If you’re using an MDM solution with your iPads you may have noticed that your users can easily remove any management profile they wish. Here’s why, and what you can do about it.


UPDATE March 2014: Apple has announced the Device Enrollment Program which will resolve this issue for many schools. Find out more about DEP here.

Mobile Device Management (MDM) is an extremely useful tool for schools managing large numbers of iPads allowing administrators to remotely push apps and settings to iOS devices.

There are a wide range of MDM solutions available from free cloud hosted services like Meraki, self-hosted options like SCCM 2012, and high-end feature rich services like AirWatch and Casper Suite.

But there’s a problem that affects every one of the available MDM services, including Apple’s own Profile Manager.

MDM profile settings are applied via Apple’s MDM API for iOS. One of the restrictions of the MDM API is that the end-user — your teachers and students — can simply remove any applied management profiles by opening Settings > About > Profiles.

The single exception to this are management profiles created and installed by Apple Configurator.

You’ve probably noticed in your MDM solution’s settings an option to enter a password to prevent the profile being removed. This does not resolve the problem. From Meraki’s website:

The ‘Meraki Management’ profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the ‘Meraki Management’ profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.

How Can I Stop Teachers and Students Removing iPad Management Profiles?

At the time of writing there is no solution to this problem. The situation is the same for all MDM solutions, including high-end options like AirWatch and Casper Suite.

This issue is a major problem for administrators responsible for managing fleets of iPads. The fact that the end user can simply remove any settings, security, and apps that they wish is a huge oversight by Apple. Management profiles can be accidentally or maliciously removed deleting important settings for WiFi connections, proxy information, email accounts, and VPN settings. This results in an increased administrative overhead for those responsible for managing the devices and has knock on effects for hardware security, data protection, and e-Safety.

The problem emphasises the boundary between Apple’s propensity for all encompassing control of the user experience and a private organisation’s need to manage their devices. If a school buys an iPad for a student it should be the decision of the school which settings are applied to the device to enforce school policies, even if it does impinge on the user experience.

If a school wishes to leave the device open, that is fine, but this issue also prevents things such as limiting the network to which the device can connect, how the user stores work, and asset management.

I’m hopeful that this problem will be sorted out in iOS7. Apple are making clear signs that they’re prepared to improve iPad management for education, but only time will tell.

Has the ability for end users to remove management profiles caused any issues in your school? Share in the comments.


About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.


  1. I think it is point less not having ability to stop users from removing the profile from device, the MDMs will only be help if we can stop users from removing profiles.

  2. Correct me if I’m wrong but Meraki can now prevent a profile from being removed by setting a password which you control from the dashboard. That’s what we’ve done for iPads we loan to customers to try our App. The other great thing you can do is to lock an iPad to only run one App. This is also a huge benefit if you want someone to try your App and only have the iPad used for that.

  3. Hi there, I bumped into this conversation as I was stuck at a similar situation. But I had access to the support guys (evaluating a trial version) and indeed was able to restrict the profile from being removed at the user level. So the restriction for “Allow Removal” under profile are “Always”, “With Authorization” & “Never”

    MDM -> Airwatch
    VErsion -> iOS 7.0.6
    Device – > iPhone 5

  4. Hi, I need to know how to get the school profile off my school ipad for the weekend but there is no delete button on the side of the profile like there was last year, the school blocked my camera which I need for a HUGE project due Monday. The school goes through the Casper suite thing. How do I get it off my iPad? I know how to put the profiles back on just not take them off, please help me if you can!!!

    • Profile photo of Karl Rivers

      Hi Daniel,

      Meraki does let you set a password, but it doesn’t apply to the top level configuration profile. Students are therefore free to remove the profile whenever they choose.


  5. Dear Karl,

    My son’s high school supplies iPads to each student in a effort to go green. This past weekend my son had his iPad plugged in to our desktop computer for charging plus using home WIFI and during this his IPad crashed and was unusable. Monday he took the iPad to the school IT department and they reconfigured it so it is now usable. Today he has received two detentions as he was accused of removing the MDM profile. He emphatically denies tampering with and removing the MDM profile. Now I know my son is a very computer savy and would have the ability and knowledge to remove it. I would just like to know if something or someone else could have tampered with the iPad and caused the MDM to be deleted? He did not have the iPad passcoded because this iPad was just received as the new replacement for the one that he dropped and damaged.

    Please know that what ever happened to the iPad, be it his doing or something/someone else, he will take the detentions and learn the lesson. I would just like to know if something else could have happened as my son has been a target of bullying in the past.

    Thank you!

    • Richard Campbell on

      Anyone can delete MDM profiles at any time. Only devices enrolled using Apple’s DEP can this be prevented. However if the iPads are controlled through Apple Configurator then they cannot be controlled through DEP. One “supervisor” only. So if Apple Configurator is supervising these iPads, then the MDM solution can always be removed.

      Richard Campbell
      Education Systems Support
      GVSD 61 – Victoria BC

  6. Well, here we are on iOS 9.1 and the problem is still not solved. And some other problems neither. I do have about 170 iPads in 6 Tablet carts. Base-configured by apple configurator and hooked to Sophos Mobile Control 5. But I can’t do the most simple things like rebooting the ipads to get a defined state. Or rolling out an app PLUS configuration (e.g. citrix receiver configured for our citrix farm). MDM is just a buzzword for me right now. It’s a shame that Blackberry lost the race because the blackberry enterprise server was much more oriented to administrative needs.

  7. If the iPad was enrolled with DEP and a MDM solution, you can just “factory reset” the iPad and it will re-connect to the MDM server and get the MDM profile back.
    If the profile was installed the “default” way through your MDM solution, then ask your MDM administrator for a new enrollment. You will receive a link and further instructions to get your profile back.

  8. I bought an iPad Air from a pawn shop took it home and it has some college block thing on it. How do I remove this and allow it to work as if I just bought new out of box. How do I get the college settings off of it to start it up and set it up for me.

    • Hi Angela, you can try resetting the whole iPad by clicking on “Settings” –> “General” –> “Reset” .Be aware that everything is deleted from the device – really everything.

  9. My child is using her own personal iPad for school. They are now going to use Apple Classroom. Is there a way for her to be able to use the apps needed for class but restrict the school from monitoring her iPad? I understand school supervision of devices owned by the school, but I am NOT okay with the school having complete access to her personal stuff on her personal iPad. Any reasonable solutions?

  10. Any update on this? Or is it still impossible to prevent users from removing the profiles installed on company owned devices? This is a big sticking point for my company too!

Tell us what you think!