You may have encountered Macs with broken profiles that cannot be removed no matter what you do. When profiles break, management communication between the Jamf Pro server and the Mac has been lost and the previously set profiles become stuck, which effectively prevents you from re-enrolling the Mac in Jamf Pro (or any other MDM server). Until now, the only solution was to wipe the Mac clean and start from scratch. With many end-users working remotely, this was not a viable option. Below is what I did to fix the issue; I hope this helps!
How to Fix Corrupt MDM Profiles
Note: If the end-user is working remotely, then they will need to be local admins on the Mac in order to disable SIP.
1) Disable SIP (System Integrity Protection)
a. Boot the problematic Mac into Recovery Mode (CMD+R) and open Terminal (Utilities -> Terminal).
b. Type: csrutil disable
c. Hit Enter, then restart the Mac normally.
2) Have the user connect to VPN (If they are remote)
3) SSH to the user’s Mac via Terminal from your own computer
a. Once connected to the user’s Mac, change directory as follows: cd /var/db/
b. Now delete the MDM configuration folder: sudo rm -rf /var/db/ConfigurationProfiles
c. Now type the following and hit Enter: sudo jamf removeMdmProfile
d. Close Terminal and restart/boot back into Recovery mode
i. Enable SIP by typing: csrutil enable
ii. Restart normally
4) Download and reinstall the OS that’s currently installed (or you can upgrade to Catalina if the user is still on an older OS version). Once done, proceed to final steps…
5) Run your Jamf Pro’s QuickAdd package and approve MDM profile (In System Preferences -> Profiles)
6) Change the FileVault Recovery Key (FVRK)
a. Reconnect to the user’s Mac over VPN and SSH back in from Terminal, then run: sudo fdesetup changerecovery -personal -user <username here>
b. Now type the end-user’s password and hit Enter. A new FVRK will be generated.
c. Now recon so that the FVRK can be escrowed into Jamf Pro: sudo jamf recon
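Once the steps above are done, it helps to confirm on the Mac that the remediation actually left it in a healthy state: SIP is enabled again (step 3d), the MDM profile is user-approved (step 5), and the profile store that step 3b deleted has been recreated by re-enrollment. The script below is an added example, not part of the original post or of Jamf's tooling. It assumes the output formats of Apple's `profiles status -type enrollment` and `csrutil status` commands; the sample outputs embedded in it are constructed so the parsing logic can be exercised on any machine, and the live commands are only run when they are present.

```bash
#!/bin/sh
# Post-remediation health check for a Jamf-managed Mac (added example).
# The check functions take command output as text so they can be tested
# offline with the constructed samples below.

# Constructed samples in the shape of `profiles status -type enrollment`.
SAMPLE_ENROLLMENT_OK='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.com/mdm/ServiceConfig'

SAMPLE_ENROLLMENT_BROKEN='Enrolled via DEP: No
MDM enrollment: No'

# Constructed samples in the shape of `csrutil status`.
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'

# mdm_state TEXT -> prints "approved", "enrolled" (not user-approved) or "none"
mdm_state() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) echo approved ;;
        *"MDM enrollment: Yes"*)                 echo enrolled ;;
        *)                                       echo none ;;
    esac
}

# sip_state TEXT -> prints "enabled", "disabled" or "unknown"
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# profile_store_present DIR -> 0 if the profile store directory exists.
# On macOS this is /var/db/ConfigurationProfiles (deleted in step 3b,
# recreated when the Mac re-enrolls).
profile_store_present() {
    [ -d "$1" ]
}

# verify_remediation ENROLLMENT_TEXT SIP_TEXT STORE_DIR -> 0 if healthy, 1 otherwise.
# Prints one line per failed check so the technician knows which step to revisit.
verify_remediation() {
    ok=0
    [ "$(mdm_state "$1")" = approved ] || {
        echo "MDM profile is not user-approved: re-run QuickAdd and approve the profile (step 5)"; ok=1; }
    [ "$(sip_state "$2")" = enabled ] || {
        echo "SIP is not enabled: boot to Recovery and run csrutil enable (step 3d)"; ok=1; }
    profile_store_present "$3" || {
        echo "Profile store $3 is missing: the Mac has not re-enrolled"; ok=1; }
    return $ok
}

# When run on a Mac, check the live system; elsewhere, demonstrate with the samples.
if command -v profiles >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    live_enrollment=$(profiles status -type enrollment 2>/dev/null)
    live_sip=$(csrutil status 2>/dev/null)
    if verify_remediation "$live_enrollment" "$live_sip" /var/db/ConfigurationProfiles; then
        echo "Mac is healthy: SIP on, MDM user-approved, profile store present"
    else
        echo "Remediation incomplete; see messages above"
    fi
else
    if verify_remediation "$SAMPLE_ENROLLMENT_OK" "$SAMPLE_SIP_OFF" /nonexistent-store; then
        echo "sample: healthy"
    else
        echo "sample: needs attention (expected for the constructed broken sample)"
    fi
fi
```

Run it over SSH on the user's Mac after step 6; it uses only read-only commands, so it is safe to run as the logged-in user (if `profiles status` prints nothing, run the script with `sudo`).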