Non-MDM Partition on an MDM Apple Computer
This guide covers setting up a non-MDM partition on an Apple computer running macOS. It assumes that you have local admin rights and that Jamf is the MDM in use.
To get to the boot (startup disk) selection screen on an:
- Intel Mac: hold the 'Option' key and power on.
- Apple Silicon Mac: hold the power button until the boot selection appears.
Create new Volume
From existing (MDM) macOS install
- Open Disk Utility
- Click the + button to add a new volume
- Name the new volume and rename the existing one so they are easy to tell apart; these names are what you see when selecting a volume to boot from.
Install macOS to the new volume
From the existing (MDM) macOS install. An installer disk can be used if desired, but it is not required.
I think there is some magic that copies MDM info over since my new install got Jamf, even when installing offline from a USB.
- Download the installer for macOS from the App Store or Mist
- Run the installer and select the new volume as the target
- Forget your current Wi-Fi network and make sure you are not connected to the internet until the end of this guide.
Boot into new Volume
- Power off the Mac
- Power on the Mac into boot selection and select the new install. This new installation will have Jamf configured just like the other one.
Hosts File
From the new macOS install
- Add the following lines to the hosts file (/etc/hosts):
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
Disable System Integrity Protection
From recovery mode, targeting the new install
- Boot the Mac into Recovery Mode
- Go to the Utilities menu and open Terminal
- Type:
csrutil disable
and follow the prompts.
- Reboot into the OS
Remove Configuration Profiles
From the new install
- Open the Terminal and enter the commands:
sudo su
cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
Remove Jamf
From the new install. Only applicable if Jamf is installed.
- Go to System Settings > Privacy & Security > Full Disk Access.
- Click the '+' and enter your admin password.
- Navigate to Applications > Utilities and choose Terminal.
- Open Terminal and elevate to root with:
sudo -i
- Remove Jamf with:
jamf -removeFramework
- Move the old configuration profiles aside:
cd /var/db/
mv ConfigurationProfiles ConfigurationProfilesOLD
- Remove any traces of the MDM login page:
rm /usr/local/bin/authchanger
rm /usr/local/lib/pam/pam_saml.so.2
rm -r /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle
- In Finder, remove anything else you want gone from /Library/LaunchAgents
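From the defender's side, the Hosts File, Remove Configuration Profiles and Remove Jamf steps above each leave a recognisable trace on the volume. The following audit script is an added example written for this page; it is not part of the original guide and is not code from Jamf or Apple. It checks a volume root for the sinkholed Apple enrollment hosts, a ConfigurationProfiles store that holds nothing but the Settings/.profilesAreInstalled marker, the renamed ConfigurationProfilesOLD directory, and a captured `csrutil status` line reporting SIP disabled. Every check takes its input as a parameter, so it can be pointed at / on a live Mac or at files copied off one; the sample volume it builds for the demonstration is constructed, and the `AUDIT_ROOT` variable and all function names are this example's own.

```shell
#!/bin/sh
# Added audit example (not part of the original guide): look for the traces
# the procedure on this page leaves on a macOS volume. All paths are
# parameters; the sample volume built by make_sample_volume is constructed.

APPLE_ENROLL_HOSTS="deviceenrollment.apple.com mdmenrollment.apple.com iprofiles.apple.com"

# hosts_sinkholes_enrollment FILE
# Returns 0 if FILE maps any Apple enrollment host to a null/loopback address.
hosts_sinkholes_enrollment() {
    file="$1"
    [ -r "$file" ] || return 1
    for host in $APPLE_ENROLL_HOSTS; do
        pattern=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for grep -E
        # drop comments, then match "<addr> [other names ...] <host>" on one line
        if sed 's/#.*//' "$file" | grep -Eq "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1|::1)[[:space:]]+([^[:space:]]+[[:space:]]+)*${pattern}([[:space:]]|\$)"; then
            echo "hosts: $host is sinkholed in $file"
            return 0
        fi
    done
    return 1
}

# profiles_store_faked DIR
# Returns 0 if DIR exists and contains nothing but Settings/.profilesAreInstalled,
# i.e. the store was emptied and only the marker file was recreated.
profiles_store_faked() {
    dir="$1"
    [ -d "$dir" ] && [ -f "$dir/Settings/.profilesAreInstalled" ] || return 1
    extra=$(find "$dir" -mindepth 1 ! -path "$dir/Settings" \
                 ! -path "$dir/Settings/.profilesAreInstalled" | wc -l | tr -d ' ')
    [ "$extra" -eq 0 ]
}

# sip_disabled_from_status TEXT
# Parses captured `csrutil status` output and returns 0 if it reports SIP disabled.
sip_disabled_from_status() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: disabled'
}

# indicator_count ROOT
# Prints how many of the on-disk indicators are present under ROOT (0 = clean).
indicator_count() {
    root="$1"
    n=0
    hosts_sinkholes_enrollment "$root/etc/hosts" >/dev/null && n=$((n + 1))
    profiles_store_faked "$root/var/db/ConfigurationProfiles" && n=$((n + 1))
    [ -d "$root/var/db/ConfigurationProfilesOLD" ] && n=$((n + 1))
    echo "$n"
}

# make_sample_volume
# Builds a constructed temp directory laid out like a volume that went through
# this guide, and prints its path. Sample data only; nothing here is real.
make_sample_volume() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/db/ConfigurationProfiles/Settings" \
             "$root/var/db/ConfigurationProfilesOLD"
    cat > "$root/etc/hosts" <<'EOF'
127.0.0.1 localhost
# 0.0.0.0 deviceenrollment.apple.com   (commented out: must not count)
0.0.0.0 deviceenrollment.apple.com
0.0.0.0 mdmenrollment.apple.com
0.0.0.0 iprofiles.apple.com
EOF
    : > "$root/var/db/ConfigurationProfiles/Settings/.profilesAreInstalled"
    printf '%s\n' "$root"
}

# Stand-alone use: audit the running system (AUDIT_ROOT defaults to /),
# then show the same checks against the constructed sample.
AUDIT_ROOT="${AUDIT_ROOT:-/}"
echo "indicators under $AUDIT_ROOT: $(indicator_count "$AUDIT_ROOT")"
sample=$(make_sample_volume)
echo "indicators under constructed sample: $(indicator_count "$sample")"
rm -rf "$sample"
```

On a Mac, pair the on-disk checks with `sip_disabled_from_status "$(csrutil status)"`; the function takes the text rather than running `csrutil` itself so the script stays usable on copied files and on non-macOS hosts.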
Re-enable System Integrity Protection
From recovery mode, targeting the new install
- Boot the Mac into Recovery Mode
- Go to the Utilities menu and open Terminal
- Type:
csrutil enable
and follow the prompts.
- Reboot into the OS
Quirks
With FileVault enabled on the new install, you can end up with the login-screen settings/message of the MDM volume.
The other partition will be mounted automatically. To stop that:
- Get the UUID of the volume you don't want mounted automatically.
- Edit the fstab file:
cd /etc
sudo vifs
- Add the following line to the end of the file:
UUID=<UUID> none apfs rw,noauto
If Jamf connects to the internet at any point from the new install, you will need to re-enroll the main partition with:
sudo jamf enroll -prompt
Sources
MDM Bypass guide: the hosts file is the useful part here.
Remove profiles: This was required to remove profile configuration.
Removing Jamf: Jamf is the MDM solution in my case.