Help

Chose wrong method for un-managing computer, now it's in limbo

macservit
New Contributor III

Posted on ‎07-29-2021 03:04 PM

I was experimenting on a Big Sur M1 MBP enrolled with pre-stage enrollment via DEP. Trying to put together some screenshots to create an end-user support document for migrating from another MDM provider to Jamf. The Mac was already enrolled in Jamf and I had hoped to simply remove the enrollment and then re-run the sudo profiles command to pop the user dialogs for re-enrolling. Where I messed up was choosing Delete in Jamf instead of running the management command to remove the MDM profile. What I'm left with is non-removable profiles on the Mac, an "Unmanaged" status in Jamf Pro (cloud) and an empty Management Commands section for the device. Oddly, it is still checking in to Jamf as expected. What are my options, I'd prefer not to wipe. I could assign it to a different MDM platform in ABM and run the profiles command, but I don't know if that will fail since there is already a profile installed. Is there a terminal command I could run locally on the Mac to get it back to a Managed state? Thanks!

Reply
6 REPLIES 6

JoeA2
New Contributor II

Posted on ‎07-29-2021 03:58 PM

I'm in the same boat with an iPad. 

0 Kudos
Reply

NYC-Lights
New Contributor
In response to JoeA2

Posted on ‎07-30-2021 05:18 AM

Ipads are even less forgiving. That'll need to be wiped

Reply

JoeA2
New Contributor II
In response to NYC-Lights

Posted on ‎07-30-2021 08:43 AM

I ended up realizing they were looking for my credentials used for ABM. Odd thing is that I never entered that in Jamf so I'm not sure how it knew those credentials existed. Only thing I can figure is that it was those credentials that were used in ABM to make Jamf the MDM. That's going to be a nightmare since they require different credentials for all admins as people come and go over the years.

Thanks,

Joe
0 Kudos
Reply

walt
Contributor III

‎07-29-2021 10:04 PM - edited ‎07-29-2021 10:15 PM

have you tried running this command on the Mac:

 

sudo profiles renew -type enrollment

 

to enroll in your existing MDM, I believe even if you reassign the device in ABM to another MDM those profiles are stuck. On Intel macs you'd have to disable SIP and run a few commands but those did not always work.

0 Kudos
Reply

NYC-Lights
New Contributor

Posted on ‎07-29-2021 10:37 PM

Since you have sudo access, you're actually in luck. Reboot your computer into recovery mode, open a terminal and turn off SIP by running 'csrutil disable'. Reboot and log into your desktop session. From there, open up terminal and run 'sudo rm -R /var/db/ConfigurationProfiles/Settings/*', repeat for /var/db/ConfigurationProfiles/Store/*', and '/Library/Managed\ Preferences/'. Reboot into recovery mode, enable SIP, reboot and sign into your desktop session once more. Confirm the device is assigned to the correct MDM server in apple business manager, and finally run 'sudo profiles renew -type enrollment' we mentioned above to trigger a DEP enrollment notification.

0 Kudos
Reply

mainelysteve
Valued Contributor II

Posted on ‎07-30-2021 05:07 AM

You can do the above in the recovery partition. No need to turn SIP off. Just ensure you cd into /Volumes/Macintosh HD/ in terminal. You may in some circumstances need to remove /Library/Keychains/apsd.keychain as well.

0 Kudos
Reply