Unenroll devices

After unenrolling from MDM, you can no longer manage the device through BigFix MCM. MDM policies become ineffective on the unenrolled devices.

Unenrollment through WebUI

To unenroll devices through WebUI:

  1. From the WebUI main page, click Devices.

  2. From the listed devices, select the devices to unenroll.

  3. From the action bar that appears in blue, select Administration > MDM Unenroll.The following page appears.

  4. If you want to change the target, click Edit Devices. Review the information and click Send Command. The device gets unenrolled.
Note:
  • If you have installed BigFix Platform version earlier than 10.0.8, when you unenroll and later re-enroll an MDM device, WebUI and the Console show multiple devices with unique computer IDs. To avoid this, upgrade BigFix Platform version to 10.0.8 or later, which deletes the unenrolled device from the root server, Console, and WebUI.
  • An endpoint that is enrolled with an ODJ policy, when unenrolled, does not get disconnected from Active Directory. To fix this issue, see Endpoint not disconnected from AD after unenrollment.

Unenrollment by device user

Windows
  • By default, MCM allows user-initiated unenrollment on all the enrolled Windows devices.
    • As a device user, to unenroll a Windows device, do the following steps:
      • a. Select Account from the left navigation pane.
      • b. Click the caret symbol next to Connected by
      • c. Click DisconnectAccess work or school and click Disconnect. The device gets unenrolled from MDM service.
      • d. Additionally in Windows 11 devices, to unenroll, click the popup button (that is displayed as a blank line) that appears after clicking Disconnect.

  • If an organization wants to prevent users from unenrolling company-owned devices, that can be done through a custom policy. Add the custom policy to a policy group and deploy onto the MDM server. For code, see Custom policy to restrict device users from unenrolling fully-managed (company-owned) devices.
Apple
DEP:The ability for a user to unenroll themselves is configured in the DEP profile that was applied on the device. While configuring through Configure Automated Device Enrollment Policy page, if the Is MDM Removable option is selected, the Apple device user can unenroll. Otherwise, the option is disabled and the user cannot unenroll. After user-initiated unenrollment, the items under the sections Apps and Restrictions become empty.
To unenroll an iPhone or iPad device:
  1. Open Settings on the device.
  2. Go to General > Device Management.
  3. Select the MDM profile.
  4. Select Remove Management.
To unenroll a macOS device:
  1. Open System Preferences.
  2. Go to the Profiles section.
  3. Select the main MDM profile.
  4. Click the "-" button and follow the prompts to confirm the unenrollment.
BYOD: Apple BYOD devices enrolled through Apple User Enrollment cannot be remotely unenrolled via the WebUI. To unenroll Apple BYOD devices, the user must manually unenroll by signing out from the Managed Account under "Settings" on their device.
Android

Users cannot unenroll company owned devices (New or factory reset devices).

Users can unenroll BYOD Android device by deleting the work profile. To delete your work profile:
  1. Go to Settings > Accounts > Remove work profile.
  2. Tap Delete to confirm the removal of all apps and data within your work profile.
  3. Ensure that the policy app ("Device Policy") is uninstalled and not present on your device.

After the work profile is deleted, all local data on the device within that profile is deleted.

You can also remove all apps and data (both personal and work) by factory-resetting your device.