Hi all,
So I work for a company that uses MDS to deploy 10.14 and 10.15 images to Apple devices. Recently, we have had several units get RMA'd because when the customer receives the unit, it is MDM locked. I know there are several different companies that provide MDM solutions (Jamf, Kandji, etc.), but what I am trying to figure out is how I can go about scripting a step in the MDM workflow to detect whether the device is managed or not. If the device is managed, we would want it to display an error on the screen to let the technician know that the device is managed.
Our problem is that we currently use a script to kick off data destruction, which secure erases the drive and then applies an image to the hard disk. After this process is complete, we have another step that resets the computer back to booting into the welcome screen (like when you get a brand new Mac and it prompts you to set up a user and password, etc.). At this point, the computer has already been audited and is ready to be sold. However, if the unit has MDM and you step through the first few screens after the welcome dialog (select your country, then select your network or choose the option not to connect to the internet), either option will bring you to the Remote Management lock dialog.
We need the ability to at the very least detect the presence of MDM on a given computer. Is there some way to do this via the command prompt inside of recovery mode? I do not fully understand how the MDM enrollment process works, but obviously erasing the drive does not get rid of the enrollment (nor should it).
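A detection step of the kind asked about, written here as an added example (not code from the original post or from MDS): it classifies the output of `profiles status -type enrollment` (present on macOS 10.13.4 and later) and fails loudly when the Mac reports DEP or MDM enrollment. It assumes the check runs from the booted, freshly imaged system with the network up rather than from the Recovery environment, since the DEP line reflects what that system has learned from Apple's activation servers; the parsing is kept in its own function so it can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example: flag a Mac that is still DEP/MDM enrolled before it is resold.
# Assumption: runs on the booted macOS install (10.13.4+), after networking is up.

# Reads `profiles status -type enrollment` output on stdin and prints one of
# managed / unmanaged / unknown. Exit code: 0 unmanaged, 1 managed, 2 unknown.
classify_enrollment() {
    out=$(cat)
    # Typical lines:  "Enrolled via DEP: Yes"   "MDM enrollment: Yes (User Approved)"
    dep=$(printf '%s\n' "$out" | awk -F': *' 'tolower($1)=="enrolled via dep" {print $2}')
    mdm=$(printf '%s\n' "$out" | awk -F': *' 'tolower($1)=="mdm enrollment" {print $2}')
    if [ -z "$dep" ] && [ -z "$mdm" ]; then
        echo unknown
        return 2
    fi
    case "$dep $mdm" in
        *Yes*) echo managed;   return 1 ;;   # either a DEP record or an active MDM profile
        *)     echo unmanaged; return 0 ;;
    esac
}

# Runs the real command on the Mac under audit and tells the technician the result.
# `profiles renew -type enrollment` asks Apple for the device's activation record
# first, so a freshly imaged Mac is not judged on an empty cache (needs network).
check_mac_management() {
    profiles renew -type enrollment >/dev/null 2>&1 || true
    result=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
    case "$result" in
        managed)
            echo "ERROR: this Mac reports DEP/MDM enrollment - do not ship" >&2
            osascript -e 'display alert "Device is MDM managed" message "Stop: this unit will hit the Remote Management lock at setup." as critical' >/dev/null 2>&1
            return 1 ;;
        unmanaged)
            echo "OK: no DEP record or MDM enrollment reported"
            return 0 ;;
        *)
            echo "WARNING: could not determine enrollment state (is profiles available?)" >&2
            return 2 ;;
    esac
}

# Constructed sample output, used only when run directly on a non-Mac for a dry run.
if [ "${1:-}" = "--selftest" ]; then
    printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n' | classify_enrollment
fi
```

In an MDS or first-boot workflow, call `check_mac_management` and stop the workflow on a non-zero return so the unit never reaches the reset-to-welcome-screen step.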