Stuck MDM profile on Big Sur

samuellarsson
New Contributor III

One of our MacBook Pros wasn't properly enrolled, and got the MDM profile installed but nothing else (i.e. no Jamf binary). In previous OSes I have been able to remove /var/db/ConfigurationProfiles from the Recovery Partition, but this is seemingly no longer an option in Big Sur. Is there any workarounds for removing a stubborn MDM profile?


JG3741
New Contributor III

Hello,

Is the MacBook Pro using the new M1 Processor? If so, open terminal and enable Rosetta. Then, create a QuickAdd package with Jamf Recon, run the package on the computer, and the MDM issue should be resolved.

samuellarsson
New Contributor III

Then, create a QuickAdd package with Jamf Recon, run the package on the computer, and the MDM issue should be resolved.

Thanks, will try that. I have tried to enroll via the web, but it didn't work because there was already an MDM profile in place (it's not an M1).

FrigidInIowa
New Contributor II

Did you have any luck with this? I've got a Big Sur Intel macbook with a borked enrollment. We purged it from Jamf and the DEP, but the MDM profile is non-removable. I've tried Recon and QuickAdd packages, as well as a web enrollment. The web enrollment fails because the existing MDM profile isn't replaceable.

I've got a Jamf support ticket open, but I'd love to hear if anyone's got a method to try.

SovanaIT
New Contributor

@Messick I had luck doing the following:

1. Create a new Admin level user and log in to that profile at least once.
2. Reboot to Recovery (Command + R).
3. Open Terminal and disable SIP (csrutil disable).
4. Reboot to the Big Sur desktop.
5. Log in as the new Admin user you just created.
6. Open Terminal and type "sudo -i" w/o quotes.
7. Type "mv /var/db/ConfigurationProfiles /var/db/ConfigurationProfilesOLD".
8. Type "mkdir /var/db/ConfigurationProfiles".
9. Reboot to Recovery, open Terminal and type "csrutil enable".
10. Reboot and log in to Big Sur with the Admin profile you completed the previous steps with.
11. Go to the JAMF open enrollment URL for your organization and enroll the device.
12. After the enrollment completes, log in with the user account you want MDM to run on.
13. Go to the JAMF open enrollment URL for your organization and re-enroll the device.

The reason I say to create a new Admin level user is because when I tried to use the existing user profile to re-enroll after renaming the ConfigurationProfiles folder, it didn't work. Somehow, enrolling the device with a new user allowed JAMF to repopulate the freshly created ConfigurationProfiles folder.

Anyway, if anyone has any questions, let me know. In case y'all couldn't tell, it has been a long while since I've done any technical documentation. ;)

Cheers

matin
New Contributor III

@SovanaIT, thanks for the write up.

@Messick I ran into a similar issue on Catalina however I was able to fix it by performing the following. (Hopefully, works in Big Sur):

  1. Open Terminal
  2. Run the following command:

    sudo rm /var/db/.AppleSetupDone

  3. Run through the Setup Assistant to create the assigned user account. Note, this is important since this was the only way I could add the assigned user as the MDM Capable User of the assigned computer. Reference: Enabling MDM for Local User Accounts

I was able to remove the non-removable MDM profile and the computer was able to complete the DEP process/prestage enrollment fully.

mainelysteve
Valued Contributor II

@SovanaIT You can skip some of those steps and stay in Recovery. Use Terminal and cd into the volume (Volumes/Macintosh HD) and make those changes. One additional step after purging the profiles directory is to also delete the apsd.keychain file in /Library/Keychains. Once you're back into the OS, run sudo profiles renew -type enrollment when logged in as the assigned user of the machine.
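The reset that @SovanaIT and @mainelysteve describe, written up as an added example script (not from anyone in this thread). It assumes it is run as root, either booted into the affected OS (no argument) or from Recovery with the target volume's mount point as the argument (the volume name "Macintosh HD" is an assumption), and it sets files aside with a timestamped name instead of deleting them so the change can be reverted.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the manual steps above:
# rename /var/db/ConfigurationProfiles, recreate it empty, and set aside
# /Library/Keychains/apsd.keychain. ROOT is "" when booted into the affected
# OS, or e.g. "/Volumes/Macintosh HD" (assumed name) when run from Recovery.

# Rename ROOT/var/db/ConfigurationProfiles to a timestamped backup and
# recreate it empty. Prints the backup path. Returns 1 if the store is
# missing, 2 if the rename is refused (e.g. SIP still enabled on a booted OS).
reset_profiles_store() {
    root="${1:-}"
    store="$root/var/db/ConfigurationProfiles"
    [ -d "$store" ] || { echo "no profile store at $store" >&2; return 1; }
    backup="${store}.bak-$(date +%Y%m%d%H%M%S)"
    mv "$store" "$backup" 2>/dev/null || { echo "rename refused" >&2; return 2; }
    mkdir "$store" || return 2
    echo "$backup"
}

# Follow-up step from the thread: set aside apsd.keychain so the push
# registration is rebuilt. Silently succeeds when the file is not present.
stash_apsd_keychain() {
    root="${1:-}"
    kc="$root/Library/Keychains/apsd.keychain"
    [ -f "$kc" ] || return 0
    mv "$kc" "$kc.bak-$(date +%Y%m%d%H%M%S)"
}

# Entry point: run both steps, then remind the admin of the remaining manual
# steps (re-enable SIP if it was disabled, reboot, renew the enrollment).
reset_enrollment_state() {
    reset_profiles_store "$1" && stash_apsd_keychain "$1" &&
    echo "next: csrutil enable (if disabled), reboot, then: sudo profiles renew -type enrollment"
}
```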

SovanaIT
New Contributor

@mainelysteve Thanks. I'll give the keychain delete a whirl as JAMF pushed apps are now failing to install. Ditto on staying in Recovery. I forgot that you need to switch to the boot volume to make these changes from Recovery.

GeorgeCasper
New Contributor III

I've been having this issue in our environment too, so I tried the process that SovanaIT + mainelysteve proposed, and it seemed to work, albeit with some interesting caveats:

The first time I tried it, I reached the point of logging back in (after having missed the csrutil enable step) and without any action on my part, I began being prompted to approve a CA Cert and MDM Profile. Once I did, all other Config Profiles came down.

Curious about the process, I tried it again, and was unable to replicate it. Through trial and error, I found that if I removed the computer's record in Jamf, used the manual re-enrollment URL and manually downloaded & installed the CA certificate and MDM profile, I was once again able to receive all of my Configuration Profiles.

As an aside, when I first tried the csrutil disable command, it failed. Apparently there is an ordinary recovery mode and a "one true recovery" mode, as detailed here:
https://forums.macrumors.com/threads/can-not-disable-sip-on-my-new-mac-mini-m1.2277479/page-2?post=29668556#post-29668556

mainelysteve
Valued Contributor II

@GeorgeCasper I assume you're not using DEP/ADE if you're using manually installed profiles to enroll a machine? For me I had a more consistent experience using the command I have in my previous post versus manually installed profiles. My experience has been better as well to remove the management record.

raymond_lyon
New Contributor II

@mainelysteve @SovanaIT I tried what you recommended and ran into two issues:

1. When trying to nuke the ConfigurationProfiles directory from Recovery, I get an "operation not permitted" error even after running csrutil disable. Same result if I reboot back into Recovery and try again. Only way I could get it done was by logging into the admin user and running the commands as root.

2. After nuking the ConfigurationProfiles folder, I log back into the desired user and run sudo profiles renew -type enrollment, but nothing happens. The machine doesn't appear to re-enroll and I don't get any sort of prompt.

Any ideas? I can manually re-enroll by downloading the cert and the MDM profile but the ideal situation is to re-enroll the machine via Automated Enrollment without a wipe.

@matin Does re-running the Apple setup work for a pre-existing user or do you have to create a fresh one? Ideally I'd love to re-run it for a user that's already there so I can re-enroll.

Thanks!

If you're in the Recovery terminal running these commands, csrutil won't be necessary. That's for use when the volume you're affecting is booted. Perhaps try renaming the directory as @SovanaIT described above, or just nuke the contents versus removing the entire directory. Rerunning the Setup Assistant may cause it to create another user account.

As far as your problem below: I've never run into that, but "connection interrupted" looks like an upstream issue at a firewall. I assume you checked the connectivity of that machine?

raymond_lyon
New Contributor II

When running sudo profiles validate -type enrollment, I get:

Bad response from apsd: Connection interrupted.
Error validating Device Enrollment configuration: We can't determine if this machine is DEP enabled. Try again later. 

Anyone got this before?