Removing Jamf didn't remove MDM profile

samantha_cowan
New Contributor

We removed JAMF from a laptop but it failed to remove the MDM profile. Now, without JAMF on the machine, what is the best way to remove the profile?


seanhansell
Contributor

Are you using DEP? If so, do you have "Allow MDM Profile Removal" unchecked in your prestage enrollment? This is the only scenario where I've seen MDM profiles get locked in like that.

- Sean

mm2270
Legendary Contributor III

How did you remove the jamf components? There's a command you can send to the jamf binary itself to tell it to remove all the jamf components, including the main profile and the binary itself. If you manually deleted the jamf binary and some other items, that won't remove the profile.

To remove the profile now, you can try using the profiles command in Terminal:
sudo profiles -R -p <profile UUID>
You might need to first run profiles -Pv and take a look at the output to determine the UUID string for the Jamf profile. It's usually something that starts with the string 00000000-0000-0000-A000-

If that doesn't work, you might need to copy back the jamf binary and run either
sudo jamf removeMdmProfile
or the removeFramework command
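The reply above suggests reading `profiles -Pv` to find the Jamf profile's identifier before running `profiles -R -p`. Below is an added example (not code from the thread or from Jamf) that does that lookup on text rather than by eye: it parses `profiles -Pv`-style output, reports every installed profile with its `removalDisallowed` flag, and flags identifiers that carry the `00000000-0000-0000-A000-` prefix mentioned in the thread. The output layout is an approximation of the real command's format written from memory, and the sample text is constructed, not captured from a machine; the function names (`list_profiles`, `locked_profiles`, `is_jamf_identifier`) are this example's own.

```shell
#!/bin/sh
# Added example: inventory installed profiles from `profiles -Pv`-style text
# and show which ones are marked non-removable, so an admin can see what is
# still locking a Mac after the jamf binary is gone.
# NOTE: the attribute layout below approximates `profiles -Pv` output
# (assumption); the sample itself is constructed for this example.

SAMPLE_PROFILES_OUTPUT='There are 2 system configuration profiles installed

_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-A000-4A414D460003
_computerlevel[1] attribute: profileType: Configuration
_computerlevel[1] attribute: removalDisallowed: TRUE

_computerlevel[2] attribute: name: Wi-Fi Settings
_computerlevel[2] attribute: profileIdentifier: com.example.wifi
_computerlevel[2] attribute: profileUUID: 11111111-2222-3333-4444-555555555555
_computerlevel[2] attribute: profileType: Configuration
_computerlevel[2] attribute: removalDisallowed: FALSE'

# Print "<profileIdentifier> <removalDisallowed>" for each profile in the text.
# The first field (e.g. _computerlevel[1]) groups the attribute lines of one profile.
list_profiles() {
    printf '%s\n' "$1" | awk '
        /attribute: profileIdentifier:/ { id[$1] = $NF }
        /attribute: removalDisallowed:/ { locked[$1] = $NF }
        END {
            for (k in id)
                print id[k], (k in locked ? locked[k] : "UNKNOWN")
        }
    ' | sort
}

# Print only the identifiers whose removal is disallowed; these are the profiles
# that survive a manual cleanup and need `profiles -R -p <identifier>` or a
# server-side "Remove MDM Profile" to go away.
locked_profiles() {
    list_profiles "$1" | awk '$2 == "TRUE" { print $1 }'
}

# Return 0 when an identifier carries the prefix the thread associates with
# Jamf-issued profiles, 1 otherwise.
is_jamf_identifier() {
    case "$1" in
        00000000-0000-0000-A000-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample: print locked profiles and
# mark which of them look Jamf-issued.
locked_profiles "$SAMPLE_PROFILES_OUTPUT" | while read -r ident; do
    if is_jamf_identifier "$ident"; then
        echo "locked Jamf profile: $ident"
    else
        echo "locked profile (other vendor): $ident"
    fi
done
```

On a real Mac the same functions take live output, for example `locked_profiles "$(sudo profiles -Pv)"`, and the identifier printed is the value to hand to `sudo profiles -R -p`. Because `-p` expects the profile identifier rather than the UUID, the script keys on `profileIdentifier` even though the two values coincide for the Jamf MDM profile in the sample.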

Hugonaut
Valued Contributor II

@mm2270 is correct

If you can get hands-on or terminal access via VPN, hit the terminal.

Log in / run as root the following 2 commands and you are good to go (in the following order; pretty sure framework removes the binary):

sudo jamf removeMdmProfile
sudo jamf removeFramework

Then reinstall your QuickAdd package.


ajb_
New Contributor II

Try this:

sudo jamf removeFramework

sudo profiles -D

A

Caleb_Anderson
New Contributor III

I know this is old, but I just had the problem and solved it fairly easily so I thought I'd share.

One of our staff removed the DEP enrolled device from the MDM because under "management" there were no options (I suspect the way he enrolled it was a bit funky to begin with) and then he ran

sudo jamf removeFramework

in Terminal.

This removed the jamf binary, but the profiles were all still installed and set to not allow removal, so he couldn't re-install the profile back over the top with user initiated enrollment.

Since it was enrolled in DEP, I ran:

sudo rm /var/db/.AppleSetupDone

This made the computer boot into Apple Setup Assistant when I rebooted, and prompted for the profile installation again after connecting to a WiFi network. The profile reinstalled correctly this time and the computer is now in the MDM and fully functional.

selleos
New Contributor II

Did you have to create a new user profile or did it overlook that portion of the setup?

DFree
New Contributor III

@Caleb.Anderson See @dselleos's question. Did you have to create a new user profile? Does it wipe the existing user profile?

cpresnall
Contributor

You will need to progress through the user creation, but can then log out and back in to the normal user with no data loss. The new user can be deleted once the process is complete.

tlarkin
Honored Contributor

Reboot the computer, this has been a known issue and rare exception for years. Sometimes the MDM won't fully remove until you reboot the system.

Caleb_Anderson
New Contributor III

@dselleos @DFree Sorry for the late response - you go through User Creation again but you don't lose data. Just don't create a user with the same name (though it probably won't let you anyway).

abrahamT
New Contributor III

You should just be able to go to the computer record of the device in the console and on the Management tab click on “Remove MDM Profile”. The removal of binaries is independent of the MDM profiles.

DFree
New Contributor III

Just an update on my situation with this. There was somehow a disconnect between the MDM Profile on the laptop and Jamf. Somehow the laptop said it was user-approved and Jamf said it wasn't.

Luckily this Mac was under our DEP account (we have some that are not) and I ended up using @Caleb.Anderson's solution and it worked great. I ran into one hiccup when the gear screen came up and it timed out. I ended up deleting the computer from JSS and tried again and it worked. Not sure if it was related or not. I deleted the random user account after I was done. User account data was never touched.

micmil
New Contributor III

Just had the same experience as @DFree. Had to follow @Caleb.Anderson's solution. I still have multiple computers that were enrolled with PreStage and just stopped communicating with Jamf Cloud. All computers were enrolled with PreStage, were migrated from existing computers, and had DeepFreeze installed post migration. Considering how rampant this problem is at our site, I suspect there is something in the Migration or DF that caused a disconnect.

cschneer
New Contributor

I have a computer that I tried to remove the MDM profile on and it hung; I removed the computer object from the JSS also. The issue is that our students are savvy, so I disable Terminal on the devices. Can I remove the framework in single user mode?

matin
New Contributor III

I recently needed to use Migration Assistant to migrate a C-Level and ran into issues with the non-removable MDM profile and MDM-enabled user. I ended up using @Caleb.Anderson's process with some updating. I added a temp admin user, then removed the migrated user's macOS account but not the home directory; that way, during the Setup Assistant the second time around, I could set the migrated user's local macOS account up again and it will automatically associate to the previously migrated home directory. Note, make sure you remove the "(Deleted)" from the migrated user's home directory name to associate properly during Setup Assistant. The reason for this is to set the migrated user as the MDM-enabled user. In my experience, if that is not set up properly then things such as the Mac App Store apps and updates will fail, since it waits for the MDM-enabled user to be active to perform these tasks. Anyways, I wanted to thank the thread and add to it. Tested this in macOS 10.15.7.

LA_RX
New Contributor II

Hello, I just tested @Caleb_Anderson's method today on Mac OSX Big Sur 11.6.1 and it doesn't seem to work. Unless I did something wrong?

These were my steps:

1. Run the following commands in order:

sudo jamf removeMDMProfile
sudo jamf removeFramework
sudo rm /var/db/.AppleSetupDone

2. Reboot laptop.

3. User had to login.

4. Setup Screen appeared. User had to pick Country and setup wifi.

5. User then had to login again.

However, I never got the Remote Management screen at all. I tried this twice.

I then tried what @DFree did by deleting the device from JSS, then removing it and then adding it back to PreStage Enrollment.

Tried the steps again and still same outcome.

Unfortunately, profiles are still there and I cannot seem to remove them and re-enroll the computer.

Would anyone be able to advise on what I might have done wrong and what I might be able to do to re-enroll the laptop without having to wipe it?

I think the main issue is deleting the MDM profile and then manually adding it again, which I can't seem to do.

LA_RX
New Contributor II

Updating my post from December. I found this method to manually remove MDM profile from a Mac without having to wipe the laptop. Tested it and it worked great!

https://graffino.com/til/UmkCdmEx7v-remove-a-non-removable-mdm-profile-from-macos-without-a-complete...

Devo
New Contributor II

For me, this required the use of Root. Regular admin was unable to follow those steps. That said, it worked after using root.

LA_RX
New Contributor II

From my understanding when you boot into recovery mode you are a root user. I didn't have to change users when I followed these steps.

Devo
New Contributor II

To clarify, step 3 says to boot into the OS. I logged into an admin user, couldn't process the terminal commands from step 4. I enabled root and then logged in as root and I was able to run the 4 terminal commands from step 4.

I was successful on a machine that I had deleted from JSS and previously run the command

sudo jamf removeFramework

I tested this on a second computer without running other commands first or deleting it from JSS. The steps in the graffino link by themselves did not work. I plan to rerun them after first removing the framework via the command below:

sudo jamf removeFramework

I will try to remember to follow up.

LA_RX
New Contributor II

Interesting, what OSX version are you running?

LA_RX
New Contributor II

If you run sudo jamf removeFramework it should work fine, and it is the correct way to do it.

My issue was that someone deleted the JamF binary and it did not allow me to do it the correct way.

So I could delete it from JamF Pro console but not remove the MDM profiles. Hence why it had to be done manually.

Devo
New Contributor II

This was on 12.6. What started it all was a loss of creds for the push cert. Set up a new push cert, but have to re-enroll all the devices. Can't remove the MDM profile because of the push cert issue. Here are the steps in order that worked for me. I started with an Admin account.

1- Enable root user

2- Remove framework using sudo jamf removeFramework

3- Boot into recovery mode; in Terminal run csrutil disable

4- Log in as root, run the following commands in Terminal:

cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
sudo rm /var/db/.AppleSetupDone

5- Boot into recovery mode, run csrutil enable

6- Log into admin account, disable root. If you have DEP set up you will see this kick off and install current profiles. I had to physically restart after the MDM profile was installed as well.

LA_RX
New Contributor II

Thanks for this info. Devices we had were on OSX Big Sur. I hope you didn't have to do this for all your devices under your JamF setup. Losing creds for the Push cert is a huge PIA.

QGJZerk
New Contributor

I know this is an older topic, but I just came across this issue as well and wasn't able to remove using sudo jamf removeFramework or sudo jamf removeMdmProfile. I also attempted sudo rm /var/db/.AppleSetupDone to no avail.

My device was enrolled via Pre-stage enrollment, and my profiles were not removed whenever I tried to run the above scripts. However, I was able to get back online using sudo profiles renew -type enrollment.

Hope this helps anyone else that is having this trouble!