Cannot Remove Profile

BrandonMaher
New Contributor II

We had a device that was not able to be managed, so we tried to delete the device and remove the profile to re-enroll. We are not allowed to remove the MDM profile, and reinstalling the profile through self enrollment fails, stating "New profile does not meet criteria to replace existing profile".

 

For additional info, this computer was part of a pre-stage enrollment originally.

 

Screen Shot 2021-07-30 at 3.16.49 PM.png

10 REPLIES 10

DBrowning
Valued Contributor II

Try using the Management command for Remove MDMProfile.  I'm going to guess that in your pre-stage you have "Allow MDM Profile Removal" unchecked.  If that doesn't work, you may need to wipe and start over.

mm2270
Legendary Contributor II

This is one of those "gotcha" scenarios that you have to be ultra careful about. If the profile is installed via MDM and like mentioned has the Allow MDM Profile Removal option disabled, then the profile is locked after installation, and can't be removed through normal means in the OS, no matter how many sudos you throw at it. It can only be removed from the MDM that installed it in the first place. Since it sounds like you deleted the machine from your MDM/Jamf, you might be stuck with wiping and reinstalling at this stage, since I don't think you'll be able to send a remote MDM command to it to unenroll. If it's not in the console to send a command to, you might not have any other choice.

The only other possibility is maybe all profiles can be wiped when booting to Recovery and navigating to the place where they live and rm'ing the whole shebang from there. I can't say I've had a need to try that at all, and I actually forget now the exact path the profile db lives in, but I think it's in /private/var/db/ConfigurationProfiles/. But if you search around you might find it. It's worth a try that way. Might not work though.

c_archibald
Contributor II

Did you use in Terminal? Try first:
sudo jamf removeMdmProfile

Then:
sudo jamf removeFramework

For us, the last one removes the JAMF framework & uninstalls the MDM & other Profiles added by JAMF.

This worked for us. And then you can manually re enroll it to get the right certs and profiles on the machine. 

MacJunior
Contributor

@c_archibald  I had a similar situation and I was about to wipe & reinstall until someone gave me the method mentioned above to wipe only config profiles from that machine : 

You need to boot into macOS recovery, make sure Macintosh HD is Mounted then from Terminal :

Sudo rm -rf /var/db/ConfigurationProfiles/Store/

restart and all profiles should be removed from the machine. 

dbrundage
New Contributor II

You can try this first:

sudo /usr/bin/profiles -D

If that does not work, try this:

  1. In Recovery mode, select Utilities-> Terminal from the menu bar.
  2. Type csrutil disable and reboot the Mac. This will disable System Integrity Protection (SIP).
  3. Once you have logged in to the Mac, open Terminal and run the following command:
    sudo /bin/rm -rf /var/db/ConfigurationProfiles/Store/*
    (This will remove all profiles)
  4. Exit Terminal & reboot the Mac.
  5. Once the Mac has rebooted open System Preferences-> Profiles.
    You should now be able to remove all of the profiles in the profiles utility. If the Profiles utility is missing, there are no profiles.
  6. Go back in to Recovery mode -> Terminal & type csrutil enable.  This will enable SIP again.

This is what worked for me on a few machines that had locked profiles from a previous MDM. After this I was able to enroll the machine in to JAMF without the need to wipe the machine.

 

Thanks! This worked like a charm to manually remove the profiles for a Mac that had stopped processing MDM commands from our Jamf server.

Didn't work for me I get the error " no matches found "

Oh, sorry I should have specified that I did have to work through something as I got a similar error.

You'll need to do a sudo -s first as I don't think it can find matches due to permissions since the account is not elevated yet (even if you put sudo in front of rm):

So basically

sudo -s
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

 

One thing I did find afterwards for one case I did was that when I tried to re-enable SIP I encountered an issue where it asked for the Recovery Key at Recovery Mode instead of presenting accounts that can unlock the drive.

Screen Shot 2022-01-20 at 8.58.40 AM.png

In my case this Mac, apart from having trouble processing MDM commands, had also not escrowed the Recovery Key in Jamf so I had no recovery key to enter. I had to reboot back into normal mode and create a new recovery key plus reboot a couple of times so that I could enter the recovery key it was asking for. 

Creating a new recovery key:

sudo fdesetup changerecovery -personal

 Screen Shot 2022-01-19 at 11.49.37 AM copy.png

I actually deleted the folder manually which (so likely my bad syntax) but everything else worked like a dream..you made my day thanks mate !