Removing Jamf didn't remove MDM profile

samantha_cowan
New Contributor

We removed JAMF from a laptop but it failed to remove the MDM profile. Now, without JAMF on the machine, what is the best way to remove the profile?

15 REPLIES 15

seanhansell
New Contributor III

Are you using DEP? If so, do you have "Allow MDM Profile Removal" unchecked in your prestage enrollment? This is the only scenario where I've seen MDM profiles get locked in like that.

mm2270
Legendary Contributor II

How did you remove the jamf components? There's a command you can send to the jamf binary itself to tell it to remove all the jamf components, including the main profile and the binary itself. If you manually deleted the jamf binary and some other items, that won't remove the profile.

To remove the profile now, you can try using the profiles command in Terminal:
sudo profiles -R -p <profile UUID>
You might need to first run profiles -Pv and take a look at the output to determine the UUID string for the Jamf profile. It's usually something that starts with the string 00000000-0000-0000-A000-

If that doesn't work, you might need to copy back the jamf binary and run either
sudo jamf removeMdmProfile
or the removeFramework command

Hugonaut
Valued Contributor

@mm2270 is correct

if you can get hands on or terminal access via vpn, hit the terminal

login / run as root the following 2 commands and you are good to go (in the following order, pretty sure framework removes the binary)

sudo jamf removeMdmProfile
sudo jamf removeFramework

then reinstall your quickadd package

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

ajb_
New Contributor II

Try this;

sudo jamf removeFramework

sudo profiles -D

A

Caleb_Anderson
New Contributor III

I know this is old, but I just had the problem and solved it fairly easily so I thought I'd share.

One of our staff removed the DEP enrolled device from the MDM because under "management" there were no options (I suspect the way he enrolled it was a bit funky to begin with) and then he ran

sudo jamf removeFramework

in terminal.

This removed the jamf binary, but the profiles were all still installed and set to not allow removal, so he couldn't re-install the profile back over the top with user initiated enrollment.

Since it was enrolled in DEP, I ran:

sudo rm /var/db/.AppleSetupDone

This made the computer boot into Apple Setup Assistant when I rebooted, and prompted for the profile installation again after connecting to a WiFi network. The profile reinstalled correctly this time and the computer is now in the MDM and fully functional.

dselleos
New Contributor II

Did you have to create a new user profile or did it overlook that portion of the setup?

DFree
New Contributor III

@Caleb.Anderson See @dselleos 's question. Did you have to create a new user profile? Does it wipe the existing user profile?

cpresnall
Contributor

You will need to progress through the user creation, but can then log out and back in to the normal user with no data loss. The new user can be deleted once the process is complete.

tlarkin
Honored Contributor

Reboot the computer, this has been a known issue and rare exception for years. Sometimes the MDM won't fully remove until you reboot the system.

Caleb_Anderson
New Contributor III

@dselleos @DFree Sorry for the late response - you go through User Creation again but you don't lose data. Just don't create a user with the same name (though it probably won't let you anyway).

abrahamT
New Contributor III

You should just be able to go to the computer record of the device in the console and on the Management tab click on “Remove MDM Profile”. The removal of binaries is independent of the MDM profiles.

DFree
New Contributor III

Just an update on my situation with this. There was somehow a disconnect between the MDM Profile on the laptop and Jamf. Somehow the laptop said it was user-approved and Jamf said it wasn't.

Luckily this mac was under our DEP account (we have some that are not) and I ended up using @Caleb.Anderson 's solution and it worked great. I ran into one hiccup when the gear screen came up and it timed out. I ended up deleting the computer from JSS and tried again and it worked. Not sure if it was related or not. I deleted the randomuseraccount after I was done. User account data was never touched.

micmil
New Contributor II

Just had the same experience as @DFree. Had to follow @Caleb.Anderson's solution. I still have multiple computers that were enrolled with PreStage and just stopped communicating with Jamf Cloud. All computers were enrolled with PreStage, were migrated from existing computers, and had DeepFreeze installed post migration. Considering how rampant this problem is at our site, I suspect there is something in the Migration or DF that caused a disconnect.

cschneer
New Contributor

I have a computer that I tried to remove the mdm profile on and it hung, i removed the computer object from the JSS also. The issue is that our students are savvy so i disable terminal on the devices. Can i remove the framework in single user mode?

matin
New Contributor III

I recently needed to use Migration Assistant to migrate a C-Level and ran into issues with the non-removable MDM profile and MDM-enabled user. I ended up using @Caleb.Anderson process with some updating. I added a temp admin user then removed the migrated user's macOS account but not the home directory that way during the Setup Assistant the second time around I could set the migrated user's local macOS account up again and it will automatically associate to the previously migrated home directory. Note, make sure you remove the (Deleted) from the migrated user's home directory name to associated properly during setup assistant. The reason for this is to set the migrated user as the MDM-enabled user. In my experience, if that is not setup properly then things such as the macappstore apps and updates will fail since it waits for the MDM-enabled user to be active to perform these tasks. Anyways, I wanted to thank the thread and add to it. Tested this in macOS 10.15.7.