Chose wrong method for un-managing computer, now it's in limbo

macservit
New Contributor II

I was experimenting on a Big Sur M1 MBP enrolled with pre-stage enrollment via DEP. Trying to put together some screenshots to create an end-user support document for migrating from another MDM provider to Jamf. The Mac was already enrolled in Jamf and I had hoped to simply remove the enrollment and then re-run the sudo profiles command to pop the user dialogs for re-enrolling. Where I messed up was choosing Delete in Jamf instead of running the management command to remove the MDM profile. What I'm left with is non-removable profiles on the Mac, an "Unmanaged" status in Jamf Pro (cloud) and an empty Management Commands section for the device. Oddly, it is still checking in to Jamf as expected. What are my options, I'd prefer not to wipe. I could assign it to a different MDM platform in ABM and run the profiles command, but I don't know if that will fail since there is already a profile installed. Is there a terminal command I could run locally on the Mac to get it back to a Managed state? Thanks!

6 REPLIES 6

JoeA2
New Contributor II

I'm in the same boat with an iPad. 

Ipads are even less forgiving. That'll need to be wiped

JoeA2
New Contributor II
I ended up realizing they were looking for my credentials used for ABM. Odd thing is that I never entered that in Jamf so I'm not sure how it knew those credentials existed. Only thing I can figure is that it was those credentials that were used in ABM to make Jamf the MDM. That's going to be a nightmare since they require different credentials for all admins as people come and go over the years.

Thanks,

Joe

walt
Contributor III

have you tried running this command on the Mac:

 

sudo profiles renew -type enrollment

 

to enroll in your existing MDM, I believe even if you reassign the device in ABM to another MDM those profiles are stuck. On Intel macs you'd have to disable SIP and run a few commands but those did not always work.

NYC-Lights
New Contributor

Since you have sudo access, you're actually in luck. Reboot your computer into recovery mode, open a terminal and turn off SIP by running 'csrutil disable'. Reboot and log into your desktop session. From there, open up terminal and run 'sudo rm -R /var/db/ConfigurationProfiles/Settings/*', repeat for /var/db/ConfigurationProfiles/Store/*', and '/Library/Managed\ Preferences/'. Reboot into recovery mode, enable SIP, reboot and sign into your desktop session once more. Confirm the device is assigned to the correct MDM server in apple business manager, and finally run 'sudo profiles renew -type enrollment' we mentioned above to trigger a DEP enrollment notification.

mainelysteve
Valued Contributor

You can do the above in the recovery partition. No need to turn SIP off. Just ensure you cd into /Volumes/Macintosh HD/ in terminal. You may in some circumstances need to remove /Library/Keychains/apsd.keychain as well.