Remove Individual OS X Configuration Profile via Command Line

benjamin_michae
New Contributor III

Hoping to get some assistance from the knowledge of the JAMF Nation. I am struggling to remove an individual configuration profile, that was installed manually, via the command line. Testing on Mavericks 10.9.1 currently. Used the profiles man page and this: https://developer.apple.com/library/mac/documentation/darwin/Reference/ManPages/man1/profiles.1.html

Commands I've tried:

sudo profiles -R -F /tmp/profilename.mobileconfig
sudo profiles -R -p profileidentifier
sudo profiles -R -p profileidentifier -U username

No dice so far. Use case is that a profile is installed manually and it needs to be removed without removing all profiles. Any thoughts out there?

Thanks!
Ben

39 REPLIES

nessts
Valued Contributor II

I use the profiles -R -p profileidentifier all the time.
Use profiles -P to get the identifier beforehand; maybe you are using the wrong identifier.

Bauer
New Contributor

We've had to do the same thing in our environment, and I found the uninstall has to be formatted like:

profiles -R -p com.apple.mdm.server.corp.company.com.123af456-78e9-112-123a-123a456789.alacarte

...and like @nessts said, you'll need to get that whole identifier string from the `profiles -P` command. If you have a password required to uninstall the profile, that'll still be necessary from the command line, like it would through the GUI. Hope that helps!

Sonic84
Contributor III

Is there a way to remove user level MDMs from multiple users (Like SCEP or AD Certs)?

relliott
New Contributor

From what I have found out, apparently not. I am looking for the same thing myself. A woeful omission on behalf of Apple, I think.

scottb
Honored Contributor

Has anyone read about changes in 10.10 that might make this more versatile? Just curious. No NDA breakage, just wondering if anyone has read anything about it?

ctangora
Contributor III

This is what I wrote to remove a MDM based on the name. Profile name being the fourth variable passed.

```
#!/bin/bash

## Get UUID of requested MDM Profile ($4 is the profile name passed to the script)
MDMUUID=$(profiles -Lv | grep "name: $4" -4 | awk -F": " '/attribute: profileIdentifier/{print $NF}')

## Remove said profile, identified by UUID
if [[ $MDMUUID ]]; then
    profiles -R -p "$MDMUUID"
else
    echo "No Profile Found"
fi

sleep 5
```

Look
Valued Contributor III

Just because I needed it today...
I have created a script to look for a profile name starting with MDM (which seems to be what our environment has), it then removes it and runs jamf manage to get it back again.
I have set this in Self Service as a way for people who for whatever reason weren't getting updated policies.
It's not particularly elegant and would probably remove the first profile starting with MDM, so if you have other policies so named it's probably not for you...

```
#!/bin/bash
echo

# Take the profileUUID of the first profile whose name starts with "MDM"
MDM_UUID=$(profiles -Lv | awk '/attribute: name: MDM/,/attribute: profileUUID:/' | awk '/attribute: profileUUID:/ {print $NF}')
echo "$MDM_UUID"
if [ -z "$MDM_UUID" ]
then
    echo "-MDM profile NOT found. Attempting to manage-"
    jamf manage
else
    echo "-MDM profile found. Removing MDM before attempting to manage-"
    profiles -R -p "$MDM_UUID"
    sleep 5
    jamf manage
fi

echo
exit 0
```

Jand99
New Contributor

Even as a root/admin user the profiles cannot be removed. Any suggestions?

_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-3A414D460003
>>profiles -v -R -p 00000000-0000-0000-A000-3A414D460004
profiles: verbose mode ON
profiles uninstall for identifier:'00000000-0000-0000-A000-3A414D460004' and user:'root' returned -205 (Unable to locate configuration profile.)
profiles: returned error: -205

rqomsiya
Contributor III

@Jand99 I'm having the same issue. Running into error -205. Did you find a solution??

Thanks,
R

Jand99
New Contributor

Solution is simple if you have admin rights.
Assuming that "sudo jamf removeFramework" did not work you can try this:
Start terminal and type:
sudo -i
cd /var/db/
mv ConfigurationProfiles ConfigurationProfilesOLD

then reboot. A new empty ConfigurationProfiles folder will be created automatically.

NOTE: If you need to keep some special configuration profiles in that folder it may be better to delete only the /var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist file.

rqomsiya
Contributor III

Well, I actually have a config profile that is for Wi-Fi access. We manually packaged it and installed it via script. However, I can't remove it. I keep getting the -205 error. I'm running the simple command

#!/bin/sh

profiles -R -p UUID (of the file in question)

Malcolm
Contributor II

passcode protected?

dstranathan
Valued Contributor II

Related question: When a configuration profile has been removed from a JAMF Managed Mac manually (command or script), will the profile get reinstalled automatically via MDM at some point (assuming the target Mac is still scoped for that particular profile etc)?

Espaay
New Contributor III

From our experience and with JAMF support on a call if you want to remove a config profile, the best approach to remove the devices from the scope, is to let it sit for a day, circle back validate config profile not showing on the devices, when all devices are not showing, finally disable the config profile and later delete it within JAMF.

donmontalvo
Esteemed Contributor III

@dstranathan will until out of scope

--
https://donmontalvo.com

jouwstrab
New Contributor III

@Jand99 You're a genius, that was the answer I was looking for. I ran your commands after doing -removeFramework and then re-enrolled with a QuickAdd and WIN!

Thanks a bunch.

trademarkable
New Contributor II

+1 for @Bauer from way-back-when, had a manually- (not JAMF-) distributed config profile which just wouldn't go away. Syntax is everything!

Chris_Hafner
Valued Contributor II

Just to clear up a question I had when reading this post all this time later. For those using secured, manually installed profiles. Removal of such a profile using a command:

sudo profiles -R -F /tmp/profilename.mobileconfig

requires the profilename.mobileconfig to be loaded into /tmp/ again. For most of you, this is totally obvious as the command calls for it. This means if your original install policy copied the "profilename.mobileconfig" to the /tmp/ directory to install it, you will need to again copy the "profilename.mobileconfig" to the /tmp/ directory before you can uninstall it.

Just to help future newbies!

cdenoia
New Contributor

Hey everyone,

I need to remove a specific Configuration Profile that was installed via the server on my 10.11.6 machines. I need to remove it via command line in a script for a very particular purpose. Since the Config Profile was installed via the JSS, the simple [ /usr/bin/profiles -R -F] will not work. Does anyone know how to remove a server installed Config Profile via terminal?

Thanks!

mm2270
Legendary Contributor III

@cdenoia Have you tried using sudo profiles -R -p UUID as shown in some of the posts above? The UUID is the identifier string that you can get by running sudo profiles -P in Terminal.

cdenoia
New Contributor

Hey @mm2270 ,

Yes, I attempted to issue command: /usr/bin/profiles -R -p <UUID>
Error = "return 101 (profile is not removable)"

Any other ideas??

alexmcclements
Contributor

Try adding -U "creatorofprofile" at the end of the command

sudo profiles -R -p UUID -U magicname

That worked for me.

rqomsiya
Contributor III

What do you mean by creator of profile?

alexmcclements
Contributor

Sorry for the delay. If a profile was installed under a particular username, when you run profiles -P you should see the username at the start of the string. If you take that username and add it to the end of your command, it should remove the profile, so if the username was ted your command would look like this:

sudo profiles -R -p UUID -U ted
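
As an added example (not code posted by anyone in this thread): a pre-flight check combining nessts' advice to confirm the identifier against the listing, the -205 "Unable to locate configuration profile" case, and the -U rule described above. It parses a constructed listing in the `<scope>[n] attribute: <key>: <value>` layout quoted in the thread and prints the removal command instead of running it; the profile names, the user ted and the com.example identifier are assumptions.

```bash
# Constructed sample in the "<scope>[n] attribute: <key>: <value>" layout quoted in
# this thread; the profile names, user "ted" and com.example identifier are made up.
SAMPLE_LISTING='_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-3A414D460003
ted[1] attribute: name: Corp Wi-Fi
ted[1] attribute: profileIdentifier: com.example.wifi.alacarte'

# find_profile LISTING NAME -> prints "<scope> <identifier>" for an exact name match.
# Exit status: 0 one match, 1 no match, 2 more than one profile with that name.
find_profile() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            tag = $1; line = $0                  # tag: "_computerlevel[1]", "ted[1]"
            sub(/^[^ ]+ attribute: /, "", line)
            key = line; sub(/: .*/, "", key)
            val = line; sub(/^[^:]*: /, "", val)
            if (key == "name") name[tag] = val
            if (key == "profileIdentifier") id[tag] = val
        }
        END {
            for (t in name) if (name[t] == want && (t in id)) { n++; hit = t }
            if (n != 1) exit (n ? 2 : 1)
            scope = hit; sub(/\[[0-9]+\]$/, "", scope)
            print scope, id[hit]
        }'
}

# identifier_listed LISTING ID -> 0 only if ID is listed verbatim as a profileIdentifier.
identifier_listed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        / attribute: profileIdentifier: / {
            v = $0; sub(/^.* attribute: profileIdentifier: /, "", v); if (v == want) ok = 1
        }
        END { exit !ok }'
}

# removal_command LISTING NAME -> prints the command to run; it does not run it.
removal_command() {
    local hit scope ident
    hit=$(find_profile "$1" "$2") || { echo "no single profile named '$2'" >&2; return 1; }
    scope=${hit%% *}; ident=${hit#* }
    if [ "$scope" = "_computerlevel" ]; then
        printf 'profiles -R -p %s\n' "$ident"
    else
        printf 'profiles -R -p %s -U %s\n' "$ident" "$scope"   # user-level: add -U owner
    fi
}
removal_command "$SAMPLE_LISTING" "Corp Wi-Fi"
```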

bbot
Contributor

Just to confirm, @alexmcclements command works.

To put it in a script, you just need to grab the logged in user's username from /dev/console for ex.

# Owner of /dev/console is the user currently logged in at the GUI
user=$(stat -f "%Su" /dev/console)
profiles -R -p "UUID HERE" -U "$user"

MacGeno
New Contributor II

Remove All Profiles
sudo /usr/bin/profiles -D

Remove a Single Profile
sudo /usr/bin/profiles -R -p com.eugene.

Fredor
New Contributor

Hi guys, just new and need this help. I got a Mac that is not showing any profile; however, if I format it I get the corporate login page if connected to the internet. If I disable the connection then I can go ahead and go through the activation. I've contacted the supplier but they haven't tested and now it is out of the 3 months warranty they offered :(
stunning Mojave if that helps, I can use it but I would like to have it as a normal MacBook..
any help much appreciated
thanks in advance!!

MacGeno
New Contributor II

HI Fredor Are you perhaps describing login profiles ? (User Profiles) ?

garybidwell
Contributor III

This doesn't sound like a config profile. It sounds like you're getting a DEP enrolment screen.

This can only be removed by the company shown in the screen - go back to the vendor you purchased this from, as without this being removed before sale the laptop is just an aluminium brick

sousap
New Contributor

sudo /usr/bin/profiles -D -f
To delete all profiles on the Mac without getting a prompt of "are you sure?" (forced)

donmontalvo
Esteemed Contributor III

Regarding Configuration Profiles installed by Jamf Pro (not what the original poster was asking, but was asked elsewhere in this thread), they'll be enforced.

Meaning you can't remove it without it re-installing again. The only way to remove would be to exclude the computer(s).

--
https://donmontalvo.com

waqas_khan
New Contributor III

Adding to what @donmontalvo mentioned above, you can send the command to remove the MDM profile. That'll also remove other profiles deployed and controlled by the MDM.

scottb
Honored Contributor

@waqas.khan - that's one of those I forget to use! Thanks for the reminder...

adambrest
New Contributor

To easily remove ALL profiles from a managed mac, do the following:
1. Turn off system integrity.
Shut down the computer.
Boot up the computer while holding (command + R)
Press ‘utilities’.
Type (csrutil disable)
Restart
2. Give terminal root file access.
Open ‘Privacy and Security’ in ‘System Preferences’.
Press ‘Privacy’
Press ‘Complete Disk Access’
Unlock with the lock button at the bottom left
Add terminal.
3. Terminal Commands
Type: ‘sudo jamf -removeFramework’ into terminal, press enter.
Type: ‘sudo -i’ into terminal, press enter and enter your password, press enter.
Type: ‘cd /var/db/‘ into terminal, press enter.
Type: ‘mv ConfigurationProfiles ConfigurationProfilesOLD’ into terminal, press enter.
Type: ‘logout’ into terminal, press enter.
4. Final steps.
Restart computer.

Hi @adambrest

I’m just gonna shoot straight. I think I purchased a MacBookPro in 2017 that is somehow registered to the Govmt. It was brand new, still in the unbroken cello when I got it off of eBay.

I just picked it up from Apple where they replaced the logic board and keyboard as a part of a recall. The serial number must have come up showing the device as a part of a Govmt agency. 

Upon boot, I select language, nation, keyboard and WiFi (I’ve also bypassed WiFi) and the next screen is “Configuration Available. This Mac will be configured automatically by _____.” (I can fill in the blank in an offline discussion)

If I choose -> Continue, I am then asked for log-in credentials which I obviously do not have.

Would you be willing to tell me or help me bypass this? Is it possible? 

donmontalvo
Esteemed Contributor III

If the computer is in Apple Business Manager, you're kind of SOL, unless you never ever connect it to the internet. 😉

--
https://donmontalvo.com

jared_hodgkins
New Contributor II

@bbot your script worked great when I used it locally, but trying to run it as a script from jamf pro it complained about -U needing an option to be passed to it. I tried user= and also just using $USER but I had no luck with either. If I hard-coded their username then it worked as long as they were logged in. Otherwise I got an error that the user wasn't logged in. Has anybody figured out a way to use this with a variable? maybe a specific uid?

Jaykrishna1
Contributor II

You can remove an individual OS X configuration profile using the profiles command line utility. Here are the steps to remove a configuration profile from the command line:

  1. Open Terminal.

  2. Type the following command to list the installed configuration profiles:

     profiles -P

  3. Identify the profile you want to remove by its name or identifier.

  4. Type the following command to remove the profile, replacing "PROFILE_IDENTIFIER" with the actual profile identifier:

     profiles -R -p PROFILE_IDENTIFIER

  5. The profile should now be removed from the device.

Note: The profiles utility is a built-in command line tool in OS X and is used to manage configuration profiles on a Mac. The above steps are meant to be performed on a device that is managed by Jamf.