{"id":51128782,"url":"https://github.com/mateussiqueira/unleash","last_synced_at":"2026-06-25T10:30:41.816Z","repository":{"id":366156683,"uuid":"1267555222","full_name":"mateussiqueira/unleash","owner":"mateussiqueira","description":"Single-script MDM bypass for macOS. Bypass, suppress, monitor, and audit MDM enrollment from Recovery. Apple Silicon + Intel.","archived":false,"fork":false,"pushed_at":"2026-06-20T15:14:30.000Z","size":26,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-20T15:15:26.915Z","etag":null,"topics":["apple-silicon","device-enrollment-program","macos","mdm","mdm-bypass"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mateussiqueira.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-12T16:41:02.000Z","updated_at":"2026-06-20T15:14:34.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mateussiqueira/unleash","commit_stats":null,"previous_names":["mateussiqueira/unleash"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mateussiqueira/unleash","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mateussiqueira%2Funleash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mateussiqueira%2Funleash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mateussiqueira%2Funleash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mateussiqueira%2Funleash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mateussiqueira","download_url":"https://codeload.github.com/mateussiqueira/unleash/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mateussiqueira%2Funleash/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34771660,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-25T02:00:05.521Z","response_time":101,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apple-silicon","device-enrollment-program","macos","mdm","mdm-bypass"],"created_at":"2026-06-25T10:30:41.178Z","updated_at":"2026-06-25T10:30:41.809Z","avatar_url":"https://github.com/mateussiqueira.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/icon.svg\" width=\"120\" alt=\"unleash logo\"\u003e\n\u003c/p\u003e\n\n# unleash\n\nSingle-script MDM bypass for macOS. 
Works from Recovery mode on Apple Silicon and Intel.\n\nI started this because the original bypass-mdm project had five different scripts (v2, v3, express, dualboot.sh, verify.sh), each with slightly different options and none of them handling the full problem after Migration Assistant. This replaces all of them in one file.\n\n## Quick start\n\n1. Copy the `unleash` folder to an external SSD (FAT32, APFS, or exFAT)\n2. Boot to Recovery:\n   - **Apple Silicon**: hold the power button until you see \"Loading Startup Options\", then click Options → Continue\n   - **Intel**: Cmd+R at the startup chime\n3. Open Terminal from the Utilities menu\n4. Run:\n\n```bash\nchmod +x \"/Volumes/YourSSD/unleash/unleash\"\n\"/Volumes/YourSSD/unleash/unleash\"\n```\n\nPick \"Full bypass\" from the menu. Or if you know what you want:\n\n```bash\n\"/Volumes/YourSSD/unleash/unleash\" bypass\n```\n\nNo internet needed. No SIP to disable. No typing long URLs.\n\nIf you do have internet in Recovery:\n\n```bash\ncurl -L https://raw.githubusercontent.com/mateussiqueira/unleash/main/unleash -o /tmp/unleash\nchmod +x /tmp/unleash \u0026\u0026 /tmp/unleash bypass\n```\n\n---\n\n## Commands\n\n### bypass — Full MDM bypass (Recovery only)\n\n```bash\n./unleash bypass\n```\n\nCreates a temporary admin account and suppresses MDM. What it does:\n\n1. Finds and mounts the macOS Data volume\n2. Unlocks FileVault if needed (asks for password)\n3. Creates an admin user (default Apple / 1234)\n4. Removes DEP activation records\n5. Blocks 13+ Apple MDM domains plus your org's MDM host\n6. Disables 4 enrollment daemons\n7. Cleans user-level MDM artifacts from all home directories\n8. Sets .AppleSetupDone so Setup Assistant is skipped\n\n### suppress — Silence enrollment, no user\n\n```bash\n./unleash suppress\n```\n\nSame as bypass minus the user creation. 
Useful after a clean bypass breaks from a macOS update.\n\n### heal — Check and re-apply\n\n```bash\nsudo ./unleash heal       # from booted system\n./unleash heal            # from Recovery\n```\n\nChecks if suppression is still intact. If any piece (DEP markers, hosts block, daemon disable) has been reset, it re-applies it. Safe to run repeatedly.\n\n### persist — Boot-time auto-heal\n\n```bash\nsudo ./unleash persist\n```\n\nInstalls a LaunchDaemon at `/Library/LaunchDaemons/com.unleash.heal.plist` that runs `unleash heal` on every boot and every 24 hours after that. Logs go to `/var/log/unleash-heal.log`.\n\nUse this before a macOS upgrade. When the update finishes and reboots, heal runs automatically and re-applies anything the update reset.\n\n### unpersist — Remove auto-heal\n\n```bash\nsudo ./unleash unpersist\n```\n\nRemoves the LaunchDaemon and unloads it.\n\n### firewall — Kernel-level MDM block\n\n```bash\nsudo ./unleash firewall\n```\n\nCreates pf firewall rules that drop traffic to Apple's MDM IP ranges (17.0.0.0/8 and 17.128.0.0/10). pf works below DNS — DNS-over-HTTPS cannot bypass it.\n\n**Warning**: this blocks all Apple services. iCloud, App Store, and system updates will not work while the firewall is active. Use `whitelist` instead if you need those.\n\n### firewall-off — Remove firewall\n\n```bash\nsudo ./unleash firewall-off\n```\n\nFlushes the Unleash pf anchor and restores pf.conf.\n\n### whitelist — Block only MDM, keep iCloud\n\n```bash\nsudo ./unleash whitelist\n```\n\nAlternative to `firewall` that resolves only the essential MDM domains (mdmenrollment.apple.com, deviceenrollment.apple.com, iprofiles.apple.com) to IPs and blocks those, leaving everything else untouched. iCloud, App Store, and updates should work normally.\n\n### harden — Live cleanup from booted system\n\n```bash\nsudo ./unleash harden\n```\n\nRuns from the logged-in desktop after bypass. Does:\n\n1. Kills ManagedClient, mdmclient, activationd\n2. 
Forces profile removal\n3. Scans and removes MDM LaunchAgents per user\n4. Flushes DNS cache, restarts mDNSResponder\n5. Checks keychain for MDM identity certs\n6. Looks for JAMF/Intune/Workspace ONE agents\n7. Disables iCloud Private Relay (a DoH loophole)\n\n### audit — Deep system scan\n\n```bash\nsudo ./unleash audit\n```\n\nComprehensive scan that checks: installed profiles, enrollment state, keychain certificates, user LaunchAgents, system LaunchDaemons, running processes, MDM agent binaries, pf firewall status. Ends with a risk score (LOW / MEDIUM / HIGH / CRITICAL).\n\n### status — MDM health check (Recovery only)\n\n```bash\n./unleash status\n```\n\nShows DEP markers, hosts block, daemon overrides, profile enrollment, and backup status. Only works from Recovery because that's where the Data volume is cleanly accessible.\n\n### check — Pre-format / pre-upgrade assessment\n\n```bash\nsudo ./unleash check\n```\n\nAnswers: **\"If I wipe this Mac, will it lock?\"** Checks DEP records, profiles, enrollment state, firewall, and persistence. Also does an upgrade safety check — tells you if `persist` and `firewall` are installed before you upgrade macOS.\n\nReturns one of two verdicts:\n\n- **SAFE TO FORMAT** — no MDM enrollment detected\n- **MDM DETECTED** — this Mac will lock after a wipe. Run bypass from Recovery afterward.\n\n### monitor — Background MDM watcher\n\n```bash\nsudo ./unleash monitor\n```\n\nStarts a daemon that checks MDM state every 5 minutes. If it detects MDM trying to re-enroll (DEP record appears, hosts block missing, enrollment becomes active), it auto-heals and sends a macOS notification.\n\n```bash\nsudo ./unleash monitor-stop      # stop it\nsudo ./unleash monitor-status    # check if it's running\n```\n\nLogs everything to `/var/log/unleash-monitor.log`. 
The daemon does not survive a reboot on its own — combine with `persist` for persistence.\n\n### backup / restore — State save\n\n```bash\n./unleash backup\n./unleash restore\n```\n\nBackup saves hosts, config profiles, and launchd override to `.unleash-backup/`. Restore reverts them.\n\n### dualboot — External volume target\n\n```bash\nsudo ./unleash dualboot\n```\n\nSame as bypass but lets you pick which volume to target (for external macOS installs or dual-boot setups). Prompts for system and data volume names.\n\n### version / help\n\n```bash\n./unleash version\n./unleash help\n```\n\n---\n\n## Aliases\n\nEvery command has a shorter alias:\n\n| Alias | Full command |\n|-------|-------------|\n| `by` | bypass |\n| `sv` | suppress |\n| `st`, `ls` | status |\n| `fw` | firewall |\n| `fw-off` | firewall-off |\n| `wl` | whitelist |\n| `mn` | monitor |\n| `mn-stop` | monitor-stop |\n| `mn-st` | monitor-status |\n\n---\n\n## Options\n\nGlobal options that can go before any command:\n\n| Option | Effect |\n|--------|--------|\n| `--verbose` | Show debug messages |\n| `--log-file \u003cpath\u003e` | Write log output to file |\n\nExample:\n```bash\nsudo ./unleash --verbose --log-file /tmp/unleash.log heal\n```\n\n---\n\n## How it works\n\nMDM enrollment on macOS sits on four layers. Unleash addresses each one.\n\n### Layer 1: DEP activation record\n\nWhen an organization assigns a device in Apple Business Manager, macOS creates marker files at:\n\n```\n/private/var/db/ConfigurationProfiles/Settings/\n  .cloudConfigHasActivationRecord   ← \"this serial has DEP\"\n  .cloudConfigRecordFound           ← \"enrollment was triggered\"\n  .cloudConfigTimerCheck            ← \"check again later\"\n```\n\nUnleash removes these and creates decoy files (`.cloudConfigRecordNotFound`, `.cloudConfigProfileInstalled`) that signal \"no enrollment needed.\"\n\n### Layer 2: Network blocking\n\nThe enrollment client contacts Apple servers to download the MDM profile. 
Without network access, it cannot complete enrollment.\n\nUnleash blocks via `/etc/hosts`:\n\n- `iprofiles.apple.com` — profile delivery\n- `deviceenrollment.apple.com` — DEP service\n- `mdmenrollment.apple.com` — MDM service\n- `acmdm.apple.com` — Apple Configurator MDM\n- `axm-adm-mdm.apple.com` — ACM enrollment\n- `albert.apple.com` — ABM device assignment\n- `gdmf.apple.com` — MDM framework\n- `configuration.apple.com` — config service\n- `xp.apple.com` — device management\n- `gs.apple.com` — device enrollment\n- `tb.apple.com` — device trust\n- `vpp.itunes.apple.com` — volume purchase\n- Your org's MDM host (extracted from the DEP record)\n\nBoth IPv4 (0.0.0.0) and IPv6 (::) entries are added.\n\n### Layer 3: Launchd daemon override\n\nmacOS registers enrollment daemons that run at boot:\n\n| Daemon | What it does |\n|--------|-------------|\n| `com.apple.ManagedClient.enroll` | Main enrollment |\n| `com.apple.ManagedClient.cloudConfiguration` | Cloud config |\n| `com.apple.mdmclient.daemon.runatboot` | MDM client |\n| `com.apple.activationd` | Device activation |\n\nUnleash disables them via the launchd override at `/private/var/db/com.apple.xpc.launchd/disabled.plist`.\n\n### Layer 4: User-level cleanup\n\nHome directories carry MDM artifacts that trigger re-enrollment after login:\n\n```\n~/Library/Preferences/com.apple.mdm.*\n~/Library/Preferences/com.apple.ManagedClient.*\n~/Library/Application Support/com.apple.ManagedClient*/\n~/Library/LaunchAgents/com.apple.mdm.*\n```\n\nUnleash removes these from every home directory on the Data volume. This is the step most scripts miss — and the reason MDM comes back after Migration Assistant.\n\n### Layer 5: pf firewall (optional)\n\nThe hosts file can be bypassed by DNS-over-HTTPS or cached DNS. pf (packet filter) operates at the kernel level and is immune to both. 
Unleash installs pf rules that either:\n\n- **firewall**: blocks Apple's entire IP range (17.0.0.0/8 + 17.128.0.0/10) — aggressive but 100% effective\n- **whitelist**: resolves only MDM domains to IPs and blocks those specifically — keeps iCloud working\n\n## Intel vs Apple Silicon\n\n| | Intel T2 | Apple Silicon |\n|---|---|---|\n| Recovery | Cmd+R at boot | Hold power button |\n| System volume | Writable with SIP disabled | Cryptographically signed (SSV) — read-only |\n| FileVault unlock | diskutil apfs unlockVolume | Same, but needs user password or recovery key |\n| Enrollment daemons | Fewer | activationd + cloudConfig |\n| NVRAM flags | Some | More firmware-level flags |\n| Migration Assistant | Less risky | **Carries MDM state** — see below |\n\nOn Apple Silicon, all writes target the Data volume. The system volume is never modified. SIP does not need to be disabled.\n\n## Migration Assistant failure\n\nThis is the most common reason MDM comes back.\n\nWhen you migrate from an Intel Mac to Apple Silicon (or between AS Macs), Migration Assistant copies:\n\n- DEP activation records\n- Enrolled configuration profiles\n- User-level MDM preferences and caches\n- Launch agents that re-trigger enrollment\n- Keychain identity certificates\n\nThe old bypass scripts only clean system-level artifacts (DEP markers, hosts, launchd). The user-level stuff gets copied over and re-establishes enrollment on every login.\n\n### Symptoms\n\n- Remote Management screen appears after the first reboot\n- Running suppress makes it go away temporarily\n- MDM profile returns within about a minute of login\n\n### Solution\n\n**From Recovery**: run `unleash bypass` (or `suppress`). This cleans both system-level and user-level artifacts.\n\n**If MDM still comes back**: boot normally, run `sudo ./unleash harden` immediately after login. 
This kills active MDM processes and removes profiles before they can re-establish.\n\n**For prevention**: run `sudo ./unleash persist` and `sudo ./unleash whitelist` before Migration Assistant. The LaunchDaemon + pf rules survive the migration and catch anything that slips through.\n\n## Hard lock: DFU / IPSW restore\n\nIf MDM is unbreakable — even from Recovery — the device may need a full firmware restore. This applies to Apple Silicon Macs only.\n\n**You need**: a second Mac with Apple Configurator 2 (free from App Store), a USB-C cable, and the correct IPSW file for your Mac model.\n\n**Steps**:\n1. On the helper Mac, open Apple Configurator 2\n2. Connect the locked Mac via USB-C while holding the power button\n   - M1/M2: hold power 10s, keep holding while connecting USB-C\n   - M3/M4: hold power + volume down 10s while connecting\n3. The locked Mac appears as a DFU device in Configurator\n4. Right-click → Advanced → Restore (pick the IPSW file)\n5. Wait 10-30 minutes for restore to finish\n6. Mac reboots to Setup Assistant — **do not connect to Wi-Fi**\n7. 
Immediately boot to Recovery (hold power) and run `unleash bypass`\n\n**This erases all data.** IPSW files are available at [ipsw.me](https://ipsw.me).\n\n## Logging\n\nAll commands now log with timestamps and levels:\n\n```\n[INF] Data volume: /Volumes/Macintosh HD - Data\n[ OK] Admin 'apple' created (UID 501)\n[WRN] DEP activation record present\n[ERR] Firewall needs sudo: sudo ./unleash firewall\n[STP] Locating Data volume by APFS role...\n[DBG] Checking pfctl availability\n```\n\nUse `--verbose` to see debug messages and `--log-file \u003cpath\u003e` to write everything to a file.\n\n## Files\n\n```\nunleash/\n├── unleash                   # Main script (entry point)\n├── lib/\n│   ├── colors.sh             # Logging, colors, prompts\n│   ├── detect.sh             # Recovery detection, volume mounting\n│   ├── validate.sh           # Username/password validation\n│   ├── dscl.sh               # Directory Services (user CRUD)\n│   ├── suppress.sh           # DEP removal, hosts, daemon disable\n│   ├── backup.sh             # Backup and restore\n│   ├── status.sh             # Health check and audit\n│   ├── heal.sh               # Auto-heal + LaunchDaemon persist\n│   ├── firewall.sh           # pf rules management\n│   ├── harden.sh             # Live-OS hardening\n│   ├── whitelist.sh          # Selective iCloud-safe block\n│   ├── check.sh              # Pre-format assessment\n│   └── monitor.sh            # Background MDM watcher\n├── README.md\n├── CONTRIBUTING.md\n├── CODE_OF_CONDUCT.md\n├── SECURITY.md\n├── CHANGELOG.md\n└── LICENSE (MIT)\n```\n\nThe standalone variant (`unleash-standalone.sh`) bundles everything into one file. Build it with `bash examples/build-standalone.sh`.\n\n## Limitations\n\n- **Your serial stays in ABM.** Only the organization can remove it. If the device ever connects to the internet with all protections removed, it will re-enroll.\n- **A full wipe requires re-running.** Clean installs clear the Data volume. 
Boot to Recovery and run bypass again afterward.\n- **macOS updates can reset daemons.** Always run `persist` before an update so `heal` runs automatically after.\n- **`profiles status` may show enrollment.** This is cosmetic — the SSV stores profile state read-only. DEP markers and daemon disable take precedence.\n- **The hosts file can be bypassed.** DNS-over-HTTPS and cached DNS bypass `/etc/hosts`. Use `firewall` or `whitelist` for the kernel-level fix.\n\n## Safety\n\nUnleash is designed to be safe:\n\n- **No SSV writes** — all changes target the Data volume\n- **Reversible** — `backup` saves state, `restore` reverts\n- **No data erasure** — never runs `profiles renew` or erase commands\n- **Idempotent** — running multiple times is harmless\n- **Prompts for confirmation** before destructive actions\n\n## Troubleshooting\n\n### MDM comes back after reboot\nRun `unleash suppress` from Recovery. If it still returns, you have Migration Assistant artifacts. Run `unleash harden` from the booted system.\n\n### profiles shows enrollment\nCosmetic. The SSV stores profile state but the enrollment daemons are disabled. Run `unleash status` to check the actual state on the Data volume.\n\n### FileVault unlock fails\nYou need a user password or the FileVault recovery key. If neither is available, the Data volume cannot be mounted from Recovery.\n\n### \"Not a macOS Data volume\"\nUnleash checks for `/private/var/db/dslocal/nodes/Default` on the mounted volume. If it's missing, you mounted the wrong disk. Run `diskutil list` to find the correct one.\n\n### macOS 27 (or future version)\nUnleash should work on any macOS version that uses the same MDM enrollment mechanism. If a new macOS changes the enrollment daemons or DEP markers, open an issue.\n\n### Monitor won't start\nCheck if it's already running (`monitor-status`). Check permissions — it needs root. 
Check logs at `/var/log/unleash-monitor.log`.\n\n## FAQ\n\n**What macOS versions are supported?**\n12.x (Monterey) through 15.x (Sequoia), 26.x (Tahoe), and 27.x. Tested on Intel T2, M1, M2, M3, M4, M5.\n\n**Do I need to disable SIP?**\nNo. All writes target the Data volume.\n\n**Will this survive an OS reinstall?**\nNo. Clean install wipes the Data volume. Re-run after reinstalling.\n\n**Can the organization track this?**\nThe serial stays in ABM. If the device connects to the internet with enrollment daemons re-enabled, it will re-enroll.\n\n**What if I need iCloud?**\nUse `whitelist` instead of `firewall` or `suppress`. It blocks only MDM endpoints.\n\n**Why does MDM come back after Migration Assistant?**\nMA copies user-level caches, preferences, and launch agents. Unleash handles this — run `bypass` or `suppress` from Recovery after migrating.\n\n## Contributing\n\nSee CONTRIBUTING.md. PRs welcome, especially for:\n\n- New macOS version compatibility\n- Additional MDM domains or daemon labels\n- Migration Assistant detection\n- iCloud / MDM domain research\n\n## License\n\nMIT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmateussiqueira%2Funleash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmateussiqueira%2Funleash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmateussiqueira%2Funleash/lists"}