Using self-service to remove a user profile

Matt_Ellis
Contributor II

I am trying to figure out a way I can use the profiles command to remove a user profile that was installed by JAMF. The profile is used to add an AD-generated user cert to connect systems to our WiFi. For various reasons this cert breaks or gets removed.

I was hoping to build something in Self Service that users can use to remove the profile and re-add it, forcing a new user cert to be generated. But I'm having zero luck; I get a profile not found error using

sudo profiles -R -p "profiles ID"

Error:
profiles remove for identifier:'Profile ID' and user:'Username' returned -205 (Unable to locate configuration profile.)

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

@Matt.Ellis As far as I know, you can't alter that setting after the fact, but I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back into the Config Profile itself and change it to "Make available in Self Service", there is a drop down that lets you choose if it can be uninstalled from Self Service as well.

Set that to Yes, then when saving, choose one of the options given. In the test I just ran, I chose "Make available in Self Service".

This profile was scoped and installed to my Mac (only), and sure enough, when I went back into Self Service, it showed up there with a "Remove" button, and I was able to uninstall it. Keep in mind that because I changed the profile to install via Self Service, it will not auto deploy again to my Mac, and the profile remains in Self Service after removing it, but the button changes to "Install". I don't know if that's what you had in mind, but if that's acceptable, then that is probably the best approach to allowing users to remove this profile.

10 REPLIES

mm2270
Legendary Contributor III

Is the profile a User Level profile or Computer Level? I'm assuming it's user level from your description, which may explain the problem you're experiencing.

cdenesha
Valued Contributor II

That is because Self Service is running elevated as root. I believe if you search the forum for 'Outset' you'll find examples of scripts that run as the local user.

AdamCraig
Contributor III

To run a command as the logged in user I do this:

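#!/bin/bash
# bash rather than sh: the <<< here-string below is not POSIX sh
# Find the user logged in at the console (skips the loginwindow pseudo-user)
username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
loggedInUID=$(id -u "$username")

# Run the command inside that user's launchd session, as that user
/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" commandsyouwanttorunhere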

Matt_Ellis
Contributor II

Thanks all, I will take a look and see if that helps.

Matt_Ellis
Contributor II

@strayer using your code and "profiles -R -p 53B24E0A-3032-4230-8499-DC272E985007" I now get a Script result: profiles remove for identifier:'53B24E0A-3032-4230-8499-DC272E985007' and user:'matt_ellis' returned 101 (Profile is not removable.)

mm2270
Legendary Contributor III

@Matt.Ellis How was the profile originally installed? Was it via Jamf/MDM, or manually? If it was installed by Jamf, then it may have been set to non-removable by the user, which means only Jamf can remove it. From the new error message you're seeing, it looks like that may be the case.
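
Added example, not part of any post in this thread: a Self Service script sketch that runs the `profiles -R -p` removal as the console user and tells apart the two errors quoted above (-205 and 101). The function names, the use of Jamf script parameter `$4` for the profile identifier, and treating output without a "returned" code as success are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread). Jamf Pro passes custom script parameters
# starting at $4; using $4 for the profile identifier is an assumption.

# Map the text printed by `profiles` to a cause, using the two errors quoted in the thread.
classify_profiles_error() {
    case "$1" in
        *"returned -205 "*) echo "not-found" ;;      # wrong user context or wrong identifier
        *"returned 101 "*)  echo "not-removable" ;;  # installed by MDM as non-removable
        *"returned "*)      echo "other-error" ;;
        *)                  echo "ok" ;;             # assumption: no error code means success
    esac
}

# Accept only a plausible short name of a real console user, so the value
# handed to sudo/launchctl by a root-run script is never empty or a system account.
valid_console_user() {
    case "$1" in
        ""|root|loginwindow|_*) return 1 ;;
        *[!A-Za-z0-9._-]*)      return 1 ;;
    esac
    return 0
}

console_user() {
    echo "show State:/Users/ConsoleUser" | scutil |
        awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { print $2 }'
}

remove_user_profile() {
    user=$(console_user)
    valid_console_user "$user" || { echo "No usable console user" >&2; return 1; }
    uid=$(id -u "$user") || return 1
    # Self Service runs scripts as root; drop into the user's session first.
    out=$(/bin/launchctl asuser "$uid" sudo -u "$user" /usr/bin/profiles -R -p "$1" 2>&1)
    case "$(classify_profiles_error "$out")" in
        ok)            echo "Removed $1 for $user" ;;
        not-found)     echo "Not found for $user: check identifier and profile level" >&2; return 2 ;;
        not-removable) echo "MDM-installed and non-removable: remove it from Jamf" >&2; return 3 ;;
        *)             echo "$out" >&2; return 4 ;;
    esac
}

# Only act when Jamf supplied a profile identifier as parameter 4.
if [ -n "${4:-}" ]; then remove_user_profile "$4"; fi
```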

Matt_Ellis
Contributor II

@mm2270 Yes, it was installed via JAMF. It's set to install automatically. Is there a way to flag it as removable?

mm2270
Legendary Contributor III

@Matt.Ellis As far as I know, you can't alter that setting after the fact, but I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back into the Config Profile itself and change it to "Make available in Self Service", there is a drop down that lets you choose if it can be uninstalled from Self Service as well.

Set that to Yes, then when saving, choose one of the options given. In the test I just ran, I chose "Make available in Self Service".

This profile was scoped and installed to my Mac (only), and sure enough, when I went back into Self Service, it showed up there with a "Remove" button, and I was able to uninstall it. Keep in mind that because I changed the profile to install via Self Service, it will not auto deploy again to my Mac, and the profile remains in Self Service after removing it, but the button changes to "Install". I don't know if that's what you had in mind, but if that's acceptable, then that is probably the best approach to allowing users to remove this profile.

Matt_Ellis
Contributor II

@mm2270 I owe you a beer! This is 95% of what I'm looking for!

Anthony_Moss
New Contributor
As far as I know, you can't alter that setting after the fact, but I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back into the Config Profile itself and change it to "Make available in Self Service", there is a drop down that lets you choose if it can be uninstalled from Self Service as well.

I need the same thing but for an iPad. Setting a profile to be removable for a Mobile Device config profile doesn't seem like a function; is there a way to replicate it?