Prevent disabling System Integrity Protection via MDM

Is it possible to disallow users from disabling System Integrity Protection on their Mac machines? We have organisation Mac machines allocated to employees and we would like to keep those machines safe by not allowing users to disable SIP, remove the MDM profile or perform any unsafe action. Is it possible? We would be interested even if there is a non-MDM solution that can prevent users from disabling SIP.

What you may be looking for is a policy audit & enforcement "endpoint protection" solution; more than likely you want your devices to go offline if the policy audit fails for any reason, so not sure this is the right forum.

It's a bit belt and suspenders, but users (executives) can be quite crafty; however, when Google and email stop working and they have to wait to wipe their now untrusted device to get back online, the behavior better matches what you are looking for.

Thanks @const_void for your response. I was looking for a technical way for MDM providers to implement this policy to control whether users are allowed to disable SIP or not. I looked through Apple's list here and could not find anything about controlling SIP. So wanted to understand whether it's even possible or not.

Major MDM providers like JAMF and Intune do provide an option to create smart groups based on whether SIP is enabled or not. But is there a way to prevent users from disabling SIP? In certain cases, we cannot block access to users because some of them are education bodies who control the machines via MDM, not just employees.
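The audit side of the thread (an MDM smart group keyed on SIP state) rests on reading `csrutil status` on each Mac. The script below is an added example written for this page, not code from the thread or from any MDM vendor: it classifies `csrutil status` output into a compliance state and prints it in the `<result>…</result>` shape that a Jamf-style extension attribute is assumed to read, so the MDM can scope a smart group or trigger the "go offline until remediated" policy described above. The sample outputs are constructed for offline testing; the `enabled`/`disabled` wording matches what `csrutil` prints, while the custom-configuration block is an assumption.

```shell
#!/bin/sh
# Added example (not from the forum thread): classify `csrutil status`
# output so an MDM inventory script can report SIP state per device.

# Map csrutil output (passed as $1) to one of: enabled, disabled, custom, unknown.
# "custom" covers a partially relaxed SIP (csrutil reports "unknown" then lists
# the individual protections); an auditor should treat it as non-compliant.
sip_state_from_status() {
    case "$1" in
        *"System Integrity Protection status: enabled."*)  echo enabled ;;
        *"System Integrity Protection status: disabled."*) echo disabled ;;
        *"System Integrity Protection status: unknown"*)   echo custom ;;
        *)                                                 echo unknown ;;
    esac
}

# Compliance decision: only a fully enabled SIP passes.
# Returns 0 (pass) or 1 (fail) so it can drive a policy action directly.
sip_compliant() {
    [ "$(sip_state_from_status "$1")" = "enabled" ]
}

# Live check for use on a real Mac; degrades to "unknown" where csrutil is absent.
report_sip() {
    if command -v csrutil >/dev/null 2>&1; then
        status="$(csrutil status 2>/dev/null)"
    else
        status=""
    fi
    state="$(sip_state_from_status "$status")"
    # Assumed extension-attribute format: the MDM reads the value between the
    # <result> tags and can build a smart group from it (e.g. state != enabled).
    printf '<result>%s</result>\n' "$state"
    sip_compliant "$status"
}

# Constructed sample outputs for offline use (not captured from real hosts).
SAMPLE_ENABLED="System Integrity Protection status: enabled."
SAMPLE_DISABLED="System Integrity Protection status: disabled."
SAMPLE_CUSTOM="System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled"

# Run the live check only when asked, so sourcing the file for tests is harmless.
case "${1:-}" in
    --live) report_sip ;;
esac
```

Run with `sh sip_audit.sh --live` on a managed Mac to emit the extension-attribute line and a pass/fail exit status; the three state buckets (enabled, disabled, custom) let the smart group distinguish a fully disabled SIP from a partially relaxed one, which is the gap a simple boolean check misses.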
