Cannot Remove Profile

BrandonMaher
New Contributor II

We had a device that was not able to be managed, so we tried to delete the device and remove the profile to re-enroll. We are not allowed to remove the MDM profile, and reinstalling the profile through self enrollment fails, stating "New profile does not meet criteria to replace existing profile".

For additional info, this computer was part of a pre-stage enrollment originally.

DBrowning
Valued Contributor II

Try using the Management command for Remove MDMProfile.  I'm going to guess that in your pre-stage you have "Allow MDM Profile Removal" unchecked.  If that doesn't work, you may need to wipe and start over.

mm2270
Legendary Contributor III

This is one of those "gotcha" scenarios that you have to be ultra careful about. If the profile is installed via MDM and like mentioned has the Allow MDM Profile Removal option disabled, then the profile is locked after installation, and can't be removed through normal means in the OS, no matter how many sudos you throw at it. It can only be removed from the MDM that installed it in the first place. Since it sounds like you deleted the machine from your MDM/Jamf, you might be stuck with wiping and reinstalling at this stage, since I don't think you'll be able to send a remote MDM command to it to unenroll. If it's not in the console to send a command to, you might not have any other choice.

The only other possibility is maybe all profiles can be wiped when booting to Recovery and navigating to the place where they live and rm'ing the whole shebang from there. I can't say I've had a need to try that at all, and I actually forget now the exact path the profile db lives in, but I think it's in /private/var/db/ConfigurationProfiles/. But if you search around you might find it. It's worth a try that way. Might not work though.

c_archibald
Contributor II

Did you use in Terminal? Try first:
sudo jamf removeMdmProfile

Then:
sudo jamf removeFramework

For us, the last one removes the JAMF framework & uninstalls the MDM & other Profiles added by JAMF.

This worked for us. And then you can manually re-enroll it to get the right certs and profiles on the machine.

Genius, I have been trying to figure that out for months

“sudo jamf remove MdmProfile” results in “sudo: jamf: command not found”?

MacJunior
Contributor III

@c_archibald I had a similar situation and I was about to wipe & reinstall until someone gave me the method mentioned above to wipe only config profiles from that machine:

You need to boot into macOS Recovery, make sure Macintosh HD is mounted, then from Terminal:

sudo rm -rf /var/db/ConfigurationProfiles/Store/

Restart and all profiles should be removed from the machine.

dbrundage
New Contributor II

You can try this first:

sudo /usr/bin/profiles -D

If that does not work, try this:

  1. In Recovery mode, select Utilities -> Terminal from the menu bar.
  2. Type csrutil disable and reboot the Mac. This will disable System Integrity Protection (SIP).
  3. Once you have logged in to the Mac, open Terminal and run the following command:
    sudo /bin/rm -rf /var/db/ConfigurationProfiles/Store/*
    (This will remove all profiles)
  4. Exit Terminal & reboot the Mac.
  5. Once the Mac has rebooted, open System Preferences -> Profiles.
    You should now be able to remove all of the profiles in the Profiles utility. If the Profiles utility is missing, there are no profiles.
  6. Go back into Recovery mode -> Terminal & type csrutil enable. This will enable SIP again.

This is what worked for me on a few machines that had locked profiles from a previous MDM. After this I was able to enroll the machine into JAMF without the need to wipe the machine.

Update:
This method is a little different, but seems to work on Big Sur & above.
https://graffino.com/til/UmkCdmEx7v-remove-a-non-removable-mdm-profile-from-macos-without-a-complete... 

Thanks! This worked like a charm to manually remove the profiles for a Mac that had stopped processing MDM commands from our Jamf server.

Didn't work for me, I get the error "no matches found".

Oh, sorry I should have specified that I did have to work through something as I got a similar error.

You'll need to do a sudo -s first as I don't think it can find matches due to permissions since the account is not elevated yet (even if you put sudo in front of rm):

So basically

sudo -s
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

One thing I did find afterwards for one case I did was that when I tried to re-enable SIP I encountered an issue where it asked for the Recovery Key at Recovery Mode instead of presenting accounts that can unlock the drive.

In my case this Mac, apart from having trouble processing MDM commands, had also not escrowed the Recovery Key in Jamf so I had no recovery key to enter. I had to reboot back into normal mode and create a new recovery key plus reboot a couple of times so that I could enter the recovery key it was asking for. 

Creating a new recovery key:

sudo fdesetup changerecovery -personal

aledesma
New Contributor II

Thank you! Your method worked. I followed along with this guide, Remove non-removable Profiles, and tested it on a macOS Ventura laptop that was in DEP.

Had issues on someone's MacBook where we removed Jamf via

```
sudo jamf removeFramework
```
Kept getting errors thrown at us that said
"Enrolling with management server failed. Update to MDM profile contains different server URL." 

I appreciate you posting this solution! 

We ran the commands to remove the profile store and the one in the link in the document to remove the commands. The profiles all stayed locked. Did it a second time with sudo -s and this time the profiles removed. Saved us a full wipe and reload. Thanks for adding that.

aledesma
New Contributor II

Definitely. I appreciate helpful guides like this that have tiny variables. Glad you avoided the full wipe! 

I actually deleted the folder manually (so likely my bad syntax), but everything else worked like a dream. You made my day, thanks mate!

msergi
New Contributor III

Thanks so much for posting this, I have been looking for a method to re-enroll devices that stop communicating without wiping for a long time now. The article you linked worked perfectly with the small amendment that you need to use sudo elevation for the deletion and mkdir.

diegoFA
New Contributor II

Thank you 😁

rzoppi
New Contributor III

Thank you so much! Simple and straightforward fix.

daveSoupy
New Contributor II

Still works for me in 2024

jttavares
New Contributor III

Question on this. If I have created profiles using Configurator or iMazing for Macs and had "PayloadRemovalDisallowed" set to true and pushed the profile out with Jamf, can I still remove it with Jamf? Not using DEP. I assumed PayloadRemovalDisallowed was only to stop users removing the profile locally. Thanks.

aledesma
New Contributor II

If your "PayloadRemovalDisallowed" profile is visible in your Jamf menu, you can certainly remove it with Jamf. 

Jamf's documentation states that: [screenshot of Jamf's documentation, not reproduced here]

Do you know if you can overwrite that profile? If the profile is modified and pushed out, will it overwrite the existing one? I have the same question. Inherited a Jamf project and want to modify some profiles already out there. I just want to push them out again and go over the existing ones, since they have the same IDs, instead of removing and then pushing out again.

Sorry for the late reply and hope you found out that it is definitely possible to update a profile. As soon as you make a change and attempt to save, Jamf should prompt you to apply it to machines that already have the profile distributed or only to newly enrolled machines. Selecting the first option, to distribute to machines that already have the profile, will make the changes you are looking for.
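As an added example (not from any poster in this thread, and not Jamf's code): a small Python audit of a .mobileconfig that reports the PayloadRemovalDisallowed flag and PayloadIdentifier discussed above, and builds a same-identifier, higher-version copy, which is what makes a re-push an update of the existing profile rather than a second profile. The sample profile and all its values are constructed.

```python
import plistlib

# Constructed sample .mobileconfig, shaped like an Apple Configurator / iMazing
# export, with PayloadRemovalDisallowed set at the top (profile) level.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example Wi-Fi (constructed)</string>
  <key>PayloadIdentifier</key><string>com.example.profile.wifi</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.profile.wifi.p1</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpWiFi</string>
    </dict>
  </array>
</dict>
</plist>
"""

def audit_profile(data: bytes) -> dict:
    """Report the keys that decide whether a user can remove the profile
    locally (PayloadRemovalDisallowed) and how the OS identifies it."""
    p = plistlib.loads(data)
    return {
        "identifier": p.get("PayloadIdentifier"),
        "version": p.get("PayloadVersion"),
        "removal_disallowed": bool(p.get("PayloadRemovalDisallowed", False)),
        "payload_types": [c.get("PayloadType") for c in p.get("PayloadContent", [])],
    }

def make_update(data: bytes, **changes) -> bytes:
    """Return a copy with the top-level keys in `changes` applied and
    PayloadVersion bumped; identifier and UUID are kept so the OS treats
    the result as a replacement of the installed profile, not a new one."""
    p = plistlib.loads(data)
    p.update(changes)
    p["PayloadVersion"] = int(p.get("PayloadVersion", 0)) + 1
    return plistlib.dumps(p)

def is_update_of(new: bytes, existing: bytes) -> bool:
    """Same PayloadIdentifier means the new profile replaces the existing one."""
    return plistlib.loads(new)["PayloadIdentifier"] == plistlib.loads(existing)["PayloadIdentifier"]
```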

DennisSc
New Contributor

I followed the instructions through csrutil enable.

I received the error message, "Failed to update security configuration for "Macintosh HD": The signing server declined the personalization request."

Sounds like I'll have to back up the data and wipe the drive.