
aesh2Xa1 08/10/2025 (1 reply)

Yeah, your point about implementation is correct -- much of the MDM functionality runs within macOS.

But, eh, I still think it's fair to describe it as a feature of the firmware. The enrollment and prevention of removal have firmware-level components through Apple's Secure Boot and System Integrity Protection. A user can't simply disable MDM because these firmware-level protections prevent tampering with the enrollment.

Case in point, getting Linux installed in the first place would be blocked by firmware-level boot policies, right? I'm not too knowledgeable about this, and maybe you are more so.


Replies

wtallis 08/10/2025

I think it's important to make a distinction between secure boot features that are local-only, and remote management features. The "Remote Device Management baked into firmware" claim above carries with it some pretty important implications that are, as far as I can tell, not actually true.

It's not too different from scaremongering about Intel ME/AMT which is often maligned even in the context of computers that don't have the necessary Intel NICs for the remote management features.
