Skip to main content
Solved

Remove User Level Configuration Profile


BookMac
Forum|alt.badge.img+9

Hello, everyone,

we added our existing MacBooks to jamf via UIE. The devices still have manually installed user profiles under System Settings - Profiles. Certificates were distributed with the configuration profile. Is there a way to uninstall this profile via jamf?

Cheers

Best answer by BookMac

mm2270 wrote:

Ah, Ok. I didn't know it had that. So in that case you may be able to script removing this by passing the actual profile password after that flag. I would give that a try. It seems to me that's the reason why you haven't been able to remove it in your policy. It's looking for that removal password.


i think we got it. this script in a policy removed the profile

#!/bin/sh

username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")

/bin/launchctl asuser $loggedInUID sudo -iu $username profiles -R -p CompanyCertificates -z password

exit

View original
Did this topic help you find an answer to your question?

20 replies

junjishimazaki
Forum|alt.badge.img+10
  • New Contributor
  • 423 replies
  • November 30, 2021

Hi, can you explain what you mean by "manually installed config profiles"?


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • November 30, 2021

Before we had jamf we installed a configuration profile on every mac by double click the profile and insert the admin credentials for the installation.


junjishimazaki
Forum|alt.badge.img+10
  • New Contributor
  • 423 replies
  • November 30, 2021

Ah I see, thank you for clarifying.  Then yeah if it was manually installed then you have to manually uninstall the profiles.  

You can try the script route to search for the config profile UUID and then remove it. 

You might have to use the command sudo profiles -R -p profileidentifier


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • November 30, 2021

I'm getting the error:

profiles remove for identifier:'xxx' and user:'root' returned -205 (The operation couldn't be completed. (CPProfileManager error -205.))

To uninstall the profile a pasccode is required. Could this be a problem?


junjishimazaki
Forum|alt.badge.img+10
  • New Contributor
  • 423 replies
  • November 30, 2021

How did you obtain the profile identifier?


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • November 30, 2021

sudo profiles list -all

then I get the user and the certificate as output:

givenname.surname[1] attribute: profileIdentifier: CompanyCertificates


junjishimazaki
Forum|alt.badge.img+10
  • New Contributor
  • 423 replies
  • November 30, 2021

Sorry for the delay, I got busy. Hmmm, that is correct. Did you run the removal as a script or just in the terminal to test it out?


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • November 30, 2021

just in terminal to test it out. if i delete the configuration profile in system preferences i must insert a passcode and it's gone. But i don't want to connect to every mac and insert the passcode to delete it


junjishimazaki
Forum|alt.badge.img+10
  • New Contributor
  • 423 replies
  • November 30, 2021

Passcode or password?


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • November 30, 2021

Password, sorry


mm2270
Forum|alt.badge.img+16
  • Legendary Contributor
  • 7880 replies
  • November 30, 2021
BookMac wrote:

just in terminal to test it out. if i delete the configuration profile in system preferences i must insert a passcode and it's gone. But i don't want to connect to every mac and insert the passcode to delete it


 


@BookMac wrote:

just in terminal to test it out. if i delete the configuration profile in system preferences i must insert a passcode and it's gone. But i don't want to connect to every mac and insert the passcode to delete it


I'm not understanding this. Don't you have Jamf Pro? That's a perfect scenario for using Jamf since it runs scripts and commands as root. If you put that into a script and deploy it it should not require you entering any passwords.


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • December 1, 2021
mm2270 wrote:

 


@BookMac wrote:

just in terminal to test it out. if i delete the configuration profile in system preferences i must insert a passcode and it's gone. But i don't want to connect to every mac and insert the passcode to delete it


I'm not understanding this. Don't you have Jamf Pro? That's a perfect scenario for using Jamf since it runs scripts and commands as root. If you put that into a script and deploy it it should not require you entering any passwords.


yes, we have jamf pro. i've tried a policy with "Files and Processes" and the execute command "sudo profiles -R -p CompanyCertificates

The result of the policy is the same like in terminal: 

Result of command:
profiles remove for identifier:'CompanyCertificates' and user:'root' returned -205 (The operation couldn’t be completed. (CPProfileManager error -205.))


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • December 1, 2021
junjishimazaki wrote:

Passcode or password?


password


junjishimazaki
Forum|alt.badge.img+10
BookMac wrote:

yes, we have jamf pro. i've tried a policy with "Files and Processes" and the execute command "sudo profiles -R -p CompanyCertificates

The result of the policy is the same like in terminal: 

Result of command:
profiles remove for identifier:'CompanyCertificates' and user:'root' returned -205 (The operation couldn’t be completed. (CPProfileManager error -205.))


When you run sudo profiles -R -p in the terminal with the profile ID does it ask for a password?


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • December 2, 2021
junjishimazaki wrote:

When you run sudo profiles -R -p in the terminal with the profile ID does it ask for a password?


exactly. this is what it looks in terminal:

username@devicename ~ % profiles -R -p CompanyCertificates

Enter the profile removal password:

After the password the profile is gone. the user is no admin user.


mm2270
Forum|alt.badge.img+16
  • Legendary Contributor
  • 7880 replies
  • December 2, 2021
BookMac wrote:

exactly. this is what it looks in terminal:

username@devicename ~ % profiles -R -p CompanyCertificates

Enter the profile removal password:

After the password the profile is gone. the user is no admin user.


Ok, I see what’s going on here. Your profile has a removal password applied to it. Meaning the password is something separate from an admin password. 

if this is the case, the only way I believe you can automate this would be with an expect script. I don’t think the ‘profiles’ command has a flag for using a removal password, not that I’m aware of anyway. You can look thru the man page for it to see. 


junjishimazaki
Forum|alt.badge.img+10
mm2270 wrote:

Ok, I see what’s going on here. Your profile has a removal password applied to it. Meaning the password is something separate from an admin password. 

if this is the case, the only way I believe you can automate this would be with an expect script. I don’t think the ‘profiles’ command has a flag for using a removal password, not that I’m aware of anyway. You can look thru the man page for it to see. 


In the man pages for Profiles there is a flag to pass a password which is -password. 


mm2270
Forum|alt.badge.img+16
  • Legendary Contributor
  • 7880 replies
  • December 2, 2021
junjishimazaki wrote:

In the man pages for Profiles there is a flag to pass a password which is -password. 


Ah, Ok. I didn't know it had that. So in that case you may be able to script removing this by passing the actual profile password after that flag. I would give that a try. It seems to me that's the reason why you haven't been able to remove it in your policy. It's looking for that removal password.


BookMac
Forum|alt.badge.img+9
  • Author
  • Jamf Heroes
  • 72 replies
  • Answer
  • December 2, 2021
mm2270 wrote:

Ah, Ok. I didn't know it had that. So in that case you may be able to script removing this by passing the actual profile password after that flag. I would give that a try. It seems to me that's the reason why you haven't been able to remove it in your policy. It's looking for that removal password.


i think we got it. this script in a policy removed the profile

#!/bin/sh

username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")

/bin/launchctl asuser $loggedInUID sudo -iu $username profiles -R -p CompanyCertificates -z password

exit


Forum|alt.badge.img+5
  • Contributor
  • 64 replies
  • June 14, 2023
mm2270 wrote:

Ok, I see what’s going on here. Your profile has a removal password applied to it. Meaning the password is something separate from an admin password. 

if this is the case, the only way I believe you can automate this would be with an expect script. I don’t think the ‘profiles’ command has a flag for using a removal password, not that I’m aware of anyway. You can look thru the man page for it to see. 


@mm270 Explain what is removal password here as I'm also facing an issue in removing the profile via shell script.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings