Technical Explainer | March 2026 | 9 min read

Apple DEP Enrollment Explained: What Every Mac Buyer Should Know

DEP is the enrollment mechanism that makes MDM persistent across factory erases. If you are buying or have bought a used Mac, understanding it is not optional.

Most people who encounter MDM issues on a used Mac are dealing with one of two things: a standard configuration profile installed by their previous organization's MDM server, or a DEP enrollment that reinstates itself every time the Mac is set up. These two scenarios look similar on the surface but require completely different resolution approaches.

DEP — the Device Enrollment Program — is the piece of Apple's enterprise architecture that most individual Mac owners have never heard of. It is designed to make enterprise device deployment seamless. It also creates the most persistent form of MDM lock a secondhand Mac buyer can encounter.

This explainer covers what DEP is, how it works technically, why organizations use it, how it differs from a standard MDM profile, how to detect it, and what your options are as an individual Mac owner who has encountered it.

What Is Apple DEP?

DEP stands for Device Enrollment Program. Apple launched it in 2012 as a way for organizations to automatically configure and manage Apple devices as part of their standard IT workflow. In 2021, Apple folded DEP into Apple Business Manager (ABM) and Apple School Manager (ASM), and the DEP functionality is now accessed through those portals. The underlying technical mechanism — server-side device registration — is unchanged.

When an organization purchases Macs from Apple or an authorized reseller and has an ABM account, those devices can be automatically assigned to their ABM account before the boxes are even opened. The assignment is based on the device's serial number. No physical interaction with the device is required to create the enrollment record.

Devices can also be added to ABM after purchase using Apple Configurator or by having an IT administrator assign them through the ABM portal. The enrollment record lives on Apple's servers and is associated with the device's serial number permanently — until the organization or Apple removes it.

How DEP Enrollment Works in Practice

The enrollment process is automatic and largely invisible to the end user. Here is what happens when a DEP-enrolled Mac goes through setup:

1. Mac connects to the internet during setup

Whether it is a new out-of-box setup or a post-erase reinstall, the first thing macOS does during the setup flow is contact Apple's activation servers. This step is not optional and cannot be skipped by the end user.

2. Apple's DEP server checks the serial number

Apple's activation server checks whether the device's serial number is registered in any ABM or ASM account. If it is, it returns the enrollment configuration associated with that account.

3. macOS downloads the MDM enrollment payload

Without user interaction, macOS automatically downloads the MDM server address and enrollment certificate specified by the ABM account and begins the MDM enrollment process.

4. MDM profile is installed

The MDM profile is installed at the system level. On supervised devices, this step cannot be skipped or canceled. The user arrives at the desktop with the organization's MDM already active.

5. MDM server pushes additional configuration

Once enrolled, the MDM server can push configuration profiles, install software, apply restrictions, and enforce policies — all without further user interaction. This happens in the background as the user begins using the device.

Why Organizations Use DEP

From an enterprise IT perspective, DEP solves a real problem. Deploying hundreds or thousands of Macs to employees requires consistent configuration — the right apps installed, the right security settings enforced, the right certificates and VPN profiles in place. Without DEP, this requires either physical access to each device or complex imaging workflows.

With DEP, IT can ship a Mac directly to an employee's home office. The employee turns it on, connects to Wi-Fi, and the device configures itself automatically. The IT team never touches it physically. This is called zero-touch deployment and it is the primary reason large enterprises adopt DEP.

DEP also gives IT teams confidence that devices cannot easily be removed from management. If an employee quits and tries to erase the Mac to remove management, the MDM will reinstall automatically the next time the device connects to the internet. This is the security feature that becomes a problem when the device is legitimately sold to a new owner.

DEP vs Standard MDM: Key Differences

Many people use “DEP” and “MDM” interchangeably, but they are distinct things. DEP is the enrollment mechanism; MDM is the management protocol. A Mac can have MDM without DEP, or it can have both. Here is how they compare on the dimensions that matter most to device owners:

Aspect | DEP Enrollment | Standard MDM Profile
Where it lives | Apple's enrollment servers (tied to serial number) | On the Mac (configuration profile)
Survives factory erase | Yes | No (usually)
Survives macOS reinstall | Yes | No (usually)
Who can remove it | ABM account holder or Apple (in disputes) | Enrolling organization or device owner
User can skip enrollment | No (on supervised devices) | Sometimes (during setup)
Visible in System Settings | Not directly | Yes (Profiles section)
Detectable with Terminal | Yes (profiles status -type enrollment) | Yes (profiles list)

How to Detect DEP Enrollment on Your Mac

Standard MDM profiles are visible in System Settings. DEP enrollment is not directly visible there — you need Terminal or a dedicated checker tool. Three commands give you the key signals:

profiles status -type enrollment

Look for "MDM enrollment: Yes (Device Enrolled)" — this indicates automated enrollment, which is the strongest signal of DEP. "Yes (User Approved)" means manual enrollment (no DEP). "No" means not currently enrolled.

profiles show -type enrollment

If the Mac is DEP-enrolled, this shows the enrollment configuration including the MDM server URL and organization identifier. If not enrolled, it returns no output.

system_profiler SPConfigurationProfileDataType | grep -i "Organization\|DEP\|supervised"

Shows the organization name from installed profiles and supervision state. A supervised Mac with an organization name is very likely DEP-enrolled.
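
The first check above can be scripted so the result is a single label rather than text to read by eye. The following is an added example, not part of the original article or of any tool it mentions: the function name, the labels and the sample outputs are constructed for illustration, and the "Enrolled via DEP:" line is an extra field macOS prints in the same output that the article does not discuss.

```sh
#!/bin/sh
# Added example: classify the output of `profiles status -type enrollment`.
# Reads that output on stdin and prints one label:
#   automated      - "Yes (Device Enrolled)", or an "Enrolled via DEP: Yes" line
#   user-approved  - "Yes (User Approved)": manual enrollment, no DEP signal
#   enrolled-other - enrolled, with a qualifier not listed in the article
#   not-enrolled   - "No"
#   unknown        - no "MDM enrollment:" line at all (wrong input)
classify_enrollment() {
    awk -F': *' '
        # Tolerate CRLF line endings and leading indentation from copy/paste.
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        tolower($1) == "enrolled via dep" { dep = tolower($2) }
        tolower($1) == "mdm enrollment"   { mdm = tolower($2) }
        END {
            if (dep ~ /^yes/ || mdm ~ /^yes \(device enrolled\)/) print "automated"
            else if (mdm ~ /^yes \(user approved\)/)              print "user-approved"
            else if (mdm ~ /^yes/)                                print "enrolled-other"
            else if (mdm ~ /^no/)                                 print "not-enrolled"
            else                                                  print "unknown"
        }'
}

# Constructed sample outputs (written for this example, not captured from a Mac).
SAMPLE_AUTOMATED='MDM enrollment: Yes (Device Enrolled)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live output; elsewhere, run the constructed samples.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment
else
    for s in "$SAMPLE_AUTOMATED" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
        printf '%s\n' "$s" | classify_enrollment
    done
fi
```

When inspecting a Mac before purchase, run the check on the seller's machine after it has been online, and treat "unknown" as a reason to repeat the check by hand rather than as a clean result.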

Easier option: The free MDM checker runs all of these checks and more, interprets the results, and tells you in plain language whether you have a DEP lock, a user-space profile, or neither — along with what your options are. No Terminal expertise required. Run it here.

What DEP Means for Used Mac Buyers

The practical implication is straightforward: if a Mac you are buying was previously owned by an organization and registered in ABM, no amount of erasing will make it yours in a meaningful sense. The device will re-enroll in the previous organization's MDM automatically. Whether that organization's MDM server still exists and pushes restrictions depends on their infrastructure (some servers are decommissioned, in which case the enrollment may produce no visible restrictions), but the lock itself, the enrollment record on Apple's servers tied to the serial number, remains.

Before buying any Mac from a corporate source, the guide on checking MDM before purchase walks through every step to take while you still have leverage as a buyer. The guide on refurbished Mac MDM risk covers which seller types carry the most risk and what to ask.

If you already own a Mac with a DEP lock and need to understand your options, start with the free checker to confirm the lock type, then read the complete MDM removal guide for the resolution path specific to your situation. For legal context on your rights as a device owner, the legal explainer covers property rights, CFAA, and the right-to-repair framework.

Resolution Options for a DEP-Locked Mac

Contact the previous ABM account holder

Best path when possible

If you can identify the previous organization and contact their IT department with proof of ownership, requesting an ABM release is the cleanest resolution. The IT team removes the device from their ABM account and the DEP enrollment is gone from Apple's servers.

Contact Apple Support with ownership documentation

Available for documented disputes

Apple can release devices from ABM in cases where the new owner has clear proof of purchase and the previous organization is unresponsive or out of business. This process requires documentation — a purchase receipt with serial number, proof of the transfer, and in some cases a formal dispute letter.

Return to seller

Appropriate if seller misrepresented

If a seller represented a Mac as clean and it has an active DEP lock, that is a material misrepresentation. Most jurisdictions support returns in this case. Contact the seller with documentation from the MDM checker showing the enrollment status.

Use MDM Liberator Pro for user-space profile removal

For user-space profiles only

MDM Liberator Pro addresses user-space MDM profiles that are not DEP-driven. If the free checker shows a user-space profile without a hardware DEP lock, the Pro tools can help. If the check shows a genuine DEP lock, we tell you clearly that our tool addresses the profile layer but cannot remove the ABM server-side registration.
