Removing profiles

I found this discussion but to be honest it confused me more than it helped. https://jamfnation.jamfsoftware.com/discussion.html?id=5376

How were the profiles installed originally?
Were they installed manually or via the command line?
Or were they installed as a Casper Configuration Profile via APNS?

For the former you would use a script and the "profiles" command. (man profiles)
For the latter you would remove the Macs from the scope of the Casper Configuration Profile.

I hope that helps.

Are you able to leverage push notifications? We don't yet allow push notifications in my environment, so we do everything with profiles manually. Because of that, I don't have any first-hand experience with APNs, but it's my understanding that if you change the scope of the profile to exclude those computers, a push notification will go out and remove that profile from those machines. Again, I don't have any 1st hand experience, so YMMV.

If you don't have APNs, and you know the Profile Identifier, you can do it like this for a system-level profile:

Run profiles -C to get a list of the installed profiles and their identifier.

#!/bin/bash
# profile identifier
PROID=0314A2A7-347C-4006-91B9-4C03E3D4EFB4

# check to see if the profile is installed on the machine, and attempt to remove it if found.
    if [[ $(profiles -C | grep "${PROID}") ]]; then 
        profiles -R -p "${PROID}"
        if [[  $(profiles -C | grep "${PROID}") ]]; then
            echo "Removeal of ${PROID} failed. Exiting"
            exit 1
        else
            echo "Removal of ${PROID} successful."
        fi
    fi
done

Thanks for the responses. To answer your questions, It was installed by Casper about 3 years ago at the device level. In my testing removing computers from the scope gives mixed results. If I remove the computers from the scope, is there a criteria that I can use in advanced search to confirm the profile has been removed?

I have an extension attribute that lists all the profiles installed on a machine. It looks like this:

#!/bin/bash

IFS=$'
'
Info=()
Info+=($(profiles -Cv | grep -A4 "attribute: name:" | awk '{$1=$2=""; print $0}'))

echo -n "<result>"
for item in "${Info[@]}}"
do
    echo "${item}"
done
echo "</result>"

You can either create a search from this extension attribute and scope it to "not like" the profile in question, or you can create a similar attribute that searches for that one specific profile. Then just scope the search appropriately.

That attribute would look something like:

#!/bin/bash

##profile in question
PROFILE="profilename"

if [[ $(profiles -Cv |  awk '/attribute/ && /'"${PROFILE}"'/{$1=$2=$3=""; print $0}') ]]; then
  echo "Installed"
else
  echo "Not Installed"
fi

We have an Extension Attribute to list all Computer Level profiles with their identifier:

#!/bin/sh

# List the Profile Names with their Profile Identifiers and remove the very first space before them.
CompLevelProfiles=`profiles -C -v | awk -F: '/attribute: name/{print $NF}''/attribute: profileIdentifier/{print $NF "
"}' | sed 's/ //'`
echo "<result>$CompLevelProfiles</result>"

Output will be like this:

MDM Profile
00000000-0000-0000-A000-9365F43J64G1

Wi-Fi System and Loginwindow Profile v1.0
6348624F5-JS54-77GT-KK623-63NBFS45LFB6

Then you can remove the profile from the identifier (profiles -R -p [identifier]):
e.g.-

/usr/bin/profiles -R -p XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX