Posted on 06-28-2017 07:02 AM
I am trying to script removing our old MDM enrollment through DEP from Macs so I can have them prompt for DEP enrollment into Jamf. I am OK with the end user being prompted for their admin password but would rather not have them manually type in the commands into the terminal.
sudo rm -rf /var/db/ConfigurationProfiles/
sudo rm /Library/Keychains/apsd.keychain
sudo /usr/libexec/mdmclient dep nag
The commands work great when manually typed into terminal.
Unfortunately none of them seem to work in a script.
: command not found2:
Password:
rm: /Library/Keychains/apsd.keychain
: No such file or directory
[ERROR] Unknown command: nag
: command not found12:
Posted on 06-28-2017 07:07 AM
You don't need to use "sudo" in your script.
Posted on 06-28-2017 07:11 AM
I get this when running without sudo in the script:
: command not found2:
rm: /Library/Keychains/apsd.keychain
: No such file or directory
[ERROR] Must run as root
: command not found12:
Posted on 06-28-2017 07:18 AM
Make sure your bash (environment) declaration is
#!/bin/bash
The leading octothorpe (pound sign) is important. Just want to make sure that didn't get left out.
Posted on 06-28-2017 07:21 AM
Not sure why the pound sign didn't get included in the post but that is in the script.
Posted on 06-28-2017 07:23 AM
Try this
#!/bin/sh
## rm -Rf * will delete everything inside the Keychains folder
## Stop if the cd fails so rm -Rf * never runs in some other directory
cd /Library/Keychains/ || exit 1
rm -Rf *
rm -Rf /var/db/ConfigurationProfiles/
/usr/libexec/mdmclient dep nag
Posted on 06-28-2017 07:32 AM
Posted on 06-28-2017 07:47 AM
Note that this is in the Library/Keychains folder that also includes the system.keychain. What issues will that cause?
Posted on 06-28-2017 07:59 AM
> I get this when running without sudo in the script: : command not found2: rm: /Library/Keychains/apsd.keychain : No such file or directory [ERROR] Must run as root : command not found12:
How is the script being run? If you're just running it in Terminal normally then that error makes sense. Generally speaking you want the whole script to run with root privileges, not have sudo's in the script. To do that you simply do something like:
sudo /path/to/script.sh
If the script is deployed and run from a Jamf Pro policy, then it automatically runs as root. So it in effect does the above command by default.
Posted on 06-28-2017 08:10 AM
@mm2270 After removing sudo from the script, I am running it with the sudo command. Unfortunately the devices are not yet in Jamf so the script is being run manually. I still get the command not found if I specify the apsd.keychain file.
Posted on 06-28-2017 08:32 AM
Hmm, I can't really explain that off hand. I looked on my system, not part of DEP, and the apsd.keychain is in /Library/Keychains/ so it seems like a standard keychain created by the OS. Not sure why you're getting a command not found. That would mean it can't find rm which doesn't make much sense. I suppose you could put in the full paths for the binaries, just on the off chance it's not resolving the path?
/bin/rm /Library/Keychains/apsd.keychain
I see that the keychain has an extended attribute on it, in my case anyway, but it's only the com.apple.quarantine flag, which I can't see how that would prevent it from being deleted.
ls -l@ /Library/Keychains/apsd.keychain
-rw-r--r--@ 1 root wheel 35656 Sep 8 2016 /Library/Keychains/apsd.keychain
com.apple.quarantine 29
Posted on 06-28-2017 01:43 PM
Thanks everyone for helping the noob.
The commands are now working. (except the apsd.keychain is not being recreated until reboot so I may need to use rm /var/db/.AppleSetupDone instead of /usr/libexec/mdmclient dep nag. Seems a bit inconsistent.)
Adding /bin/ in front of the commands was the final piece that got it working.
sudo path/to/script.sh
/bin/rm -rf /var/db/ConfigurationProfiles/
/bin/rm /Library/Keychains/apsd.keychain
/bin/rm /var/db/.AppleSetupDone
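The error text quoted in this thread (": command not found2:", a line break between the path and ": No such file or directory", "Unknown command: nag") matches the pattern a shell prints when a script file is saved with CRLF line endings, so every command's last argument carries a trailing carriage return. As an added example, not code from any poster in the thread, the following checks a script for carriage returns and strips them; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and remove carriage returns (CRLF line endings) that
# make valid script lines fail with ": command not found".

# has_cr FILE -> exit status 0 if FILE contains any carriage return
has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# cr_lines FILE -> print the numbers of lines that end in a carriage return
cr_lines() {
    cr=$(printf '\r')
    grep -n "${cr}\$" "$1" | cut -d: -f1 | paste -s -d ' ' -
}

# strip_cr FILE -> remove every carriage return from FILE in place;
# writing back with cat keeps the file's owner and mode
strip_cr() {
    tmp=$(mktemp) || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# make_sample FILE -> write a constructed CRLF script for inspection only;
# the file is never executed
make_sample() {
    printf '#!/bin/bash\r\n\r\n/bin/rm /Library/Keychains/apsd.keychain\r\n/usr/libexec/mdmclient dep nag\r\n' > "$1"
}

# Demo: inspect the constructed sample, clean it, confirm the result
sample=$(mktemp) || exit 1
make_sample "$sample"
if has_cr "$sample"; then
    echo "CR found on lines: $(cr_lines "$sample")"
    strip_cr "$sample"
fi
has_cr "$sample" || echo "clean: no carriage returns remain"
rm -f "$sample"
```

Running `has_cr` on a script before deploying it is a cheap check when the file was edited on Windows or pasted from a web page.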