Best Practices for removing a Profile

Valued Contributor II

I want to completely and entirely jetisson a profile from my managed Macs. Is there a best practices procedure for this operation?

Can I litterally just delete the Profile (and its respective payloads) from the JSS? Or is it better to remove each payload out first, let the clients sync and then nuke the Profile?

I was playing with lock screen settings during my IT POC testing phase, and they accidently went into production. Opps. Actually no big deal, but due to the issues related to bugs and inconsistencies with these particular settings, Im going to bail-out.

I was fairly rough-and-tumble during testing regarding yanking settings on-the-fly. But now that Im "live" in production (with ~300 potenial angry end users), I want to be more surgical - for obvious reasons.

I want to make sure I revert/jettison the Profile in a way that gives back the end users full control over the settings that I was previously managing with JAMF without any conflicts or "sticky bits".


Legendary Contributor III

I'm not 100% certain, but I think best practice is to remove the scope from the Config Profile in the JSS and when prompted at save time if you want to redistribute to all clients, click Yes. This should, I believe, remove said profile entirely from each machine, as they receive the push command.
I think if you simply nuke the profile from the JSS, it might not get removed from the Macs its applied to. I know way back in the day under the older MCX predecessor to profiles, that was the best practice if looking to remove them. When I was very green in using the JSS, I once made the mistake of deleting an MCX setting, thinking it would just remove it from the machines, but it never did. I had to then go back in and manually remove them from each Mac. Ouch.

Valued Contributor II

Thank you. Exactly what I needed to know. Makes logical sense to me. Deleting a Profile "cold turkey" from the JSS and expect the managed clients to respond accordingly would be...magical!

Just curious, how did you end up scrubbing the orphaned Profile from the Mac clients? Did you whip-up a "seek-and-destroy" script (/usr/bin/profiles -R -p XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX) and push it via a Policy or Casper Remote/ARD, etc?