Group - MDM Unenrollment Allowed users
Why it exists
Most users shouldn't be able to remove MDM enrollment; that's why we apply the CP - MDM Unenrollment Block.
But sometimes:
- A device needs reprovisioning
- You're staging equipment
- Someone's in a test lab
That's when this group comes in.
Configuration overview
Field | Value |
---|---|
Group name | Group - MDM Unenrollment Allowed users |
Group type | Security |
Membership type | Assigned |
Description | Members of this group are allowed to manually remove their device from MDM, overriding the default block policy. |
Governance tips
- Keep membership tight and documented
- Only add users with written approval
- Clean up regularly (before something breaks)
This group grants the power to unmanage. And unmanaged = unprotected.
Related
- CP - MDM Unenrollment Block
- CP - MDM Unenrollment Allow
- Blog: Wait... Standard Users Can Do WHAT Now?!
Final words
This group is like giving someone keys to the Batmobile: cool, but only if they know what they're doing.
Use it wisely. Document everything. And never hand it out just because someone asked nicely over coffee.