We had a device that was not able to be managed, so we tried to delete the device and remove the profile to re-enroll. We are not allowed to remove the MDM profile, and reinstalling the profile through self enrollment fails, stating "New profile does not meet criteria to replace existing profile".
For additional info, this computer was part of a pre-stage enrollment originally.
This is one of those "gotcha" scenarios that you have to be ultra careful about. If the profile is installed via MDM and like mentioned has the Allow MDM Profile Removal option disabled, then the profile is locked after installation, and can't be removed through normal means in the OS, no matter how many sudos you throw at it. It can only be removed from the MDM that installed it in the first place. Since it sounds like you deleted the machine from your MDM/Jamf, you might be stuck with wiping and reinstalling at this stage, since I don't think you'll be able to send a remote MDM command to it to unenroll. If it's not in the console to send a command to, you might not have any other choice.
The only other possibility is maybe all profiles can be wiped when booting to Recovery and navigating to the place where they live and rm'ing the whole shebang from there. I can't say I've had a need to try that at all, and I actually forget now the exact path the profile db lives in, but I think it's in /private/var/db/ConfigurationProfiles/. But if you search around you might find it. It's worth a try that way. Might not work though.
@c_archibald I had a similar situation and I was about to wipe & reinstall until someone gave me the method mentioned above to wipe only config profiles from that machine:
You need to boot into macOS Recovery, make sure Macintosh HD is mounted, then from Terminal:
sudo rm -rf /var/db/ConfigurationProfiles/Store/
restart and all profiles should be removed from the machine.
You can try this first:
sudo /usr/bin/profiles -D
If that does not work, try this:
This is what worked for me on a few machines that had locked profiles from a previous MDM. After this I was able to enroll the machine into JAMF without the need to wipe the machine.
This method is a little different, but seems to work on Big Sur & above.
Oh, sorry I should have specified that I did have to work through something as I got a similar error.
You'll need to do a sudo -s first as I don't think it can find matches due to permissions since the account is not elevated yet (even if you put sudo in front of rm):
sudo -s /bin/rm -rf /var/db/ConfigurationProfiles/Store/*
One thing I did find afterwards for one case I did was that when I tried to re-enable SIP I encountered an issue where it asked for the Recovery Key at Recovery Mode instead of presenting accounts that can unlock the drive.
In my case this Mac, apart from having trouble processing MDM commands, had also not escrowed the Recovery Key in Jamf so I had no recovery key to enter. I had to reboot back into normal mode and create a new recovery key plus reboot a couple of times so that I could enter the recovery key it was asking for.
Creating a new recovery key:
sudo fdesetup changerecovery -personal
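As an added example (not code from any poster in this thread), here is a small shell helper around the Recovery-mode deletion described above that adds the step a practitioner would want: it archives the profile store before clearing it, so there is a record of what was installed if the removal ever has to be explained or the device re-enrolled. The volume root argument is an assumption: in Recovery the target disk is mounted under /Volumes, so pass that mount point rather than relying on a bare /var/db.

```shell
#!/bin/sh
# Added example, not from the thread. Back up and then clear the profile
# store under a given volume root, e.g. from macOS Recovery:
#   clear_profile_store "/Volumes/Macintosh HD"
# Assumption: the store is at <root>/var/db/ConfigurationProfiles/Store,
# the same path the thread uses, relative to the volume being cleaned.

clear_profile_store() {
    root="$1"
    # Insist on a real mount point so a typo cannot send rm at the wrong disk.
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "usage: clear_profile_store <volume-root>" >&2
        return 2
    fi
    store="$root/var/db/ConfigurationProfiles/Store"
    if [ ! -d "$store" ]; then
        echo "no profile store at $store" >&2
        return 1
    fi

    # Keep a copy of the installed profiles beside the store before removal.
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$root/var/db/ConfigurationProfiles/Store-backup-$stamp.tar"
    tar -cf "$backup" -C "$store" . || return 1

    # Remove everything inside the store (the rm -rf step from the thread),
    # including dotfiles, but leave the directory itself in place.
    find "$store" -mindepth 1 -delete
    echo "profile store cleared; backup at $backup"
    return 0
}
```

Reboot afterwards as the thread describes; the backup tarball stays on the volume until you delete it.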
Thank you! Your method worked. I followed along with the guide "Remove non-removable Profiles" and tested on a macOS Ventura laptop that was in DEP.
Had issues on someone's MacBook where we removed Jamf via
```sudo jamf removeFramework```
Kept getting errors thrown at us that said
"Enrolling with management server failed. Update to MDM profile contains different server URL."
I appreciate you posting this solution!