MDM connection lost with non-removable MDM profile



Every now and then I come across a Mac which has stopped communicating with the Jamf server and Apple's MDM.

As our MDM profile is non-removable, my question is how to uninstall it. Sending the MDM-removal command obviously will not work, nor will jamf removeMDMProfile.

Any ideas?


Contributor III

I assume it's not stolen and still in possession of an employee, just remote so you don't have hands-on access to it?

Can you still get command-line access to the device (SSH or via Jamf Binary/Self Service)? If so, you could use the profiles command to try to refresh the MDM profile on the device:

sudo profiles renew -type enrollment

Hi Gary,

thanks for your reply.

It is a MacBook Pro which one of our employees uses. I did an AnyDesk session with that employee earlier today and had access to the Terminal.
The Mac seems pretty messed up: the Jamf Framework does not work any more and "jamf recon" quits with a 404 error. The MDM commands sent via Jamf Pro do not work either, and the device has not checked in or updated inventory since August 18th.

I tried a


sudo profiles renew -type enrollment


but that did nothing. Also "jamf manage" or "jamf mdm" did not help and "jamf removeMDMProfile" does not work as the profile is non-removable.

The only way out of this seems to be a reinstallation of macOS, but that cannot be the solution, right?


By the way, of course I ran all commands with "sudo". 😉

Esteemed Contributor

@j_meister A nuke & re-pave might be extreme, but if it gets the user back up and running (they do have their files backed up, right?) then it's a trivial process to follow either with Monterey's Erase All Contents and Settings, or with @grahamrpugh's erase-install script for Catalina or Big Sur.

New Contributor III

I have also seen this on a few of our Macs lately and do not have a solution. I have tried all the "jamf" terminal commands, but nothing works. Ours are actually running jamf policy and recon; profiles just can't be removed or added.

Valued Contributor

This is the guide I used to remove a non-removable MDM profile and re-enroll.

Basically you have to boot the Mac to recovery mode, open Terminal and follow the guide.

But I took a much simpler and somewhat automated approach. I created a bash script that ran all these commands, made the script executable, changed the extension from .sh to .command and packaged it. Then, on the Mac, boot to recovery mode, go to Terminal, disable SIP (csrutil disable), reboot the Mac, and run the script (this requires a reboot for it to complete the MDM removal and to re-enable SIP). That should remove the MDM profile and all config profiles. Then I would run sudo jamf removeframework in Terminal to remove the Jamf binary. Then I would run sudo profiles renew -type enrollment.

Valued Contributor

We recently had a case like this. Try to add a new admin account and see whether that can remove the framework and enroll again.

New Contributor

Did anyone ever figure out a solution to this that avoids wiping the computer?

Unfortunately not. Very unsatisfying.

Valued Contributor

Has anybody read my response to this above about using this guide to remove the MDM?

New Contributor

I did see that. I was hoping for a bit more of an elegant solution. We have 8 campuses so it's hard to be hands on with every device that has this issue. Need something a little simpler for my technicians to execute. Too risky to have them screwing around in terminal in safe mode with a client computer. Too likely to lead to data loss.

Valued Contributor

Unfortunately, this is the only way. But the only thing you really need to do is disable SIP. You can create a bash script with those commands in the guide, and make it executable. Then you can log in as the user or anybody that is admin on the computer and run the bash script. Then reboot to complete the removal. That's how I did it. I

New Contributor

That's a good point. You wouldn't happen to have your script handy would you? I would appreciate the time save. No worries if not. I can give it a try later.

Valued Contributor

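#!/bin/bash

# ensure running as root
if [ "$(id -u)" != "0" ]; then
    exec sudo "$0" "$@"
fi

echo "Removing Jamf MDM Profile"
# stop if the directory is missing, so rm -rf never runs in the wrong place
cd /var/db/ConfigurationProfiles || exit 1
# delete all installed configuration profiles, including the MDM profile
sudo rm -rf *
# recreate the Settings directory and the .profilesAreInstalled marker file
sudo mkdir Settings
sudo touch Settings/.profilesAreInstalled
# reset the SIP configuration; per the thread, SIP is re-enabled after the reboot
sudo csrutil clear

exit 0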