Skip to main content
Solved

Using self-service to remove a user profile


Forum|alt.badge.img+9

I am trying to figure out a way i can use the profile command to remove a user profile that was installed by JAMF. The profile is used to add a AD generated user cert to connect systems to our . WiFi. For various reasons this cert breaks or gets removed.

I was hoping to build something in self service user can use to remove the profile and re-add it forcing a new user cert to be generrated. But im having zero luck i get a profile not found error using

sudo profiles -R -p "profiles ID"

Error:
profiles remove for identifier:'Profile ID' and user:'Username' returned -205 (Unable to locate configuration profile.)

Best answer by mm2270

@Matt.Ellis As far as I know, you can't alter that setting after the fact, but, I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back in to the Config Profile itself and change it to "Make available in Self Service", there is a drop down that let's you choose if it can be uninstalled from Self Service as well.

Set that to Yes, then when saving, choose one of the options given. In the test I just ran, I chose "Make available in Self Service"

This profile was scoped and installed to my Mac (only), and sure enough, when I went back into Self Service, it showed up there with a "Remove" button, and I was able to uninstall it. Keep in mind that because I changed the profile to install via Self Service, it will not auto deploy again to my Mac, and the profile remains in Self Service after removing it, but the button changes to "Install" I don't know if that's what you had in mind, but if that's acceptable, then that is probably the best approach to allowing users to remove this profile.

View original
Did this topic help you find an answer to your question?

12 replies

mm2270
Forum|alt.badge.img+24
  • Legendary Contributor
  • 7881 replies
  • November 6, 2019

Is the profile a User Level profile or Computer Level? I'm assuming it's user level from your description, which may explain the problem you're experiencing.


Forum|alt.badge.img+14
  • Honored Contributor
  • 862 replies
  • November 6, 2019

That is because Self Service is running elevated as root. I believe if you search the forum for 'Outset' you'll find examples of scripts that run as the local user.


Forum|alt.badge.img+16
  • Valued Contributor
  • 182 replies
  • November 6, 2019

To run a command as the logged in user I do this:

#!/bin/sh
username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")

/bin/launchctl asuser $loggedInUID sudo -iu $username commandsyouwanttorunhere.

Forum|alt.badge.img+9
  • Author
  • Valued Contributor
  • 94 replies
  • November 8, 2019

Thanks all i will take a look and see if that helps


Forum|alt.badge.img+9
  • Author
  • Valued Contributor
  • 94 replies
  • November 8, 2019

@strayer using your code and "profiles -R -p 53B24E0A-3032-4230-8499-DC272E985007" I now get a Script result: profiles remove for identifier:'53B24E0A-3032-4230-8499-DC272E985007' and user:'matt_ellis' returned 101 (Profile is not removable.)


mm2270
Forum|alt.badge.img+24
  • Legendary Contributor
  • 7881 replies
  • November 8, 2019

@Matt.Ellis How was the profile originally installed? Was it via Jamf/MDM, or manually? If it was installed by Jamf, then it may have been set to non-removable by the user, which means only Jamf can remove it. From the new error message you're seeing, it looks like that may be the case.


Forum|alt.badge.img+9
  • Author
  • Valued Contributor
  • 94 replies
  • November 8, 2019

@mm2270 Yes it was installed via JAMF. its set to install automatically, is there away to flag it as removable?


mm2270
Forum|alt.badge.img+24
  • Legendary Contributor
  • 7881 replies
  • Answer
  • November 8, 2019

@Matt.Ellis As far as I know, you can't alter that setting after the fact, but, I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back in to the Config Profile itself and change it to "Make available in Self Service", there is a drop down that let's you choose if it can be uninstalled from Self Service as well.

Set that to Yes, then when saving, choose one of the options given. In the test I just ran, I chose "Make available in Self Service"

This profile was scoped and installed to my Mac (only), and sure enough, when I went back into Self Service, it showed up there with a "Remove" button, and I was able to uninstall it. Keep in mind that because I changed the profile to install via Self Service, it will not auto deploy again to my Mac, and the profile remains in Self Service after removing it, but the button changes to "Install" I don't know if that's what you had in mind, but if that's acceptable, then that is probably the best approach to allowing users to remove this profile.


Forum|alt.badge.img+9
  • Author
  • Valued Contributor
  • 94 replies
  • November 8, 2019

@mm2270 I owe you a beer! This is 95% of what im looking for!


Forum|alt.badge.img+2
  • New Contributor
  • 1 reply
  • June 22, 2020
As far as I know, you can't alter that setting after the fact, but, I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back in to the Config Profile itself and change it to "Make available in Self Service", there is a drop down that let's you choose if it can be uninstalled from Self Service as well.

I need the same thing but for an iPad. Setting a profile to be removable for A Mobile Device config profile doesn't seem like a function, is there a way to replicate it?


FutureFacinLuke
Forum|alt.badge.img+8
  • Valued Contributor
  • 119 replies
  • February 26, 2025
Anthony_Moss wrote:
As far as I know, you can't alter that setting after the fact, but, I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back in to the Config Profile itself and change it to "Make available in Self Service", there is a drop down that let's you choose if it can be uninstalled from Self Service as well.

I need the same thing but for an iPad. Setting a profile to be removable for A Mobile Device config profile doesn't seem like a function, is there a way to replicate it?


Does this work on iPads?

I've set as follows but cannot remove it:


FutureFacinLuke
Forum|alt.badge.img+8
  • Valued Contributor
  • 119 replies
  • February 28, 2025
FutureFacinLuke wrote:

Does this work on iPads?

I've set as follows but cannot remove it:


Inspecting the payload in iMazing I can see conflicting flags in General:

in Profile Removal:

It looks like Jamf is not setting the Removal Flag correctly.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings