Jamf Nation Community

We've had to do the same thing in our environment, and I found the uninstall has to be formatted like:

profiles -R -p com.apple.mdm.server.corp.company.com.123af456-78e9-112-123a-123a456789.alacarte

...and like @nessts said, you'll need to get that whole identifier string from the

```
profiles -P
``` command. If you have a password required to uninstall the profile, that'll still be necessary from the command line, like it would through the gui. Hope that helps!

Is there a way to remove user level MDMs from multiple users (Like SCEP or AD Certs)?

From what I have found out, apparently not. I am looking for the same thing myself. An woeful omittance on behalf of Apple i think.

Has anyone read about changes in 10.10 that might make this more versatile? Just curious. No NDA breakage, just wondering if anyone has read anything about it?

This is what I wrote to remove a MDM based on the name. Profile name being the fourth variable passed.

#!/bin/bash

## Get UUID of requested MDM Profile
MDMUUID=`profiles -Lv | grep "name: $4" -4 | awk -F": " '/attribute: profileIdentifier/{print $NF}'`

## Remove said profile, identified by UUID
if [[ $MDMUUID ]]; then
    profiles -R -p $MDMUUID
else
    echo "No Profile Found"
fi

sleep 5

Just because I needed it today...
I have created a script to look for a profile name starting with MDM (which seems to be what our evnironment has), it then removes it and runs jamf manage to get it back again.
I have set this in Self Service as a way for people who for whatever reason weren't getting updated policies.
It's not particularly elegant and would probably remove the first profile starting with MDM, so if you have other policies so named it's probably not for you...

#!/bin/bash
echo

MDM_UUID=$(profiles -Lv | awk '/attribute: name: MDM/,/attribute: profileUUID:/' | awk '/attribute: profileUUID:/ {print $NF}')
echo $MDM_UUID
if [ -z "$MDM_UUID" ]
then
echo "-MDM profile NOT found. Attempting to manage-"
jamf manage
else
echo "-MDM profile found. Removing MDM before attempting to manage-"
profiles -R -p "$MDM_UUID"
sleep 5
jamf manage
fi

echo
exit 0

Even as a root/admin user the profiles cannot be removed. Any suggestions?

_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-3A414D460003
>>profiles -v -R -p 00000000-0000-0000-A000-3A414D460004
profiles: verbose mode ON
profiles uninstall for identifier:'00000000-0000-0000-A000-3A414D460004' and user:'root' returned -205 (Unable to locate configuration profile.)
profiles: returned error: -205

@Jand99 I'm having the same issue. Running into error -205. Did you find a solution??

Thanks,
R

Solution is simple if you have admin rights.
Assuming that "sudo jamf removeFramework" did not work you can try this:
Start terminal and type:
sudo -i
cd /var/db/
mv ConfigurationProfiles ConfigurationProfilesOLD

then reboot. A new empty ConfigurationProfiles folder will be created automatically.

NOTE: If you need to keep some special configuration profiles in that folder it may be better to only delete the file in /var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist file.

Well i actually have a config profile that is for wi-fi access. We manually packaged it and installed via script. However, i can't remove it. I keep getting the -205 error. I'm running the simple command

#!/bin/sh

profiles -R -p UUID (of the file in question)

passcode protected?

Related question: When a configuration profile has been removed from a JAMF Managed Mac manaully (command or script), will the profile get reinstalled automatically via MDM at some point (assuming the target Mac is still scoped for that particular profile etc)?

@dstranathan will until out of scope

@Jand99 You're a genius, that was the answer I was looking for. I ran your commands after doing -removeFramework and then re-enrolled with a QuickAdd and WIN!

Thanks a bunch.

+1 for @Bauer from way-back-when, had a manually- (not JAMF-) distributed config profile which just wouldn't go away. Syntax is everything!

Just to clear up a question I had when reading this post all this time later. For those using secured, manually installed profiles. Removal of such a profile using a command:

sudo profiles -R -F /tmp/profilename.mobileconfig

requires the profilename.mobileconfig to be loaded into /tmp/ again. For most of you, this is totally obvious as the command calls for it. This means if your original install policy copied the "profilename.mobileconfig" to the /tmp/ directory to install it, you will need to again copy the "profilename.mobileconfig" to the /tmp/ directory before you can uninstall it.

Just to help future newbies!

Hey everyone,

I need to remove a specific Configuration Profile that was installed via the server on my 10.11.6 machines. I need to remove it via command line in a script for a very particular purpose. Since the Config Profile was installed via the JSS, the simple [ /usr/bin/profiles -R -F] will not work. Does anyone know how to remove a server installed Config Profile via terminal?

Thanks!

@cdenoia Have you tried using sudo profiles -R -p UUID as shown in some of the posts above? The UUID is the identifier string that you can get by running sudo profiles -P in Terminal.

Hey @mm2270 ,

Yes, I attempted to issue command: /usr/bin/profiles -R -p <UUID>
Error = "return 101 (profile is not removable)"

Any other ideas??

Try adding -U "creatorofprofile" at the end of the command

sudo profiles -R -p UUID -U magicname

That worked for me.

What do you mean by creator of profile?

Sorry for delay, If a profile was installed under a particular username when you run profile -P you should see the username at the start of the string, if you take that username and add it to the end of your command it should remove the profile so if the username was ted your command would look like this

sudo profiles -R -p UUID -U ted

Just to confirm, @alexmcclements command works.

To put it in a script, you just need to grab the logged in user's username from /dev/console for ex.

user=stat -f "%Su" /dev/console
profiles -R -p "UUID HERE" -U $user

Remove All Profiles
sudo /usr/bin/profiles -D

Remove a Single Profile
sudo /usr/bin/profiles -R -p com.eugene.

Remove All Profiles
sudo /usr/bin/profiles -D

Remove a Single Profile
sudo /usr/bin/profiles -R -p com.eugene.

Hi guy, just new and need this help, I got a Mac that is not showing any profile, how ever if I format it I get the corporate login page if connected to internet, if I disable the connection then I can go ahead and go through the activation, I've contacted the supplier but they haven't tested and now is out of the 3 months warranty they offered :(
stunning Mojave if that help, I can use it but I would like to have it as a normal MacBook..
any help much appreciated
thanks in advance!!

HI Fredor Are you perhaps describing login profiles ? (User Profiles) ?

This doesn't sound like a config profile, It sounds like your getting a DEP enrolment screen.

This can only be removed by the company shown in the screen - go back to the vendor you purchased this from, as without this being removed before sales the laptop is just a aluminium brick

sudo /usr/bin/profiles -D -f
To delete all profiles on the Mac without getting a prompt of "are you sure?" (forced)

Regarding Configuration Profiles was installed by Jamf Pro (not what the original poster was asking, but was asked elsewhere in this thread), it'll be enforced.

Meaning you can't remove it without it re-installing again. The only way to remove would be to exclude the computer(s).

Adding to what @donmontalvo mentioned above, you can send the command to remove the MDM profile. That'll also remove other profiles deployed and controlled by the MDM.

@waqas.khan - that's one of those I forget to use! Thanks for the reminder...

To easily remove ALL profiles from a managed mac, do the following:
1. Turn of system integrity.
Shut down the computer.
Boot up the computer while holding (command + R)
Press ‘utilities’.
Type (csrutil disable)
Restart
2. Give terminal root file access.
Open ‘Privacy and Security’ in ‘System Preferences’.
Press ‘Privacy’
Press ‘Complete Disk Access’
Unlock with the lock button at the bottom left
Add terminal.
3. Terminal Commands
Type: ‘sudo jamf -removeFramework’ into terminal, press enter.
Type: ‘sudo -i’ into terminal, press enter and enter your password, press enter.
Type: ‘cd /var/db/‘ into terminal, press enter.
Type: ‘mv ConfigurationProfiles ConfigurationProfilesOLD’ into terminal, press enter.
Type: ‘logout’ into terminal, press enter.
4. Final steps.
Restart computer.

@bbot your script worked great when I used it locally, but trying to run it as a script from jamf pro it complained about -U needing an option to be passed to it. I tried user= and also just using $USER but I had no luck with either. If I hard-coded their username then it worked as long as they were logged in. Otherwise I got an error that the user wasn't logged in. Has anybody figured out a way to use this with a variable? maybe a specific uid?

You can remove an individual OS X configuration profile using the profiles command line utility. Here are the steps to remove a configuration profile from the command line:

1. Open Terminal.

2. Type the following command to list the installed configuration profiles:

    

   profiles -P

3. Identify the profile you want to remove by its name or identifier.

4. Type the following command to remove the profile, replacing "PROFILE_IDENTIFIER" with the actual profile identifier:

    

   profiles -R -p PROFILE_IDENTIFIER

5. The profile should now be removed from the device.

Note: The profiles utility is a built-in command line tool in OS X and is used to manage configuration profiles on a Mac. The above steps are meant to be performed on a device that is managed by Jamf.