Posted on 03-13-2019 11:24 PM
I did run a jamf removeframework, but afterwards the config profiles are still there and are not removable, even tried a restart.
I tried to disable SIP and remove var/db/configurationprofiles, but then it seems that when re-enrolling, the "profiles" icon in System Preferences is still gone, so new profiles cannot be loaded.
So what is the best way of doing this, when the config profiles are stuck?
Posted on 03-14-2019 01:58 AM
Did you try this on macOS, not in recovery mode:
sudo rm -rf /var/db/ConfigurationProfiles/Store/
If you see profiles, then try to re-enroll the Mac with the URL. That should resolve the issue.
Posted on 03-14-2019 04:10 AM
Usually when this happens, re-enrolling immediately and running removeFramework once again will successfully remove all profiles.
I'm not sure what restore options you have now that SIP has been disabled and the database removed.
Posted on 03-14-2019 04:16 AM
What are you trying to do with this device?
Simply re-enrollment due to issues? Or something else?
Posted on 03-14-2019 10:27 AM
... this is why I still script the removal of all profiles prior to running the removeFramework command.
Posted on 03-14-2019 10:39 AM
This won't necessarily help you for your current situation, but in the future, you can run this command just prior to using the removeFramework flag, and it should remove the main MDM profile, and all other profiles that are tied to it should vanish from the machine as well. This will not apply to any manually installed Config Profiles, if there were any, but those wouldn't be hard to remove later in Terminal using the profiles command.
sudo jamf removeMdmProfile
I feel as though using the removeFramework command should do this, even though I understand that it doesn't do that today. Since the Jamf MDM profile is really part of the whole Jamf framework, Jamf should make that command also remove the MDM profile and any associated ones when it is run. I suspect it doesn't do this as kind of an oversight, since the removeFramework command has been around a long time, longer than Macs have had MDM available on them. Jamf probably just never updated it to also take care of the profiles.
Posted on 03-15-2019 06:56 AM
@mm2270 hit the nail on the head with this one. If you intend to unenroll, you need to run not only removeFramework, but also removeMdmProfile. This resolves almost all issues with devices that have broken enrollments, or failing enrollments due to previous partial removals in our environment.
Important note: neither of these commands works on DEP-enrolled devices if you have made the MDM profile non-removable in your pre-stage. For those, you must either remove them from your pre-stage scope or unassign/disown the device in DEP before going through an erase and install.
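A guarded unenroll sequence built from the advice in this thread (removeMdmProfile first, removeFramework only once the MDM profile is confirmed gone), added here as an example; it was not posted by any participant and is not Jamf's code. It assumes the output format of profiles status -type enrollment shown in the constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Jamf's code. Assumes `profiles status -type enrollment`
# (macOS 10.13.4+) and the jamf binary path quoted in the thread.
JAMF=/usr/local/bin/jamf

# Constructed sample of the status output for a DEP-enrolled Mac.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Classify status output read from stdin: not-enrolled | mdm | dep
enrollment_state() {
    dep=No; mdm=No
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"Enrolled via DEP: Yes"*) dep=Yes ;;
            *"MDM enrollment: Yes"*)   mdm=Yes ;;
        esac
    done
    if [ "$mdm" != Yes ]; then echo not-enrolled
    elif [ "$dep" = Yes ]; then echo dep
    else echo mdm
    fi
}

# Given the state seen after removeMdmProfile, decide whether removing the
# framework is safe. Removing it while still enrolled leaves stuck profiles.
next_step() {
    case $1 in
        not-enrolled) echo remove-framework ;;
        dep) echo stop-fix-prestage-or-dep-assignment ;;
        *)   echo stop-mdm-profile-still-installed ;;
    esac
}

unenroll() {
    state=$(profiles status -type enrollment | enrollment_state)
    if [ "$state" != not-enrolled ]; then
        "$JAMF" removeMdmProfile
        state=$(profiles status -type enrollment | enrollment_state)
    fi
    step=$(next_step "$state")
    if [ "$step" = remove-framework ]; then
        "$JAMF" removeFramework
    else
        echo "Not running removeFramework: $step" >&2
        return 1
    fi
}

# Run only when asked, as root: sh unenroll.sh --run
if [ "${1:-}" = "--run" ]; then unenroll; fi
```

Because the jamf binary is left in place whenever the MDM profile survives, the Mac can still be fixed from the server side (pre-stage scope or DEP assignment) and the script run again.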
Posted on 03-15-2019 07:41 AM
Is it a DEP Mac?
I've seen several instances where the profiles aren't removed when running sudo /usr/local/bin/jamf removeFramework on DEP Macs.
Only way was to either delete it via "Recovery" and sudo rm -rf /var/db/ConfigurationProfiles/Store/ or preferably rebuild it.