Vexluna

When enrolling an Apple device via <a href="https://support.vexluna.com/en/articles/12951932-automated-device-enrollment-via-apple-business-manager-or-apple-school-manager">Automated Device Enrollment</a>, you have an option to lock the enrollment.

Non-locked enrollments can be removed from the Settings app, and the device will not be erased when removed, although MDM-installed apps and data will be removed from the device. If the device is supervised, it will lose its supervised state once unenrolled from MDM.

When you manually enroll a device in Apple Business Manager or Apple School Manager using Apple Configurator, enrolling the device in MDM begins a 30-day <i>provisional enrollment</i>.

Provisional enrollment does not affect devices added to ABM by an Apple authorized reseller.

While ADE enrollment is usually mandatory in Setup Assistant, a provisionally enrolled device presents an option to instead remove the device from its organization. If the user selects this option, MDM enrollment will be skipped <b>and the device will be released from ABM</b>.

Additionally, once a provisionally enrolled device is activated and enrolled in MDM, an option will be presented in Settings to unenroll the device. Doing so will factory reset the device and it will be released from ABM.

Some provisionally enrolled devices will display a footnote on the lock screen indicating that the user can leave device management in Settings.

Once the provisional enrollment period lapses, the enrollment becomes truly locked and can no longer be unenrolled.

To prevent end-users from unenrolling organization-owned devices during the provisional period, activate newly ABM-enrolled devices in MDM, then store them for 30 days before delivering them to users. Once the provisional period expires, you can wipe the device and enroll it again without going through another provisional enrollment.

The provisional period only begins once the device is activated in MDM, not when it's enrolled in ABM.

Devices under locked enrollments can still be erased, even if you enable the policy to disable the Erase All Content and Settings option in Settings.

Anyone can erase a device by putting it into <a href="https://support.apple.com/en-us/118106" rel="nofollow noopener noreferrer" target="_blank">DFU mode (also called recovery mode)</a> and restoring it with a computer, even if it's under a locked enrollment or they don't know the passcode. If this happens, Vexluna has no way of detecting it.

Devices that still have an ADE profile assigned will require re-enrollment during activation (unless in the provisional period). If you're concerned about theft of organization-owned devices, we recommend using <a href="https://support.vexluna.com/en/articles/13050555-organization-activation-lock">Organization Activation Lock</a>.

Prevent MDM enrollments from being removed on Apple devices

Locked Enrollment

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Locked Enrollment

Devices Recently Enrolled in ABM/ASM

Erasing Locked Devices