Users are able to delete configuration profiles on their iOS devices. Can this be prevented?
First seen in
Sophos Mobile Control
What To Do
You can protect configuration profiles with a password. To do so, configure the profile as follows:
- User can remove profile: with authentication
- Authentication password: <password>
This said, there's a limitation: There is no way to apply this protection to the MDM enrollment profile (bootstrap). This is due to a limitation of the MDM protocol by Apple and cannot be circumvented.
The user will always be able to remove the MDM enrollment profile and with this any other installed profile based on it.
As a device will then be no longer managed, it will also be no longer compliant and can no longer perform any Exchange Active Sync.