I had a Mac that lost its connection with JAMF. I ran the following command on the machine, sudo Jamf enroll -prompt, and the machine started reporting into JAMF. The issue is that it will not push down any new Configuration Profiles and the "Management Commands" option is missing. I have tried to run the following commands to see if I could resolve any of these issues but nothing helped.
I also tried to do a manual enrollment but since the old "MDM Profile" is still on the machine it will not install a new one and I can't remove the old "MDM Profile" since it was enrolled with DEP.
Is the only option I have to wipe the device?
Best answer by junjishimazaki
I used this method to remove a non-removable MDM. This requires being hands-on with the machine, booting into Recovery Mode, and disabling SIP.
Boot the Mac to Recovery Mode. If the Mac is FileVault-enabled, then either have the user log in or have another user account that is able to bypass the login in Recovery Mode.
Open the Terminal application from the Utilities menu
In Terminal, run csrutil disable to disable System Integrity Protection
Restart the Mac into Recovery Mode again
Open Disk Utility, right click on Macintosh HD, and mount the disk. If the disk is FileVault-protected, you will need to select a FV-enabled account and unlock the disk with the password.
Open Terminal, and navigate to Volumes: cd /Volumes
Run ls to display the list of drives. By default it would be labeled Macintosh HD
Navigate into the drive with cd Macintosh\ HD
Navigate to the ConfigurationProfiles folder with cd var/db/ConfigurationProfiles
Run pwd to confirm that you are in the directory /Volumes/Macintosh HD/var/db/ConfigurationProfiles
Run rm -rf * to delete all files and folders in ConfigurationProfiles
Run mkdir Settings to re-create the required Settings folder
Run touch Settings/.profilesAreInstalled to re-create the required file
Run csrutil enable to re-enable System Integrity Protection
Reboot to the user’s desktop
Open Terminal and run sudo profiles renew -type enrollment
You can either run the above to enroll or do a user-initiated enrollment.
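A check to run after the steps above, added here as an example and not part of the original answer: it confirms that SIP is enabled again and classifies the enrollment state. It assumes the usual output formats of csrutil status and profiles status -type enrollment; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): post-procedure verification.
# The parsers take command output as text, so they can be exercised offline.

# Constructed sample outputs of `profiles status -type enrollment`.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/ServerURL'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'

# Succeeds only if `csrutil status` output reports SIP as fully enabled.
# A "disabled" or custom-configuration status fails the check.
sip_enabled() {
    printf '%s\n' "$1" | grep -q '^System Integrity Protection status: enabled\.'
}

# Classifies `profiles status -type enrollment` output.
# Prints one of: dep-approved, mdm-approved, mdm-unapproved, not-enrolled
enrollment_state() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        Yes*"User Approved"*)
            if [ "$dep" = "Yes" ]; then echo dep-approved; else echo mdm-approved; fi ;;
        Yes*) echo mdm-unapproved ;;
        *)    echo not-enrolled ;;
    esac
}

# On a Mac, check the live system; on other platforms this part is skipped.
if command -v csrutil >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    if sip_enabled "$(csrutil status)"; then
        echo "SIP: enabled"
    else
        echo "SIP: NOT enabled; boot to Recovery and run csrutil enable"
    fi
    echo "Enrollment: $(enrollment_state "$(profiles status -type enrollment 2>&1)")"
fi
```

A result other than dep-approved or mdm-approved means the enrollment did not complete with an approved MDM profile.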