Profile feature of System Prefs in Yosemite

Joined
Oct 17, 2016
Messages
208
Reaction score
9
Are you guys familiar with the Profiles panel of System Prefs?

Here's why I'm asking. I bought a copy of Yosemite on Amazon from a nice guy. However, it looks like this was an installer used by a college, and they have added items to the Profiles section that can't be edited. Here's a screenshot.

01.png


The seller is sending me another copy of Yosemite. This will however require me to start again from scratch in setting up this machine.

I thought I'd take this opportunity to learn more about the Profiles feature, as it is new to me (upgrading from Snow Leopard). I'm wondering how concerned I should be about my current install of Yosemite, what control the college may still have and so on. Any info you can share will be an education here, thanks.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
Hello,

Correct, it looks like the copy you purchased is a custom built installer for Yosemite for a community college in MN. Technically, this isn't legal and violates Apple's licensing policy, as well as any of the third-party software that was installed. Your Mac is totally controllable by their IT department, and they are susceptible to legal action for selling Apple and other software to the public.

That being said, those are Mobile Device Management (MDM) profiles created with software from a company called jamf. They are used to institute automatic settings, software distribution, device and user management, etc. for educational and enterprise organizations. The Profiles preference pane only appears when profiles have been installed, and they can only be removed by their IT department.

I would definitely get your money back and not deal with that Amazon customer, even though they may have been very nice to deal with. Your Mac is at the college's mercy, and can actually be tracked and wiped, until you do a complete erase and install.

-Which model Mac?
-Did you ever download any of the older versions of OS X with your Apple ID from the App Store?

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Thanks so much Cory. You're right, I've been screwed.

The seller claimed no knowledge of this and immediately sent me a new installer. Which has the same issue.

Given that it's not possible to install or even use this version of Yosemite without seeing the reference to the college, I now have to assume the seller is lying, or perhaps just has no idea what he is doing. In any case, he is soon going to regret meeting me.

To expand the topic a bit, this problem started when I bought a used Mac from MacOfAllTrades. It arrived with Snow Leopard instead of the Mavericks or above promised on the sales page. Given that this is the second time they've sent a machine with a problem that could have been easily detected with a 2 minute inspection, I'm now convinced they are lying when they say they test machines. Thanks for the lying MacOfAllTrades.

Sierra is brand new, and I want nothing to do with brand new OSs from Apple. Thanks for the incompetence Apple. My understanding was and still is that Apple does not make the older version available, but please correct this if I am wrong. I did just go to the App Store again and search for Yosemite, and found nothing on Yosemite but tutorials.

So I bought the last version of El Capitan on Amazon. I installed it and set it all up only to discover that Apple has deleted important security features available in good old Snow Leopard. Thanks for the "upgrade" Apple.

So I moved on to Yosemite, installed and set it up only to discover this college IT installer issue. Thanks for the screw up Amazon seller.

So I waited for the new Yosemite installer from the Amazon seller, installed and set much of it up only to discover the college IT issue is still there, despite earnest promises from the seller. Thanks for the lying Amazon seller.

All of this could have been easily avoided if Apple simply made old versions of their OS easily available, but apparently that interferes with the fantasy that their new OSs are not beta software.

Sorry to whine, whine, whine, but it appears I'm becoming pretty fed up with everybody involved in this process. What a huge waste of time. And the thing is....

I've not really discovered any compelling new features in Yosemite or El Capitan that make all this worth it. Some improvements for sure, but some steps backwards too.

Perhaps I'll head back to Snow Leopard and stick with it until it won't run anything, and then install all my Macs in the bottom of my swimming pool, bail out of the Net, and get a life. :)

A life. A life! I used to have one of those. Now where did I put it?? It must be around here somewhere. :)
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
A new wrinkle...

The Amazon seller still claims he's never seen this problem, and it kind of makes sense. Why would he immediately send me a new install disk by priority mail if he knew the new disk had the same issue as the first one?

His theory is that Normandale College Profiles came with this Mac, and he may have a point. I bought this Mac from MacOfAllTrades, and they buy their Macs in bulk from organizations who are upgrading their machines, like perhaps a community college.

I wiped the drive clean with Disk Utility before running the installer. I've done this two or three times now. Could the Normandale College Profiles be hiding some place on the Mac that I am ignorant of? What could survive the hard drive erasure?

What say you? Is there any chance this theory might be correct? Or is it impossible?

Many thanks!
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
Hmmm...interesting...I hadn't thought of that scenario. :oops:

Yes...if the Mac you purchased from Mac of all trades was used/refurbished, then it could have previously been owned by the college and sold to Mac of all trades as you stated, still being enrolled in their jamf MDM. If that is the case, it was either never deleted from their management, which would automatically contact them through Apple's server with an Internet connection, after the installation during Setup Assistant. However, you would probably see some form of banner stating that your "Mac is being configured by Normandale CC". Or, it is possible it was stolen and wiped, in which case Mac of all trades wouldn't see that during hardware/refurbishment testing unless they completed the Setup Assistant process. I would guess the first scenario.

You could always contact Mac of all trades and inquire. Maybe the Amazon buyer is correct and it isn't embedded in the software he sold you. However, that still doesn't make it a legal copy, as Yosemite was never available on disc or flash drive. It was only available through the Apple App Store app tied to an Apple ID account.

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Cory, thanks for your ongoing advice.

I have confirmed the Amazon seller's theory. I wiped the drive clean again with Disk Utility, and installed from a completely different installer. Sure enough, the Normandale College business is still there.

Yes, I did see "your Mac is being configured by Normandale CC" at the end of the install process.

So the Amazon seller is utterly blameless, and I have apologized to him and thanked him for his patience. I'm now glad I didn't name him above.

Yes, I have a support ticket in to MacOfAllTrades and expect a reply on Monday. However, I'm not expecting much from them. I specifically asked them to test this machine prior to placing my order, they specifically said they would, and then ignored the request and sent me a Mac with the wrong OS (not those promised on the sales page). This is the second time they have done this, so I've lost all faith in their company.

To return to the technical problem, this Normandale College business appears to be hiding on this Mac somewhere beyond the reach of a Disk Utility erasure. Do you have any idea where, or how I might be able to remove it? Ideally I will learn how to fix this on my own.

Let's see.... I went to Pakistan.com and they're having a pretty good sale on nuclear weapons. That might work in cleaning this drive. However, North-Korea.com has free shipping on all nuke orders, so that's appealing too. Hmm... I wonder if they would be willing to ship my nuke order directly to MacOfAllTrades?
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
Good...we have progress.

Nice that you let the Amazon seller know. I apologize for putting the blame on him as well. After I read your response, I thought it through, and realized that it probably wasn't in the installer, since Macs are enrolled individually in the jamf MDM - either as part of an installer script during imaging, or after the fact for Macs already in the field using a jamf application. Older MDM systems would allow the profiles to be installed in different ways than the more current ones.

It will be interesting to see what the response from Mac of all trades is. I would guess that they did run a hardware diagnostic and other testing, but that they didn't go through the Setup Assistant as I mentioned previously. That is why they didn't catch this.

The college profiles aren't hiding anywhere on the Mac or the installer, so you won't be able to remove them by wiping the hard drive. When a Mac is enrolled in an MDM, it stays that way until it is removed. It is a security feature that aids in recovery of lost or stolen equipment, as well as allows a way to remotely install software, set configuration defaults, and perform remote configuration and management of the Mac. It is very useful for IT departments, because Macs do not have to come back for hands-on configuration and management. It can be done remotely and in bulk to a large number of Macs simultaneously.

There isn't a way around it, as you have seen. You can erase the drive and reinstall any version of OS X. But, when you go through the Setup Assistant, it contacts Apple when you add a wired/wireless network. At this point, the college's servers are linked to Apple through the MDM, and it "calls home" to the MDM to say "hey, I am here and online, this is my hardware profile and location, send me the configuration profiles for whatever building/department/organizational group I am part of".

Ultimately, the college needs to be contacted to have your Mac unmanaged and deleted from their MDM. Once this is done, the profiles will automatically disappear from the Mac. They may or may not have to remove the serial number from their Apple Device Enrollment Program records as well, depending on how the Mac was purchased and/or added. That will completely break the link between your Mac - Apple - Normandale, and you will not see the "your Mac is being configured by Normandale CC" during the Setup Assistant.

Hope that gives you a better picture of what is happening here, and what needs to happen to resolve the issue.

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Thanks again Cory, having your guidance on this issue is very very helpful. I'd still be largely in the dark about this without you.

If you know, where exactly is this data stored on the Mac? As example, if I ripped this hard drive out and replaced it would that break the connection? Or is the connection data stored somewhere else? It must be physically on this machine somewhere, right?

The best I can offer you in return for your assistance is a closer look at MacOfAllTrades. As best I can tell, they don't test machines before shipping them out, despite promising that on their site and in private. Here's how I came to that conclusion.

A few years back I bought a laptop from them which arrived with a jammed space bar. Even a three minute review of the laptop prior to shipping would have found that problem. I was a good sport about it, figuring everybody makes mistakes sometimes including me.

Before I bought this Mac I contacted them and reminded them of the laptop story and asked them to carefully review this machine prior to shipping. They said they always do that and of course would in this case. And the machine arrived with Snow Leopard, instead of the Mavericks or above promised on the sales page. Again, a problem which could have easily been discovered with any kind of inspection.

They don't admit to or apologize for any of this. They do respond to tickets, but their mindset is that they are doing you a favor by helping you with "your problem". They seem to conceive of quality control as a favor they do for whiners like me, instead of an essential tool for protecting their brand. As you can see, using this mindset they have successfully converted me from a once happy customer to a negative word of mouth machine.

Point being, I don't have high hopes for MacOfAllTrades' participation on this issue, and of course the community college doesn't know me or owe me anything, so who knows if they will be cooperative. They may see me as some stranger trying to run a scam on them.

Thus, I'm thinking ahead to what I'm going to have to do if I'm on my own here. Thankfully, I at least now know what the problem is, thanks much for that.
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
The Amazon seller has suggested....

"I think you have a netinstall/netboot partition hidden on the hard drive that is forcing these changes. When you reformat the disk, make sure you are choosing the ENTIRE disk, and not just the OS partition."

Any chance this will work? I think I've been doing that, but not entirely sure.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
No worries...glad to help.

I believe your Mac's Hardware UUID is what is used to tie the Mac to the jamf MDM system. The only way to break that link is to have the Mac unmanaged and deleted from the college's MDM system, or to do a logic board swap.

If Mac of all trades isn't helpful or won't assist, then your only course of action is to contact the school and explain the situation, or replace the logic board.

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Thanks again Cory. Logic board, ouch. Not what I want to hear of course, but what I need to hear for sure.

Ok, I'll give diplomacy a shot as the first step. I'll probably hear from MacOfAllTrades on Monday, will report on that when it happens.
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Cory, if your time and interest permits, would you like to comment upon the following?

1) Technically, my Mac will always be under control of the college because if they can take me off an MDM list they can put me back on at any time, right? In your view, am I essentially permanently at their mercy so long as I'm using this logic board?

2) My copy of OSX is edited to add the college MDM profiles by the Setup Assistant during install, yes? And this depends on my machine talking to Apple over the net during setup? If the above is true then...

3) What if I installed OSX on a backup drive connected to my laptop, and then used SuperDuper to copy that install of OSX over to my iMac (the afflicted machine)? Would this prevent the setup assistant from recognizing my iMac UUID, given that the setup assistant wouldn't be running on my iMac?

4) Worst case scenario, if I were to permanently unplug the iMac from the Net there's no way anybody else can control it, right? Doesn't the MDM control work over the Net?

Sheesh, we're all gonna be MDM experts before this is over....

Thanks as always!
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.
2) No, the OS X installer is a normal version. The MDM profiles are installed during the Setup Assistant step, because it is enrolled in their MDM and DEP.
3) No, I believe it will still "call home" and install the profiles.
4) Yes, if it never connects to the Internet, it will not contact the MDM or Apple's (DEP) servers. But, then you won't have much flexibility for updates, etc.

The bottom line is that it needs to be removed from the MDM and DEP.

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.

Thanks for this. I'm not sure why this is true, but I of course hope that it is.

2) No, the OS X installer is a normal version. The MDM profiles are installed during the Setup Assistant step, because it is enrolled in their MDM and DEP.

Shouldn't this mean that if I don't allow the Setup Assistant to see my iMac (the affected machine), then the MDM profiles could not be installed on it?

3) No, I believe it will still "call home" and install the profiles.

Ok, if this is the case, wouldn't this mean that every Mac is calling home to Apple all the time, and continually being checked against the MDM list?

If this is true, then I guess the next question would be, how do we get Apple out of our #$%^$# life? It's one thing if we voluntarily signup for some Apple service which requires an ongoing connection with Apple. It's another thing if Apple forces that connection upon each and every user without informing them of the requirement (if that is true). Am I on to something here, or is this a false paranoid conspiracy theory?

As example, might it be possible to configure my router to forbid all connections with Apple's servers? I realize there would be a price tag for this, but as my profile pic might suggest, I'm really uncomfortable with the government and fat cat multi-national corporations shoving their nose in to my life against my will. I don't choose to be one of the mindless drone marching robot people shown in the famous 1984 Apple TV ad.

I hope it's clear that I'm not arguing with you, and am not in a position to do so anyway. I'm just trying to think this through and learn something about MDM while I am immersed in it. This kind of challenging is just part of my learning process, like a philosophy conversation.

I'll test some of my theories today while I'm awaiting word from MacOfAllTrades, probably on Monday.

Thank you again for your time! Hopefully this thread will become an informational resource on the forum for any to come who are affected by this issue.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
Thanks for this. I'm not sure why this is true, but I of course hope that it is.

It is true, so no worries there. If it weren't, all Macs in the general public would be susceptible to being enrolled and controlled, which they're not.

Shouldn't this mean that if I don't allow the Setup Assistant to see my iMac (the affected machine), then the MDM profiles could not be installed on it?

After thinking about it more, that may prevent them from being installed, but I am not totally sure. This is a gray area that I am not totally experienced with. You could experiment with it as you mentioned.

Ok, if this is the case, wouldn't this mean that every Mac is calling home to Apple all the time, and continually being checked against the MDM list?

It is my understanding that the MDM check is only done during the Setup Assistant process.

If this is true, then I guess the next question would be, how do we get Apple out of our #$%^$# life? It's one thing if we voluntarily signup for some Apple service which requires an ongoing connection with Apple. It's another thing if Apple forces that connection upon each and every user without informing them of the requirement (if that is true). Am I on to something here, or is this a false paranoid conspiracy theory?

This check is also how Macs can perform an Internet Recovery OS X install and verify the licensing for the original install. It's not a conspiracy.

No worries, I know that you aren't arguing...you are just trying to learn.

C
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Hi again Cory, ye the most helpful Mac forum admin who ever lived.

So I did the experiment, here's what I learned.

1) I installed Yosemite on a backup drive connected to my laptop. No MDM appears, confirming again that the OSX install disks are not the source of MDM.

2) I then unplugged my router, and booted the iMac (the MDM afflicted machine) from the Yosemite install partition on the backup disk. Again no MDM appears, confirming that Net access is required for the calling home to Apple process.

3) I then turned the router back on, and something interesting happened. Within less than a minute an alert popped up giving me the option to install the MDM Profiles. I declined the option, and MDM did not install.

First, this confirms your idea that the Mac is continually calling home to Apple to test the Mac serial number against the MDM list. More on this later...

Second, isn't it odd that it's giving me the option to install the MDM profiles?? I've had to install OSX about ten times over the last week and I now recall that it sometimes gives the option, and sometimes it doesn't. Can make no sense of this.

Third, it remains to be seen what may happen over the coming days. The experiment continues, and I will report back if anything new happens.

OPTIONAL EDITORIAL:

First, I totally agree that everybody is entitled to have whatever relationship with Apple works for you. But "everybody" includes me. And for me, just one guy's opinion, having Apple constantly snooping around on my Mac without warning and without permission is very offensive.

If readers should find that extreme, then consider how you might feel if the software came from me instead of Apple, and my software was constantly sending hidden data (there's no way for you to know what) from your machine back to my servers, without warning or disclosure, and without your permission.

I'm guessing you might wind up being quite mad at me the developer of such software, in fact, outraged. This would likely be doubly so if you had paid me $1500 or more for the Mac, which you thought then belonged to you.

To me, if readers should find it entirely acceptable that Apple do this, but would find it scandalous if another developer/vendor did exactly the same thing, that is evidence of an Apple Religion. Such a phenomenon represents the same kind of blind unquestioning obedience to large powers which Apple was founded to resist. That is, such thinking is very much NOT "thinking differently".

The solution here is simple. Apple, or any developer, should very clearly disclose what information they want to obtain from your Mac, and make that a transparent opt-in choice.

Apple reports they have over 66,000 employees in the U.S. Like humans everywhere, some of these people will be great, and some will not. That's who you're sending your data to against your will, large numbers of anonymous people of unknown personal qualities.

OMG, you've been hacked!!! :)
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
1) No. If they remove your Mac from their jamf MDM and Apple DEP, they cannot re-enroll it.

I believe you Cory, but I don't yet understand you on this point.

Correct me if I'm wrong, but my understanding so far is my Mac is MDM infected because my UUID is on a list at Apple and the college. If they can take my number off that list, why can't they also put it back on?

As example, imagine I got a job at the community college and brought this Mac with me for use at work. The college IT department would then re-establish control over this Mac via MDM, as they should.

How would they go about doing that? Would they require physical access to the Mac? Is there something involved in setting up MDM on a Mac other than adding a number to a list?
 
Joined
Oct 17, 2016
Messages
208
Reaction score
9
Well, I fixed it. Almost, very close. Happy to share the details if anyone finds that useful.

Still, Cory is right, the ideal solution is to get the college to remove me from their list, so still working on that.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,105
Reaction score
497
The point is this...it cannot be enrolled again after deletion, because they would need several pieces of information to re-enroll it: UUID, serial number, IP address, etc. Basically, the serial number is added to Apple's DEP and assigned to the college's MDM server. Once it is there, they can fully enroll it as part of the imaging process, or run an application to enroll it into the MDM remotely using its local network IP. The MDM then gathers all the system information for the record, including UUID, serial number, and IP address.

Because it is then enrolled in the MDM and registered with DEP, the security/tracking components come into play, as well as the ability to automatically configure it if it is erased completely, when it contacts Apple's servers during the Setup Assistant phase. Apple's DEP knows it is owned/managed by the college, and the MDM takes over and installs anything for the pre-stage enrollment group that the Mac is already assigned to.

There is actually a bit more to it, but that is a general overview of the process.

Hope that helps,

C
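
Added example, not part of the original thread or any poster's words: a toy Python model of the lookup described in the replies above, showing why the profiles return after a disk erase and stop only once the serial number is released. The class names, placeholder serials and profile names are constructed for illustration, and the only behaviour assumed is the one stated in the thread: Setup Assistant, when online, looks the serial number up and the assigned MDM server supplies the profiles.

```python
"""Toy model of the DEP/MDM lookup discussed in this thread (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class MdmServer:
    """Stands in for the organisation's MDM server (jamf in the thread)."""
    name: str
    profiles: list
    managed: set = field(default_factory=set)  # serials this server still manages

    def profiles_for(self, serial):
        return list(self.profiles) if serial in self.managed else []


@dataclass
class EnrollmentService:
    """Stands in for the Device Enrollment Program records (serial -> MDM server)."""
    assignments: dict = field(default_factory=dict)

    def assign(self, serial, server):
        self.assignments[serial] = server
        server.managed.add(serial)

    def release(self, serial):
        # The organisation unmanages the Mac and removes the serial from its records.
        server = self.assignments.pop(serial, None)
        if server is not None:
            server.managed.discard(serial)

    def lookup(self, serial):
        return self.assignments.get(serial)


@dataclass
class Mac:
    serial: str                                  # hardware identity, not stored on the disk
    disk_profiles: list = field(default_factory=list)

    def erase_and_reinstall(self):
        self.disk_profiles = []                  # a full erase removes everything on the disk

    def setup_assistant(self, dep, online=True):
        if not online:                           # no network, so no lookup takes place
            return self.disk_profiles
        server = dep.lookup(self.serial)
        if server is not None:
            self.disk_profiles = server.profiles_for(self.serial)
        return self.disk_profiles


def run_thread_scenarios():
    """Replay the observations reported in the thread against the model."""
    college = MdmServer("Example College MDM", ["Wi-Fi settings", "Restrictions"])
    dep = EnrollmentService()
    imac = Mac(serial="SERIAL-IMAC-0001")        # constructed placeholder serials
    laptop = Mac(serial="SERIAL-LAPTOP-0002")
    dep.assign(imac.serial, college)             # enrolled by the previous owner

    results = {}
    imac.erase_and_reinstall()
    results["imac_after_erase_online"] = imac.setup_assistant(dep)
    laptop.erase_and_reinstall()                 # same installer, unenrolled hardware
    results["laptop_same_installer"] = laptop.setup_assistant(dep)
    imac.erase_and_reinstall()
    results["imac_offline"] = imac.setup_assistant(dep, online=False)
    dep.release(imac.serial)                     # the fix recommended in the thread
    imac.erase_and_reinstall()
    results["imac_after_release"] = imac.setup_assistant(dep)
    return results


if __name__ == "__main__":
    for scenario, profiles in run_thread_scenarios().items():
        print(f"{scenario}: {profiles}")
```

The state that matters lives in the two server-side records keyed on the serial number, which is why nothing done to the disk or the installer changes the outcome.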
 
