iOS MDM Profile is Removable Despite "Prevent Un-enrollment" Policy Active in SOTI MobiControl

Publish Date: 19-Aug-2025 SOTI MobiControl

Summary

This article addresses why the "Prevent Un-enrollment" option in the enrollment policy in SOTI MobiControl may not work for iOS devices.

Related SOTI ONE Platform Products

SOTI MobiControl

Related Device OS

iOS

Issue Description

Administrators using SOTI MobiControl may find that iOS or iPadOS devices are being unenrolled by end-users, even when the "Prevent Un-enrollment" option is enabled within the applicable Add Devices rule or Enrollment Policy. 

On the SOTI MobiControl server, this action correctly generates alerts such as DeviceUnenrolledByUser, confirming the unenrollment was initiated from the device.

This behavior is not a SOTI MobiControl issue but is the expected outcome when an iOS device does not meet Apple's strict requirements for making an MDM profile non-removable. 

Environment

Product: SOTI MobiControl
Device Platform: Apple iOS / iPadOS
Enrollment Method: Apple Automated Device Enrollment (ADE)
Management Portal: Apple Business Manager (ABM) or Apple School Manager (ASM)

Symptoms

  • The "Prevent Un-enrollment" option within the SOTI MobiControl iOS Add Devices rule or Enrollment Policy does not work as expected.
  • End-users can successfully remove the SOTI MobiControl management profile from their iOS device by navigating to Settings > General > VPN & Device Management.
  • The SOTI MobiControl server logs contain alerts confirming the unenrollment was initiated by the user, such as DeviceUnenrolledByUser, and the device has removed its management profile.

Prevention

To make sure that the "Prevent Un-enrollment" feature is always enforced immediately upon enrollment, it is crucial to follow the correct provisioning workflow:

  • The most effective prevention method is to procure devices through Apple or an authorized reseller who can add the device serial numbers directly into your Apple Business Manager (ABM) portal at the time of purchase. 
  • All devices enrolled via Automated Device Enrollment (ADE) must be properly configured in ABM before they are activated. Always log in to the ABM portal, locate the new device serial numbers, and assign them to the correct SOTI MobiControl MDM server instance. By assigning the device first, you ensure that when it is unboxed and powered on, it will automatically undergo a supervised enrollment and the management profile will be non-removable from the start (unless the device was added via Apple Configurator, in which case the 30-day grace period applies).

Cause

The root cause of this issue is not a failure of the SOTI MobiControl enrollment policy, but rather the device not meeting Apple's specific requirements for enforcing a non-removable management profile. There are two distinct scenarios that lead to this behavior:

The Device is Within Apple's 30-Day Grace Period:

  • When an existing device is manually added to Apple Business Manager (ABM) using Apple Configurator, Apple mandates a 30-day grace period. This is an intentional design feature that gives the end-user a window to remove the management profile and opt out of corporate management. During this period, any "Prevent Un-enrollment" policy from an MDM solution is overridden by Apple's grace period rules.

The Device is Not Supervised:

  • The ability to make a management profile non-removable is a core feature of Apple's Supervision framework. Supervision is applied during the device activation process through Automated Device Enrollment (ADE). For this to occur, the device's serial number must be assigned to the SOTI MobiControl MDM server within the ABM portal before the device is enrolled. If this assignment is not made, the device will activate in a standard, unsupervised state. In this state, the user always retains the right to remove the management profile, and the "Prevent Un-enrollment" policy will have no effect.
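The two scenarios above can be turned into a simple inventory audit that flags devices whose management profile a user can still remove. This is an added example, not SOTI or Apple code; the Device fields, the abm_added_on date and the assumption that the grace period runs for 30 days from the ABM add date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Apple's grace period for devices added to ABM with Apple Configurator
GRACE_PERIOD = timedelta(days=30)

@dataclass
class Device:
    serial: str
    supervised: bool                # supervised via Automated Device Enrollment
    added_via_configurator: bool    # serial was added to ABM with Apple Configurator
    abm_added_on: Optional[date]    # assumed field: date the serial was added to ABM

def profile_removal_status(dev: Device, today: date):
    """Return (removable, reason) for one device, following the two
    scenarios in the Cause section: unsupervised devices, and
    Configurator-added devices still inside the 30-day grace period."""
    if not dev.supervised:
        return True, "unsupervised: assign the serial to the MDM server in ABM before activation"
    if dev.added_via_configurator and dev.abm_added_on is not None:
        # Assumption: the grace period runs for 30 days from the ABM add date
        grace_end = dev.abm_added_on + GRACE_PERIOD
        if today < grace_end:
            return True, f"within Apple's 30-day grace period until {grace_end.isoformat()}"
    return False, "supervised ADE enrollment: Prevent Un-enrollment is enforced"

def audit(devices, today: date):
    """List (serial, reason) for every device whose profile a user can still remove."""
    report = []
    for dev in devices:
        removable, reason = profile_removal_status(dev, today)
        if removable:
            report.append((dev.serial, reason))
    return report

# Constructed sample inventory (serials and dates are made up)
SAMPLE_DEVICES = [
    Device("SN-ADE-0001", True, False, None),               # assigned in ABM before activation
    Device("SN-CFG-0002", True, True, date(2025, 8, 1)),    # Configurator-added, still in grace period
    Device("SN-CFG-0003", True, True, date(2025, 6, 1)),    # Configurator-added, grace period over
    Device("SN-USR-0004", False, False, None),              # activated before ABM assignment
]

if __name__ == "__main__":
    for serial, reason in audit(SAMPLE_DEVICES, date(2025, 8, 19)):
        print(f"{serial}: profile removable - {reason}")
```

Running it on the sample inventory lists SN-CFG-0002 and SN-USR-0004 as the devices an end-user can still unenroll; the fix for each is the corresponding step in the Prevention section.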
