Overwriting config profile that isn't removable

GabeShack
Valued Contributor III

We have an interesting situation.

Last year we discovered an issue where about 630 of our devices never renewed their MDM profile, and they are now unable to get any management commands or profile updates. We have a decent solution that takes about 5 min per device to turn off csrutil, then remove the profiles and re-enroll; however, we have also found that one of the profiles is causing issues for testing that is currently going on. The profile in question adjusts the "Parental Controls" to try to block adult websites with its content blocker. We turned this one on back in 2020, and it originally allowed parents of students to use the Screen Time function. This appears to no longer be necessary, since you don't now need this feature on to turn on Screen Time, but now that the MDM is expired we cannot remove or adjust this setting without many steps.


I'm hoping someone in the community can tell me a way to write the plist or a defaults command that can supersede the non-removable profile settings, so we can turn this feature off and get our testing back on track without having to totally re-enroll the machine (after 3 restarts).

Gabe Shackney
Princeton Public Schools


mm2270
Legendary Contributor III

Hey @GabeShack I think I'm a little confused. When you do csrutil disable and remove all the profiles from the Mac, doesn't this "Parental Controls" profile also get removed from the device? If you're doing what I think you're doing, you're wiping out the profiles database, which should bring the Mac back to a clean state where you can re-enroll it. Is that not the case? Or are you doing something different than what I'm thinking?

Edit: Or, are you saying you want to avoid re-enrolling the Mac, meaning not wiping out the profiles, but just overriding that one profile setting? If so, I don't know if even a defaults write  or other command would work. The way most profiles work when installed, especially when installed as System profiles, is they take over that setting and there usually isn't a way to override them even with sudo level Terminal commands. But I may still not be fully understanding your situation.

GabeShack
Valued Contributor III

@mm2270 Thanks for the response, and yes to the 2nd paragraph. I can do a 5 min csrutil re-enroll that removes the problem profile, but I was looking for an alternative that I could push out before testing to these MDM-expired machines, just to get the issue overridden until we had more time to touch each one with the full removal and re-enrollment.

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

All of my testing with a manually installed profile, editing the plist settings, defaults command...came up empty which I also understand because if you could overwrite the profiles from jamf, it would certainly be a security issue.

Gabe Shackney
Princeton Public Schools

mm2270
Legendary Contributor III

Right, I would be surprised if it was that easy to override a Config Profile controlled setting. So I don't think it's going to be possible to do what you're trying to do there, unfortunately.

AJPinto
Honored Contributor II

Disabling SIP does allow you to mess with protected Configuration Profiles. However, if you let your MDM profile lapse you really need to reprovision the Mac. Manually messing with Managed Configuration Profiles can and will break a lot of things.

GabeShack
Valued Contributor III

The part about this that stinks is the MDM profile is supposed to auto-renew before it expires; however, something caused about 630 of ours to not renew. We had these set up for us by a 3rd party, though, that we believe may have screwed up the initial enrollment. @AJPinto Also, removing the full swath of profiles and doing a re-enroll command is perfectly fine, since they were all managed and still getting policy but just missing the management commands; it just then pushes all the outstanding management commands before the re-enrollment, and then it's back to fully MDM controlled. No issues that we are finding with this process; I was just looking for a faster way to do it without having to do the full csrutil command and rebooting multiple times.

Gabe Shackney
Princeton Public Schools

AJPinto
Honored Contributor II

With non-automated enrollments (i.e. invite code or web portal) you don't get full management over macOS. Things like pushing macOS updates won't work, as Apple views these methods as BYOD enrollment and does not allow the admin to manage many functions. If everything you need is working, then problem solved :).


I agree the entire MDM function is a glass cannon. If anything goes wrong you are screwed, and it is very fragile and documented very poorly. Maybe renewing the MDM profile with the profiles command may have helped, as that triggers the enrollment process to happen again.

sudo profiles renew -type enrollment


GabeShack
Valued Contributor III

That is the re-enrollment command that we used, yes.

Gabe Shackney
Princeton Public Schools
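The following is an added example, not code from the thread, from Jamf or from Apple. It wraps the `sudo profiles renew -type enrollment` step AJPinto suggests with the two pre-flight checks a practitioner would want before pushing that command to hundreds of Macs: confirm the device still reports an MDM enrollment (otherwise there is nothing to renew and the Mac needs a fresh enrollment), and confirm SIP is back on, since the manual workaround in the thread involves `csrutil disable`. The function names (`classify_enrollment`, `sip_enabled`, `plan_action`) are hypothetical, and the sample outputs are constructed to match the shapes `profiles status -type enrollment` and `csrutil status` print; the real commands are only invoked when the script runs as root on macOS, so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, Jamf or Apple): pre-flight checks before
# `sudo profiles renew -type enrollment`. The parsing functions take the
# command output as a string so they can be exercised off-device.

# Classify the text of `profiles status -type enrollment`.
# Prints "dep+mdm", "mdm", or "none".
classify_enrollment() {
    status="$1"
    dep=no
    mdm=no
    case "$status" in *"Enrolled via DEP: Yes"*) dep=yes ;; esac
    case "$status" in *"MDM enrollment: Yes"*) mdm=yes ;; esac
    if [ "$mdm" = yes ] && [ "$dep" = yes ]; then
        echo "dep+mdm"
    elif [ "$mdm" = yes ]; then
        echo "mdm"
    else
        echo "none"
    fi
}

# Return 0 when the text of `csrutil status` reports SIP enabled.
sip_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the action to take rather than taking it, so a fleet-wide run can be
# reviewed first. Arguments: enrollment-status text, csrutil-status text.
plan_action() {
    kind=$(classify_enrollment "$1")
    if [ "$kind" = none ]; then
        action="not-enrolled: enroll the Mac in MDM; profiles renew has nothing to renew"
    else
        action="renew ($kind): sudo profiles renew -type enrollment"
    fi
    if ! sip_enabled "$2"; then
        # csrutil enable has to be run from Recovery; flag it instead of hiding it.
        action="$action; WARNING SIP is disabled, re-enable it from Recovery"
    fi
    echo "$action"
}

# Constructed sample outputs in the shape the two commands print.
SAMPLE_ENROLLED="Enrolled via DEP: No
MDM enrollment: Yes (User Approved)"
SAMPLE_DEP="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
SAMPLE_NOT_ENROLLED="Enrolled via DEP: No
MDM enrollment: No"
SAMPLE_SIP_ON="System Integrity Protection status: enabled."
SAMPLE_SIP_OFF="System Integrity Protection status: disabled."

if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
    # On a Mac, as root: evaluate the real device.
    plan_action "$(profiles status -type enrollment)" "$(csrutil status)"
else
    # Anywhere else: demonstrate on the constructed samples.
    plan_action "$SAMPLE_ENROLLED" "$SAMPLE_SIP_ON"
    plan_action "$SAMPLE_DEP" "$SAMPLE_SIP_ON"
    plan_action "$SAMPLE_NOT_ENROLLED" "$SAMPLE_SIP_ON"
    plan_action "$SAMPLE_ENROLLED" "$SAMPLE_SIP_OFF"
fi
```

Run it as a Jamf policy script (it already executes as root) and collect the printed line per device; only the machines that print "renew" should get the follow-up policy that actually runs `profiles renew`, and any line carrying the SIP warning identifies a Mac that went through the manual csrutil workaround and was not put back into its protected state.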