We deploy different mail configurations via Self Service which works fine. But in some cases the user wants to remove a profile again. I know that all MDM delivered accounts are listed under Settings -> General -> Profiles -> MDM Profile -> Accounts. But there is no option to remove the profile.
In Jamf i enabled the removal of the profile.
Also i didn't found any option in jamf to remove specific profiles. Is this also not possible?
Thank you all!
Maybe this thread can help?
Or did you already do this when you stated "In Jamf i enabled the removal of the profile."? If so, I'm wondering exactly what the question or request is here?
Maybe what used to work doesn't work anymore then. I'm pretty sure I tried this out, and it even worked with a profile that was pushed silently. After changing the profile option to install over Self Service and checking that option for removal, it showed up in Self Service with an uninstall or remove button.
But.... I just noticed something! In your screenshot above, the option I see in it is labeled "Security Controls when the profile can be removed". What version of Jamf Pro are you using? Because on my 10.18.0 instance, the option looks different. See what I mean below
In mine it says "Allow removal - Allow users to remove the profile using Self Service"
So there's some difference between what you're seeing and what I'm seeing that I don't quite understand.
I have 'your' look only within macOS profiles. With iOS profiles i only have the options displayed in 'mine' screenshot...
I am really confused. Since there is an option to make it removeable, but there is no way to remove it...
Would this process work to unsign, update the removal key/value pair, and then resign the profile with the JSS CA?
Really strange, that they still didn't implant this feature. Seems like such a no-brainer...
Some time ago the support team told me the following:
That is correct, there is no option for removing a profile on an iOS device in Self Service. I have raised this with the Support Team, they are taking it into consideration for a feature request. There is no workaround at the moment I'm afraid, besides moving the device out of scope, which you already mentioned.
My response from support:
It does look like this is a current Product Issue, and I have tied this case to that Product Issue. This is PI-008020. The current workaround for this on enrolled machines is to change distribution method to 'Make Available in Self Service' and select 'Yes' for 'Allow Removal - Allow users to remove the profile using Self Service'. This would then need to go to Self Service to allow this to be removed. Our development team is aware of this Product Issue and a fix should be available in a future version of Jamf Pro.
You could add the device/s to the exclusions section under 'scope' for the configuration profile. Then the configuration profile will disappear from the users device the next time the device checks in with the Jamf Pro server.
Be careful to always unscope a configuration profile first, before you delete it from Jamf Pro. And give time for machines to check-in and remove it, before you delete it. if you do not, your devices can get into a race condition with the server. They recieve the removal/deletion command the next time they check-in but the configuration profile has already been deleted from jamf pro. This results in a repeated failed MDM command (to infinity) on any affected clients - the configuration profile does not exist. MDM Error:89
Only deleting the config file record from the backend database can clear the failed MDM commands from repeating on all your affected clients.
I found this out the hard way. Now I'm careful to unscope config files first on the server before deletion.
Yes that will work too. Remove all users/computers from the TARGETS section of Scope. Make sure 'target computers' and 'target users' drop down menus are set to 'Specific Computers' and 'Specific Users'. Then delete any targets so the bottom list says 'None'. Save your changes and all devices will start removing the configuration profile the next time they check in with jamf Pro.
I previosuly assumed you only wanted to remove it from one or more devices by excluding said devices or users from the scope. You can ofcourse remove all devices and users if you so wish in the target section.