Fix mdm profiles (DEP and user-initiated)

rstasel
Valued Contributor

We have about 120 computers in our instance (1600 computers) that show the primary MDM profile isn't verified (via EA). Between the "Renew MDM" command, and the "trustjss" command, we've fixed probably 130 (we started with probably 250), but we're now down to 120 or so that refuse to play along.

Support indicates our fix is "removeMDMprofile" then "mdm" to get the machine to reinstall the management profile. For user-initiated enrollments this is annoying since it's gonna prompt users, so we'll probably need to Bomgar in to remediate.

For the ADE machines, though, this isn't an option. I have NO idea how it broke on the ADE machines (thankfully it's only about 8), but for those 8, the fix is to disable SIP, rip out MDM, then "profiles renew -type enrollment".

Has anyone else seen this? Anyone have better solutions? COVID makes remediation pretty difficult...
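Since the remediation path in the post differs by enrollment type (ADE machines versus user-initiated ones), an Extension Attribute that reports which bucket each Mac falls into, and whether the MDM enrollment is user-approved, makes it easier to scope the 120 stragglers before touching any of them. The script below is an added example, not the EA from the original post or anything shipped by Jamf; it does not check profile signature verification (which the poster's EA does). It assumes the two-line output format of `profiles status -type enrollment` on macOS 10.13.4 and later ("Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)/Yes/No"), and the function and result names are my own.

```shell
#!/bin/sh
# Added example: a Jamf-style Extension Attribute that classifies a Mac's MDM
# enrollment from `profiles status -type enrollment`. Parsing is separated from
# collection so the classifier can be exercised offline with constructed input.
#
# Assumed command output (macOS 10.13.4+), two lines:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|Yes|No

# classify_enrollment: reads the `profiles status` text on stdin and prints one of
#   ade-approved, ade-unapproved, user-approved, user-unapproved, not-enrolled, unknown
classify_enrollment() {
    dep=""
    mdm=""
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP:"*) dep=${line#*: } ;;   # strip the label, keep the value
            "MDM enrollment:"*)   mdm=${line#*: } ;;
        esac
    done

    case "$mdm" in
        "Yes (User Approved)") approved=yes ;;
        Yes*)                  approved=no ;;
        No*)                   printf 'not-enrolled\n'; return 0 ;;
        *)                     printf 'unknown\n';      return 0 ;;   # empty or unexpected output
    esac

    if [ "$dep" = "Yes" ]; then
        prefix=ade
    else
        prefix=user
    fi
    if [ "$approved" = yes ]; then
        printf '%s-approved\n' "$prefix"
    else
        printf '%s-unapproved\n' "$prefix"
    fi
}

# ea_result: runs the real command where it exists (macOS, typically as root under
# the Jamf agent) and wraps the classification in the <result> tags Jamf expects.
# On a host without `profiles` the status is empty and the result is "unknown".
ea_result() {
    if command -v profiles >/dev/null 2>&1; then
        status=$(profiles status -type enrollment 2>/dev/null)
    else
        status=""
    fi
    printf '<result>%s</result>\n' "$(printf '%s\n' "$status" | classify_enrollment)"
}

ea_result
```

With the EA in place, a smart group on the "ade-*" values versus the "user-*" values gives two remediation lists: the user-initiated ones that can take a profile reinstall with a user prompt, and the ADE ones that need hands-on attention.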


Garci4
New Contributor III

I think there isn't a better way, if you're ok with the risks of disabling SIP, besides an OS reinstall. I'm guessing these are non-removable MDM profiles? I've seen this with users that use Migration Assistant (against my advice). Read this a while back - http://rachelviniar.com/non-removable-mdm/ , this part scared me enough not to consider it as an option:

This comes with a whole bucket of risks, though, some of which I’m not sure we’re willing to take. The machine needs to be able to connect to the internet in order to re-enroll, and I’ve seen and heard stories of things going wrong with SIP disabled even for a few minutes with minimal action taken - corrupt System keychains and entire System Preferences functions breaking are just two examples I’ve encountered while trying to execute this fix post-Migration Assistant that have led to wiping the entire machine and setting it up fresh for the user anyway.

rstasel
Valued Contributor

Yeah, I've had to do it on a few DEP machines. Disable SIP, delete stuff, enable SIP, "profiles renew -type enrollment". It fixes it, but it's SUUUUUUUPER sketch.

What I find annoying is that Migration Assistant does this. DEP SHOULD be unharmable. The fact Apple's tool basically borks it is super frustrating.

We do use Migration Assistant pretty frequently, but only to migrate users. But if someone flubs it, or if an end user runs it themselves, boom. Borked. My guess is that what borks it is Migration Assistant replacing the apsd.keychain... since I'm guessing SIP isn't specifically protecting that. Stuff in /var/db/ConfigurationProfiles should be SIP protected (at least, you have to disable SIP to remove it).

Frustrating as hell.