Jamf Nation Community

BrandonMaher · ‎07-30-2021

We had a device that was not able to be managed, so we tried to delete the device and remove the profile to re-enroll. We are not allowed to remove the MDM profile, and reinstalling the profile through self enrollment fails, stating "New profile does not meet criteria to replace existing profile".

For additional info, this computer was part of a pre-stage enrollment originally.

DBrowning · ‎07-30-2021

Try using the Management command for Remove MDMProfile. I'm going to guess that in your pre-stage you have "Allow MDM Profile Removal" unchecked. If that doesn't work, you may need to wipe and start over.

mm2270 · ‎07-30-2021

This is one of those "gotcha" scenarios that you have to be ultra careful about. If the profile is installed via MDM and like mentioned has the Allow MDM Profile Removal option disabled, then the profile is locked after installation, and can't be removed through normal means in the OS, no matter how many sudos you throw at it. It can only be removed from the MDM that installed it in the first place. Since it sounds like you deleted the machine from your MDM/Jamf, you might be stuck with wiping and reinstalling at this stage, since I don't think you'll be able to send a remote MDM command to it to unenroll. If it's not in the console to send a command to, you might not have any other choice.

The only other possibility is maybe all profiles can be wiped when booting to Recovery and navigating to the place where they live and rm'ing the whole shebang from there. I can't say I've had a need to try that at all, and I actually forget now the exact path the profile db lives in, but I think it's in /private/var/db/ConfigurationProfiles/. But if you search around you might find it. It's worth a try that way. Might not work though.

c_archibald · ‎07-30-2021

Did you use in Terminal? Try first:
sudo jamf removeMdmProfile

Then:
sudo jamf removeFramework

For us, the last one removes the JAMF framework & uninstalls the MDM & other Profiles added by JAMF.

jasonh2589 · ‎03-02-2022

This worked for us. And then you can manually re enroll it to get the right certs and profiles on the machine.

MacJunior · ‎08-01-2021

@c_archibald I had a similar situation and I was about to wipe & reinstall until someone gave me the method mentioned above to wipe only config profiles from that machine :

You need to boot into macOS recovery, make sure Macintosh HD is Mounted then from Terminal :

Sudo rm -rf /var/db/ConfigurationProfiles/Store/

restart and all profiles should be removed from the machine.

dbrundage · ‎08-02-2021

You can try this first:

sudo /usr/bin/profiles -D

If that does not work, try this:

In Recovery mode, select Utilities-> Terminal from the menu bar.
Type csrutil disable and reboot the Mac. This will disable System Integrity Protection (SIP).
Once you have logged in to the Mac, open Terminal and run the following command:
sudo /bin/rm -rf /var/db/ConfigurationProfiles/Store/*
(This will remove all profiles)
Exit Terminal & reboot the Mac.
Once the Mac has rebooted open System Preferences-> Profiles.
You should now be able to remove all of the profiles in the profiles utility. If the Profiles utility is missing, there are no profiles.
Go back in to Recovery mode -> Terminal & type csrutil enable. This will enable SIP again.

This is what worked for me on a few machines that had locked profiles from a previous MDM. After this I was able to enroll the machine in to JAMF without the need to wipe the machine.

Update:
This method is a little different, but seems to work on Big Sur & above.
https://graffino.com/til/UmkCdmEx7v-remove-a-non-removable-mdm-profile-from-macos-without-a-complete...

fernando_gonzal · ‎01-18-2022

Thanks! This worked like a charm to manually remove the profiles for a Mac that had stopped processing MDM commands from our Jamf server.

ukmercenary · ‎01-20-2022

Didn't work for me I get the error " no matches found "

fernando_gonzal · ‎01-20-2022

Oh, sorry I should have specified that I did have to work through something as I got a similar error.

You'll need to do a sudo -s first as I don't think it can find matches due to permissions since the account is not elevated yet (even if you put sudo in front of rm):

So basically

sudo -s
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

One thing I did find afterwards for one case I did was that when I tried to re-enable SIP I encountered an issue where it asked for the Recovery Key at Recovery Mode instead of presenting accounts that can unlock the drive.

In my case this Mac, apart from having trouble processing MDM commands, had also not escrowed the Recovery Key in Jamf so I had no recovery key to enter. I had to reboot back into normal mode and create a new recovery key plus reboot a couple of times so that I could enter the recovery key it was asking for.

Creating a new recovery key:

sudo fdesetup changerecovery -personal

aledesma · ‎10-27-2022

Thank you! Your method worked. I followed along with this guide
Remove non-removable Profiles
on and tested on a macOS Ventura laptop that was in DEP.

Had issues on someones macbook where we removed jamf via
```sudo jamf removeFramwork```

Kept getting errors thrown at us that said
"Enrolling with management server failed. Update to MDM profile contains different server URL."

I appreciate you posting this solution!

ukmercenary · ‎01-20-2022

I actually deleted the folder manually which (so likely my bad syntax) but everything else worked like a dream..you made my day thanks mate !

msergi · ‎12-08-2022

Thanks so much for posting this, I ahve been looking for a method to re-enroll devices that stop communicating without wiping for a long time now. the article you linked worked perfectly with the small amendment that you need to use sudo elevation for the deletion and mkdir

diegoFA · ‎02-17-2023

Thank you 😁

Jamf Nation Community

Cannot Remove Profile