Cannot Remove Profile

BrandonMaher
New Contributor II

We had a device that was not able to be managed, so we tried to delete the device and remove the profile to re-enroll. We are not allowed to remove the MDM profile, and reinstalling the profile through self enrollment fails, stating "New profile does not meet criteria to replace existing profile".

 

For additional info, this computer was part of a pre-stage enrollment originally.

 

Screen Shot 2021-07-30 at 3.16.49 PM.png

21 REPLIES 21

DBrowning
Valued Contributor II

Try using the Management command for Remove MDMProfile.  I'm going to guess that in your pre-stage you have "Allow MDM Profile Removal" unchecked.  If that doesn't work, you may need to wipe and start over.

mm2270
Legendary Contributor III

This is one of those "gotcha" scenarios that you have to be ultra careful about. If the profile is installed via MDM and like mentioned has the Allow MDM Profile Removal option disabled, then the profile is locked after installation, and can't be removed through normal means in the OS, no matter how many sudos you throw at it. It can only be removed from the MDM that installed it in the first place. Since it sounds like you deleted the machine from your MDM/Jamf, you might be stuck with wiping and reinstalling at this stage, since I don't think you'll be able to send a remote MDM command to it to unenroll. If it's not in the console to send a command to, you might not have any other choice.

The only other possibility is maybe all profiles can be wiped when booting to Recovery and navigating to the place where they live and rm'ing the whole shebang from there. I can't say I've had a need to try that at all, and I actually forget now the exact path the profile db lives in, but I think it's in /private/var/db/ConfigurationProfiles/. But if you search around you might find it. It's worth a try that way. Might not work though.

c_archibald
Contributor II

Did you use in Terminal? Try first:
sudo jamf removeMdmProfile

Then:
sudo jamf removeFramework

For us, the last one removes the JAMF framework & uninstalls the MDM & other Profiles added by JAMF.

This worked for us. And then you can manually re enroll it to get the right certs and profiles on the machine. 

Genius, I have been trying to figure that out for months

MacJunior
Contributor III

@c_archibald  I had a similar situation and I was about to wipe & reinstall until someone gave me the method mentioned above to wipe only config profiles from that machine : 

You need to boot into macOS recovery, make sure Macintosh HD is Mounted then from Terminal :

Sudo rm -rf /var/db/ConfigurationProfiles/Store/

restart and all profiles should be removed from the machine. 

dbrundage
New Contributor II

You can try this first:

sudo /usr/bin/profiles -D

If that does not work, try this:

  1. In Recovery mode, select Utilities-> Terminal from the menu bar.
  2. Type csrutil disable and reboot the Mac. This will disable System Integrity Protection (SIP).
  3. Once you have logged in to the Mac, open Terminal and run the following command:
    sudo /bin/rm -rf /var/db/ConfigurationProfiles/Store/*
    (This will remove all profiles)
  4. Exit Terminal & reboot the Mac.
  5. Once the Mac has rebooted open System Preferences-> Profiles.
    You should now be able to remove all of the profiles in the profiles utility. If the Profiles utility is missing, there are no profiles.
  6. Go back in to Recovery mode -> Terminal & type csrutil enable.  This will enable SIP again.

This is what worked for me on a few machines that had locked profiles from a previous MDM. After this I was able to enroll the machine in to JAMF without the need to wipe the machine.

Update:
This method is a little different, but seems to work on Big Sur & above.
https://graffino.com/til/UmkCdmEx7v-remove-a-non-removable-mdm-profile-from-macos-without-a-complete... 

Thanks! This worked like a charm to manually remove the profiles for a Mac that had stopped processing MDM commands from our Jamf server.

Didn't work for me I get the error " no matches found "

Oh, sorry I should have specified that I did have to work through something as I got a similar error.

You'll need to do a sudo -s first as I don't think it can find matches due to permissions since the account is not elevated yet (even if you put sudo in front of rm):

So basically

sudo -s
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

 

One thing I did find afterwards for one case I did was that when I tried to re-enable SIP I encountered an issue where it asked for the Recovery Key at Recovery Mode instead of presenting accounts that can unlock the drive.

Screen Shot 2022-01-20 at 8.58.40 AM.png

In my case this Mac, apart from having trouble processing MDM commands, had also not escrowed the Recovery Key in Jamf so I had no recovery key to enter. I had to reboot back into normal mode and create a new recovery key plus reboot a couple of times so that I could enter the recovery key it was asking for. 

Creating a new recovery key:

sudo fdesetup changerecovery -personal

 Screen Shot 2022-01-19 at 11.49.37 AM copy.png

Thank you! Your method worked. I followed along with this guide
Remove non-removable Profiles 
on and tested on a macOS Ventura laptop that was in DEP.

Had issues on someones macbook where we removed jamf via
```sudo jamf removeFramwork``` 

Kept getting errors thrown at us that said
"Enrolling with management server failed. Update to MDM profile contains different server URL." 

I appreciate you posting this solution! 

We ran the commands to remove the profilestore and the one in the link in the document to remove the commands.  The profiles all stayed locked.  Did it a second time with Sudo -s and this time the profiles removed.  Saved us a full wipe and reload.  Thanks for adding that.

aledesma
New Contributor II

Definitely. I appreciate helpful guides like this that have tiny variables. Glad you avoided the full wipe! 

I actually deleted the folder manually which (so likely my bad syntax) but everything else worked like a dream..you made my day thanks mate ! 

msergi
New Contributor III

Thanks so much for posting this, I ahve been looking for a method to re-enroll devices that stop communicating without wiping for a long time now. the article you linked worked perfectly with the small amendment that you need to use sudo elevation for the deletion and mkdir

diegoFA
New Contributor II

Thank you 😁

rzoppi
New Contributor III

Thank you so much! Simple and straightforward fix.

jttavares
New Contributor III

Question on this.  If I have created profiles using Configurator or Imazing for Macs and had the 

"PayloadRemovalDisallowed" set to true and pushed the profile out with Jamf.  Can I still remove it with Jamf?  Not using DEP.   I assumed the PayloadRemovalDisallowed was only for users to not remove the profile locally.   thanks

aledesma
New Contributor II

If your "PayloadRemovalDisallowed" profile is visible in your Jamf menu, you can certainly remove it with Jamf. 

Jamf's documentation states that:

screenshot.png

Do you know if you can overwrite that profile?  If the profile is modified and pushed out, will it overwrite the existing?  I have same question.  Inherited a Jamf project and want to modify some profiles already out there.  I just want to push them out again and go over the existing since same IDs instead of removing and them pushing out again.   

 

Sorry for the late reply and hope you found out that it is definitely possible to update a profile. As soon as you make a change and attempt to save, Jamf should prompt you to apply to profile that is already distributed or only to newly enrolled machines. Selecting the first option to distribute to machines that already have the profile will make the changes you are looking for.