nuclear weapons. That might work in cleaning this drive. However, North-Korea.com has free shipping on all nuke orders, so that's appealing too. Hmm... I wonder if they would be willing to ship my nuke order directly to MacOfAllTrades?
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Thanks again Cory, having your guidance on this issue is very very helpful. I'd still be largely in the dark about this without you.

If you know, where exactly is this data stored on the Mac? As an example, if I ripped this hard drive out and replaced it would that break the connection? Or is the connection data stored somewhere else? It must be physically on this machine somewhere, right?

The best I can offer you in return for your assistance is a closer look at MacOfAllTrades. As best I can tell, they don't test machines before shipping them out, despite promising that on their site and in private. Here's how I came to that conclusion.

A few years back I bought a laptop from them which arrived with a jammed space bar. Even a three minute review of the laptop prior to shipping would have found that problem. I was a good sport about it, figuring everybody makes mistakes sometimes including me.

Before I bought this Mac I contacted them and reminded them of the laptop story and asked them to carefully review this machine prior to shipping. They said they always do that and of course would in this case. And the machine arrived with Snow Leopard, instead of the Mavericks or above promised on the sales page. Again, a problem which could have easily been discovered with any kind of inspection.

They don't admit to or apologize for any of this. They do respond to tickets, but their mindset is that they are doing you a favor by helping you with "your problem". They seem to conceive of quality control as a favor they do for whiners like me, instead of an essential tool for protecting their brand. As you can see, using this mindset they have successfully converted me from a once happy customer to a negative word of mouth machine.

Point being, I don't have high hopes for MacOfAllTrades' participation on this issue, and of course the community college doesn't know me or owe me anything, so who knows if they will be cooperative. They may see me as some stranger trying to run a scam on them.

Thus, I'm thinking ahead to what I'm going to have to do if I'm on my own here. Thankfully, I at least now know what the problem is, thanks much for that.
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
The Amazon seller has suggested....

"I think you have a netinstall/netboot partition hidden on the hard drive that is forcing these changes. When you reformat the disk, make sure you are choosing the ENTIRE disk, and not just the OS partition."

Any chance this will work? I think I've been doing that, but not entirely sure.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,120
Reaction score
506
No worries...glad to help.

I believe your Mac's Hardware UUID is what is used to tie the Mac to the jamf MDM system. The only way to break that link is to have the Mac unmanaged and deleted from the college's MDM system, or to do a logic board swap.

If Mac of all trades isn't helpful or won't assist, then your only course of action is to contact the school and explain the situation, or replace the logic board.

C
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Thanks again Cory. Logic board, ouch. Not what I want to hear of course, but what I need to hear for sure.

Ok, I'll give diplomacy a shot as the first step. I'll probably hear from MacOfAllTrades on Monday, will report on that when it happens.
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Cory, if your time and interest permits, would you like to comment upon the following?

1) Technically, my Mac will always be under control of the college because if they can take me off an MDM list they can put me back on at any time, right? In your view, am I essentially permanently at their mercy so long as I'm using this logic board?

2) My copy of OSX is edited to add the college MDM profiles by the Setup Assistant during install, yes? And this depends on my machine talking to Apple over the net during setup? If the above is true then...

3) What if I installed OSX on a backup drive connected to my laptop, and then used SuperDuper to copy that install of OSX over to my iMac (the afflicted machine)? Would this prevent the setup assistant from recognizing my iMac UUID, given that the setup assistant wouldn't be running on my iMac?

4) Worst case scenario, if I were to permanently unplug the iMac from the Net there's no way anybody else can control it, right? Doesn't the MDM control work over the Net?

Sheesh, we're all gonna be MDM experts before this is over....

Thanks as always!
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,120
Reaction score
506
1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.
2) No, the OS X installer is a normal version. The MDM profiles are installed during the Setup Assistant step, because it is enrolled in their MDM and DEP.
3) No, I believe it will still "call home" and install the profiles.
4) Yes, if it never connects to the Internet, it will not contact the MDM or Apple's (DEP) servers. But, then you won't have much flexibility for updates, etc.

The bottom line is that it needs to be removed from the MDM and DEP.

C
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
> 1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.

Thanks for this. I'm not sure why this is true, but I of course hope that it is.

> 2) No, the OS X installer is a normal version. The MDM profiles are installed during the Setup Assistant step, because it is enrolled in their MDM and DEP.

Shouldn't this mean that if I don't allow the Setup Assistant to see my iMac (the affected machine), then the MDM profiles could not be installed on it?

> 3) No, I believe it will still "call home" and install the profiles.

Ok, if this is the case, wouldn't this mean that every Mac is calling home to Apple all the time, and continually being checked against the MDM list?

If this is true, then I guess the next question would be, how do we get Apple out of our #$%^$# life? It's one thing if we voluntarily sign up for some Apple service which requires an ongoing connection with Apple. It's another thing if Apple forces that connection upon each and every user without informing them of the requirement (if that is true). Am I on to something here, or is this a false paranoid conspiracy theory?

As an example, might it be possible to configure my router to forbid all connections with Apple's servers? I realize there would be a price tag for this, but as my profile pic might suggest, I'm really uncomfortable with the government and fat cat multi-national corporations shoving their nose into my life against my will. I don't choose to be one of the mindless drone marching robot people shown in the famous 1984 Apple TV ad.

I hope it's clear that I'm not arguing with you, and am not in a position to do so anyway. I'm just trying to think this through and learn something about MDM while I am immersed in it. This kind of challenging is just part of my learning process, like a philosophy conversation.

I'll test some of my theories today while I'm awaiting word from MacOfAllTrades, probably on Monday.

Thank you again for your time! Hopefully this thread will become an informational resource on the forum for any to come who are affected by this issue.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,120
Reaction score
506
> Thanks for this. I'm not sure why this is true, but I of course hope that it is.

It is true, so no worries there. If it weren't, all Macs in the general public would be susceptible to being enrolled and controlled, which they're not.

> Shouldn't this mean that if I don't allow the Setup Assistant to see my iMac (the affected machine), then the MDM profiles could not be installed on it?

After thinking about it more, that may prevent them from being installed, but I am not totally sure. This is a gray area that I am not totally experienced with. You could experiment with it as you mentioned.

> Ok, if this is the case, wouldn't this mean that every Mac is calling home to Apple all the time, and continually being checked against the MDM list?

It is my understanding that the MDM check is only done during the Setup Assistant process.

> If this is true, then I guess the next question would be, how do we get Apple out of our #$%^$# life? It's one thing if we voluntarily sign up for some Apple service which requires an ongoing connection with Apple. It's another thing if Apple forces that connection upon each and every user without informing them of the requirement (if that is true). Am I on to something here, or is this a false paranoid conspiracy theory?

This check is also how Macs can perform an Internet Recovery OS X install and verify the licensing for the original install. It's not a conspiracy.

No worries, I know that you aren't arguing...you are just trying to learn.

C
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
> 1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.

I believe you Cory, but I don't yet understand you on this point.

Correct me if I'm wrong, but my understanding so far is my Mac is MDM infected because my UUID is on a list at Apple and the college. If they can take my number off that list, why can't they also put it back on?

As an example, imagine I got a job at the community college and brought this Mac with me for use at work. The college IT department would then re-establish control over this Mac via MDM, as they should.

How would they go about doing that? Would they require physical access to the Mac? Is there something involved in setting up MDM on a Mac other than adding a number to a list?
 
Joined
Oct 17, 2016
Messages
203
Reaction score
9
Well, I fixed it. Almost, very close. Happy to share the details if anyone finds that useful.

Still, Cory is right, the ideal solution is to get the college to remove me from their list, so still working on that.
 
