DISCLAIMER: Do not do this unless you OWN the device in question. If your organization has provided you with a device for educational or business purposes, tampering with its enrollment may get you terminated. This material is for educational purposes only! It is not an endorsement of theft or of any practice that violates local or federal law in the United States.
Uh-oh! You just bought a second-hand MacBook on eBay and you’re greeted with the dreaded Device Enrollment screen during setup. If you’re into the used (Apple) electronics market like I am, this has probably happened to you at least once. Surely there isn’t anything wrong with a MacBook being sold at 20% of market value… right? The good news is that you likely have recourse with the seller to return the product and get your money back. Or, in the case of a MacBook, you can boot off an external drive and you probably won’t notice the lock at all. What fun is that though?
What is the Device Enrollment Program?
I’m glad you asked. It’s actually a pretty interesting feature that Apple builds into all of its devices. If you’re already in IT or systems administration, you’re probably familiar with Mobile Device Management, or “MDM”, platforms. These are most commonly used to administer devices such as laptops, phones, and tablets that are owned by a business or school. An MDM lets a device be set up with a pre-configured set of rules, applications, and information about the organization.
Apple’s built-in hook for automatic MDM enrollment is called DEP, or the Device Enrollment Program (today part of Apple Business Manager and Apple School Manager). While a device can be “registered” to an organization manually through another program, DEP allows a device to be assigned to the organization’s MDM before it’s ever taken out of the box. When an organization purchases an Apple device, that product’s serial number can be added automatically to the owner’s “Apple Business” or “Apple Education” account. When the device is set up for the first time, it pulls the enrollment record for its serial number from Apple’s activation servers and is pointed at the organization’s MDM.
Apple has a more widely known “lock” for its devices, the “Activation Lock”. This is tied to an end user’s iCloud account / Apple ID and exists to discourage the resale of stolen goods and to protect the owner’s personal information. Unlike a DEP lock, an Activation Lock can be removed by Apple directly, provided you have all of your documentation in order (papers, please!). DEP locks can “only” be removed by the organization that enrolled the device (this is generally true; it’s a more complicated topic). However, it is possible to bypass a DEP lock and still use the device!
So you’ve got a DEP-locked machine, and you’ve decided not to return it to the seller. Perhaps you don’t want the hassle or expense of running the machine off an external drive? It is possible, under specific circumstances, to bypass a DEP lock. There is never a guarantee here, and if you still don’t understand how to do it after reading this, I can’t help you. I will be as thorough as possible.
Bypassing a DEP lock without third-party software (or $$$) is only possible on the MacBook, Mac Pro and iMac. I have yet to come across a DEP-locked iMac or Mac Pro, but the method applies all the same. The reason is that we need a root shell with write access to the system files, which macOS Recovery gives us. On non-macOS devices (iPhone, iPad) that level of access requires a jailbroken device or a second system running a boot injector, so they are out of scope here. Below is a short list of MacBook models I have personally tested this method on.
Which versions of macOS are supported?
macOS Catalina (10.15.2 through 10.15.7) is your best bet, and is the basis of this guide.
macOS Big Sur (11.5.1 tested) should be avoided. You can downgrade any Intel MacBook that originally shipped with Catalina or earlier (a Mac cannot run a macOS release older than the one it shipped with). More on this below.
2015 and older
Due to the lack of a T1/T2 security chip, this should work for any MacBook made prior to 2016 that can run macOS Catalina 10.15.7. So will this work on a 13″ MacBook Air (2015)? 100%, I have one in front of me!
The introduction of the T1 security chip in the 2016 MacBook Pro with Touch Bar (the 2016 13″ model without a Touch Bar has no T1) makes this process both harder and easier at the same time, strangely enough. More on this later. Both the 13.3″ and 15.4″ models will work; my success rate is roughly 70%.
The second-generation security chip, the T2 (2018 and later MacBook Pro and Air), introduces further issues with this bypass method. There is no guarantee this method will work, YMMV. Tested on both the 13.3″ and 15.4″ models, 30% success rate as of today.
I highly, highly suggest not doing this on an Apple silicon (M1) MacBook (first released in late 2020). You will seriously consider jumping from a cliff during the process. I have never gotten it to work properly, and the methods of doing it cause insufferable frustration.
All set? Here’s what you need to get started: a decent internet connection, preferably Ethernet rather than Wi-Fi. Yes, that probably means finding a USB-to-RJ45 adapter. That’s basically it, although if you’re not a patient or technical person, maybe find someone who is.
If you’re working with a T1/T2 machine, I highly suggest having another macOS machine available with Apple Configurator 2 installed (and a cable to connect the two). For example, my “target” (locked) machine is a 2018 MacBook Pro 13″, and my “host” machine running AC2 is a 2019 MacBook Pro 16″. They are linked by a USB-C to USB-C cable through mirrored ports (front left -> front left); DFU mode only works through one specific port, so check Apple’s revive/restore support article for the correct port on your model. I’ll explain why I recommend this seemingly extraneous step later.
Let’s Get Started
Shut down the machine. Power it back up into macOS Recovery by holding Command-R immediately after pressing the power button; once the Apple logo and loading bar appear, you can let go. Reference this support article if you need help. Now that we’re in, you need to completely erase the internal disk using Disk Utility. I hope you have your data backed up! It might not make a huge difference, but erase the whole physical disk rather than just deleting the container or volume group. Connect to the internet and then reinstall macOS.
PAY ATTENTION! Once the machine reboots, you will get a loading screen with a “time remaining” message. Once this finishes and it reboots again, you must immediately go back into Recovery (Command-R)! It’s probably OK if you miss it and have to reboot from the Setup Assistant screen, but take no chances. This is especially true if the system retains your internet connection from the install and is able to run the cloudconfigurationd daemon to pull the activation record(s) from the cloud. To clarify, this has been my personal experience and may not be 100% accurate to how your system will function.
We’re back at the Recovery utilities, great! We have a fresh copy of macOS installed, and hopefully it hasn’t reached out to the activation servers yet. This is the point where the difference between Catalina and Big Sur becomes apparent. Starting with El Capitan, Apple introduced “System Integrity Protection”, or SIP. This prevents modification of macOS system-level files, even by root. It is both a curse and a blessing, depending on how much modification you need to do on your machine. From El Capitan to Catalina, disabling SIP required one command (run from the Recovery terminal, since csrutil refuses to change the setting from a normal boot) and a reboot. With the introduction of Big Sur, things changed drastically.
Big Sur stores a cryptographic hash of every file on the system volume in the filesystem’s metadata, builds a hash tree over those hashes, and has Apple sign the root of that tree (the “seal”). When a file is read, its hash is checked against the tree, so any modification or tampering is detected. If the seal fails to verify, the volume will not boot with the protection enabled and the usual remedy is to reinstall macOS; if the failure happens during a system update, the update is rolled back to the previous snapshot. This system is known as the “Signed System Volume”, or SSV. It is managed alongside SIP (csrutil controls both) and, from my understanding, is essentially another layer of security inside it. You can read more about it from Apple here.
Do you really want to try it? Best of luck to you, here are the commands.
csrutil authenticated-root disable
Great, reboot (back into Recovery) and it’s off. The catch? macOS boots from a sealed snapshot of the system volume, not from the volume itself, so any edits you make to the volume are not visible until you create a new bootable snapshot. From the Recovery terminal, find the system volume’s device identifier with diskutil list, then mount the underlying volume (not the snapshot) read-write at a scratch mount point:
mkdir /Volumes/mnt
mount -o nobrowse -t apfs /dev/diskXsY /Volumes/mnt
Make your modifications under /Volumes/mnt, then create a new bootable snapshot from the modified volume with SSV disabled:
bless --folder /Volumes/mnt/System/Library/CoreServices --bootefi --create-snapshot
Obviously these commands should be altered to fit your disk and volume layout (diskXsY and the /Volumes/mnt mount point are placeholders), and no sudo is needed because the Recovery terminal already runs as root. “bless” is the command used to set volume bootability and the active boot volume.
Removing the Lock
Once you’re in Terminal, you must disable SIP and then reboot. You can do this with the csrutil disable and reboot commands. Don’t forget to go back into Recovery when it reboots! You should get back into the terminal after this reboot, and you will be able to modify system-level files, which we will do now. Enter the following commands one line at a time (the Recovery terminal runs as root, so no sudo is needed). I’ll explain these commands in detail right after, if you want to read that before proceeding.
cd "/Volumes/Macintosh HD/System/Library"
mkdir LaunchDaemons.disabled LaunchAgents.disabled
mv LaunchDaemons/com.apple.ManagedClient* LaunchDaemons.disabled/
mv LaunchAgents/com.apple.ManagedClient* LaunchAgents.disabled/
cd ../../etc
echo "0.0.0.0 albert.apple.com" >> hosts
echo "0.0.0.0 iprofiles.apple.com" >> hosts
echo "0.0.0.0 mdmenrollment.apple.com" >> hosts
echo "0.0.0.0 deviceenrollment.apple.com" >> hosts
echo "0.0.0.0 gdmf.apple.com" >> hosts
csrutil enable
Let me explain exactly what we did here. The first line changes our working directory to the /System/Library location on the freshly installed OS volume; you may need to change “Macintosh HD” to whatever your OS volume is labelled (the Recovery terminal shows every mounted volume under /Volumes, so check the exact name there). If you get a “read-only file system” error at any of the following steps, remount that volume read-write first (the -uw flag of the mount command does this). Once we’re in the right location, we need to create two folders using
mkdir. Next we need to move the files actually associated with DEP enrollment, so we use an asterisk to catch all of the launchd property lists whose names start with com.apple.ManagedClient. LaunchDaemons and LaunchAgents are the two directories of launchd job definitions that need to be “disabled”, and the safest way to do so is to move their plists to a location launchd doesn’t read, so they can be put back later. Then we change directory again, this time using ../ to step up the directory tree, ending up in the /etc folder of the same volume.
This folder contains the system’s “hosts” file, which maps hostnames to IP addresses and is consulted before DNS. In order to block the machine from communicating with Apple’s enrollment servers, we point several domains at 0.0.0.0, an unroutable address, so the connection fails immediately and no enrollment record can be pulled during activation. Note: you may run into trouble with iMessage or your Apple ID by zeroing out albert and iprofiles, so I’ve been told, and gdmf.apple.com is also used by Software Update, so expect that to misbehave until you remove the entry. The rest of the hosts should be self-explanatory. Finally we re-enable SIP so that the system is protected again when we boot back into macOS.
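As an added example (not part of the original guide), here is the same set of edits wrapped in shell functions that take the mounted OS volume root as an argument, so you can rehearse the procedure against a scratch directory before running it from the Recovery terminal, plus a small parser for the output of macOS’s profiles status -type enrollment command to check the result once you are through Setup Assistant. The function names, the *.disabled layout, the idempotency checks and the apply/verify wrapper are my additions; the plist glob and the five hostnames are the ones from the guide, and csrutil is deliberately left out so the script runs anywhere.

```bash
#!/bin/sh
# Added example, not code from the guide. Wraps the Recovery-terminal edits in
# functions that take the OS volume root as an argument, so they can be rehearsed
# on a scratch directory first. Assumed/invented here: the function names, the
# *.disabled layout and the idempotency checks. The plist glob and host list are
# the guide's own. csrutil is intentionally not called, so this runs anywhere.
set -u

DEP_HOSTS="albert.apple.com iprofiles.apple.com mdmenrollment.apple.com deviceenrollment.apple.com gdmf.apple.com"

# Move every com.apple.ManagedClient* launchd plist out of LaunchDaemons and
# LaunchAgents into a sibling *.disabled directory. Prints how many were moved,
# so a second run printing 0 means the step was already done.
disable_managedclient() {
  vol="$1"
  moved=0
  for dir in LaunchDaemons LaunchAgents; do
    src="$vol/System/Library/$dir"
    dst="$vol/System/Library/$dir.disabled"
    [ -d "$src" ] || continue
    mkdir -p "$dst"
    for f in "$src"/com.apple.ManagedClient*; do
      [ -e "$f" ] || continue   # glob matched nothing: skip the literal pattern
      mv "$f" "$dst/" && moved=$((moved + 1))
    done
  done
  echo "$moved"
}

# True if hostname $2 is already mapped to an IP in hosts file $1
# (exact match on the second column; comment lines never match).
host_pinned() {
  awk -v h="$2" '$1 ~ /^[0-9.]+$/ && $2 == h { found = 1 } END { exit !found }' "$1"
}

# Append 0.0.0.0 entries for the enrollment hosts, skipping any that are already
# present so the file does not fill up with duplicates. Prints the number added.
block_dep_hosts() {
  vol="$1"
  hosts="$vol/etc/hosts"
  added=0
  mkdir -p "$vol/etc"
  touch "$hosts"
  for h in $DEP_HOSTS; do
    if ! host_pinned "$hosts" "$h"; then
      printf '0.0.0.0 %s\n' "$h" >> "$hosts"
      added=$((added + 1))
    fi
  done
  echo "$added"
}

# Returns 0 only when no ManagedClient plist is still active and every
# enrollment host is pinned. Run this before rebooting out of Recovery.
verify_bypass() {
  vol="$1"
  for dir in LaunchDaemons LaunchAgents; do
    for f in "$vol/System/Library/$dir"/com.apple.ManagedClient*; do
      if [ -e "$f" ]; then return 1; fi
    done
  done
  [ -f "$vol/etc/hosts" ] || return 1
  for h in $DEP_HOSTS; do
    host_pinned "$vol/etc/hosts" "$h" || return 1
  done
  return 0
}

# Reads the output of `profiles status -type enrollment` (run as root once the
# Mac is through Setup Assistant) on stdin and prints yes/no taken from its
# "Enrolled via DEP:" line, or "unknown" if that line is absent.
dep_enrolled() {
  awk -F': *' 'tolower($1) ~ /enrolled via dep/ { print tolower($2); found = 1 }
               END { if (!found) print "unknown" }'
}

# Stand-alone use from Recovery, after "csrutil disable" and the reboot:
#   sh dep_bypass.sh "/Volumes/Macintosh HD"
if [ $# -gt 0 ]; then
  echo "moved $(disable_managedclient "$1") ManagedClient plist(s)"
  echo "added $(block_dep_hosts "$1") hosts entries"
  if verify_bypass "$1"; then
    echo "verified: ManagedClient disabled and enrollment hosts pinned"
  else
    echo "verification FAILED, do not reboot yet" >&2
    exit 1
  fi
fi
```

Point it at a throwaway directory laid out like an OS volume (System/Library/LaunchDaemons, System/Library/LaunchAgents, etc) to see what it will do, then run it against the real volume root from Recovery. The verify step is the check worth making before rebooting: it fails if any ManagedClient plist is still in place or any of the five hosts is missing, and since both edit functions print 0 on a repeat run, rerunning after a partial attempt is harmless.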
We’ve gone through all of the steps required to bypass the DEP enrollment process during setup, so you should be good to reboot normally, without any startup keys. If you still end up with the DEP screen, restart the whole process: wipe the drive, reinstall, and modify the system files again. Sometimes you just get unlucky and something doesn’t stick. Once you are through Setup Assistant, macOS’s profiles tool can report whether the machine still considers itself enrolled via DEP, which is a quicker check than waiting to see whether a management profile appears.
For 2016 and later MacBooks: this is where having a second “host” machine comes in handy. Due to the security chip on these models, the machine may appear “permanently” enrolled in DEP no matter how many times you reinstall the OS. Reviving the firmware with Apple Configurator 2 can remedy this. Hook up the machines and put the target (locked) machine into DFU mode; you can read how to do this here. Choose the “revive” option (firmware only) unless you also want to wipe the drive and reinstall macOS at the same time, which is what “restore” does.
Hopefully it only takes a few tries to get this whole process down. Once you’ve successfully done it a few times it becomes second nature. Leave a comment if this worked for you, or if you come across any weird behavior.