MDM connection lost with non-removable MDM profile

j_meister
Contributor II

Hi,

every now and then I come across a Mac which stopped communicating with the Jamf server and Apple's MDM.

As our MDM profile is non-removable, my question is how to uninstall it. Sending the MDM removal command obviously will not work, nor does jamf removeMDMProfile.

Any ideas?


garybidwell
Contributor III

I assume it's not stolen and still in the possession of an employee, just remote, so you don't have hands on it?

If you can still get command-line access to the device (SSH or via the Jamf binary/Self Service), you could use the profiles command to try to refresh the MDM profile on the device:

sudo profiles renew -type enrollment

Hi Gary,

thanks for your reply.

It is a MacBook Pro which one of our employees uses. I did an AnyDesk session with that employee earlier today and had access to the Terminal.
The Mac seems pretty messed up: the Jamf framework does not work any more and "jamf recon" quits with a 404 error. The MDM commands sent via Jamf Pro do not work either, and the device has not checked in or updated inventory since August 18th.

I tried a

sudo profiles renew -type enrollment

but that did nothing. Also "jamf manage" or "jamf mdm" did not help, and "jamf removeMDMProfile" does not work as the profile is non-removable.

The only way out of this seems a reinstallation of macOS but that cannot be the solution, right?


By the way, of course I ran all commands with "sudo". 😉

sdagley
Esteemed Contributor II

@j_meister  A nuke & re-pave might be extreme, but if it gets the user back up and running (they do have their files backed up right?) then it's a trivial process to follow either with Monterey's Erase All Contents and Settings, or with @grahamrpugh's erase-install script for Catalina or Big Sur.

dlbrabb
New Contributor III

I have also seen this on a few of our Macs lately and do not have a solution. I have tried all the "jamf" terminal commands, but nothing works. Ours are actually running jamf policy and recon; profiles just can't be removed or added.

junjishimazaki
Valued Contributor

This is the guide I used to remove a non-removable MDM profile and re-enroll.

http://www.whoopis.com/core/mac-related/removing-a-non-removable.html

Basically you have to boot the Mac to recovery mode, open Terminal and follow the guide.

But I did a much simpler and somewhat automated approach. I created a bash script that ran all these commands, made the script executable, changed the extension from .sh to .command and packaged it. Then boot the Mac to recovery mode, go to Terminal, disable SIP (csrutil disable), reboot the Mac, and run the script (this requires a reboot for it to complete the MDM removal and to re-enable SIP). That should remove the MDM profile and all config profiles. Then I would run sudo jamf removeFramework in Terminal to remove the Jamf binary. Then I would run sudo profiles renew -type enrollment.

mschroder
Valued Contributor

We recently had a case like this. Try to add a new admin account and see whether that can remove the framework and enroll again.

njablonskinvcc
New Contributor

Did anyone ever figure out a solution to this that avoids wiping the computer?

Unfortunately not. Very unsatisfying.

junjishimazaki
Valued Contributor

Has anybody read my response to this above about using this guide http://www.whoopis.com/core/mac-related/removing-a-non-removable.html to remove the MDM?

njablonskinvcc
New Contributor

I did see that. I was hoping for a bit more of an elegant solution. We have 8 campuses so it's hard to be hands-on with every device that has this issue. Need something a little simpler for my technicians to execute. Too risky to have them screwing around in Terminal in safe mode with a client computer. Too likely to lead to data loss.

junjishimazaki
Valued Contributor

Unfortunately, this is the only way. But the only thing you really need to do is disable SIP. You can create a bash script with those commands in the guide, and make it executable. Then you can log in as the user or anybody that is admin on the computer and run the bash script. Then reboot to complete the removal. That's how I did it. I

njablonskinvcc
New Contributor

That's a good point. You wouldn't happen to have your script handy would you? I would appreciate the time save. No worries if not. I can give it a try later.

junjishimazaki
Valued Contributor

#!/bin/sh
# ensure running as root (re-exec under sudo if not)
if [ "$(id -u)" != "0" ]; then
    exec sudo "$0" "$@"
fi

echo "Removing Jamf MDM Profile"
# abort if the profile store is missing, so "rm -rf" never runs in some other directory
cd /var/db/ConfigurationProfiles || exit 1
# already root here, so no sudo needed on the remaining commands
rm -rf ./*
mkdir Settings
touch Settings/.profilesAreInstalled
# reset SIP configuration back to its default; takes effect after the reboot
csrutil clear

exit 0
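Before running a removal script like the one above, a technician wants to know which of the routes discussed in this thread actually applies (simply re-enrolling, trying the non-destructive renew/removeMdmProfile commands first, booting to recovery to disable SIP, or running the removal). The following triage helper is an added example, not the script posted above or anything from the guide; it assumes the output formats of `profiles status -type enrollment` and `csrutil status` shown in its constructed samples and should be checked against a real Mac.

```shell
#!/bin/sh
# Added triage helper: decide which route from the thread applies before
# anything destructive is run. Functions take command output as text so
# they can be exercised with the constructed samples below.

# Constructed samples in the (assumed) format of `profiles status -type
# enrollment` and `csrutil status`.
SAMPLE_ENROLLED="$(printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n')"
SAMPLE_NOT_ENROLLED="$(printf 'Enrolled via DEP: Yes\nMDM enrollment: No\n')"
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'

# MDM profile state from `profiles status` output: present | absent | unknown
mdm_profile_state() {
    case "$1" in
        *"MDM enrollment: Yes"*) echo present ;;
        *"MDM enrollment: No"*)  echo absent ;;
        *)                       echo unknown ;;
    esac
}

# SIP state from `csrutil status` output: enabled | disabled | unknown
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# next_step ENROLL_OUT SIP_OUT RENEW_TRIED
# RENEW_TRIED=1 means `profiles renew -type enrollment` (and the
# removeMdmProfile route) were already tried and the Mac still does not
# check in, which is the original poster's situation.
# Prints: renew-enrollment | try-renew-first | disable-sip-in-recovery |
#         run-manual-removal | abort-unknown
next_step() {
    mdm="$(mdm_profile_state "$1")"; sip="$(sip_state "$2")"; tried="$3"
    case "$mdm:$sip:$tried" in
        absent:*:*)         echo renew-enrollment ;;        # nothing to strip, just re-enroll
        present:*:0)        echo try-renew-first ;;         # cheap, non-destructive route first
        present:enabled:1)  echo disable-sip-in-recovery ;; # the removal needs SIP off
        present:disabled:1) echo run-manual-removal ;;      # only now run the removal script
        *)                  echo abort-unknown ;;           # never guess on unparsed output
    esac
}

# Live use on a Mac (uncomment):
# next_step "$(profiles status -type enrollment 2>&1)" "$(csrutil status 2>&1)" 1
```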

A-bomb
Contributor

I can't believe it. I finally got something to work for broken MDM on a Mac which was initially set up with DEP and whose profile was not removable! I fully understand that step 1 may not be possible in all situations, but we didn't have to do a return to service and fully wipe the Mac to get MDM working again.

  1. Log in as the local admin account that initially enrolled at first boot (jamfadmin in our case).
  2. Run these commands:
    • jamf removeMdmProfile -verbose
    • jamf removeMdmProfile -verbose (yes, run again)
    • sudo profiles renew -type enrollment