Make profile removal password-protected without enrolling with DEP
This was previously declined in 2018, here: https://suggestions.simplemdm.com/forums/204404-suggestions/suggestions/34296127-make-profile-removal-password-protected-without-en
I suspect the answer was wrong then, but it is definitely wrong now, in December 2019, for macOS 10.15.2.
I created a one-time enrollment, downloaded the mobileconfig, stripped the signature, added a RemovalPassword via Configurator (v2.11), and installed the profile. My device then connected to SimpleMDM and downloaded the rest of the config. This is presented in the 10.15.2 Profiles Pane UI as a set of distinct profiles (one per profile configured in SimpleMDM). None of those "mini profiles" are removable, but the top-level one is. When removing it, the removal password must be supplied, per the settings I specified in Configurator.
In a default Catalina (and I believe Mojave, but not tested), with SIP, it is not possible to extract the password after the mobileconfig is installed. Of course it is possible to extract the password as the config is delivered.
1) I was unable to push this profile as a custom profile in the SimpleMDM UI because, while that profile does get pushed, it is a "sub profile" and does not affect the top-level profile, which can still be removed. The Profiles Pane UI does a horrible job in that it shows all the profiles at equal hierarchy, but actually there is a parent/child relationship among them.
2) I loaded the profile on my test device via a web server, not file import. Not sure that matters one way or another.
The top-level profile indicates "unsigned" in the Profiles Pane, which sucks, but that's easily fixed by signing it myself.
The benefit of having SimpleMDM do this instead of doing it manually like this is that SimpleMDM could set a unique password per download of the mobileconfig, thus allowing group deployment. I mean, you could do this anyway with a single password, but then any one user can get the removal password for all devices using that profile simply by retrieving the mobileconfig again. Also, SimpleMDM can record the unique password somewhere for inspection by an admin later.