Posted on 11-06-2019 08:43 AM
I am trying to figure out a way I can use the profile command to remove a user profile that was installed by JAMF. The profile is used to add an AD-generated user cert to connect systems to our WiFi. For various reasons this cert breaks or gets removed.
I was hoping to build something in Self Service a user can use to remove the profile and re-add it, forcing a new user cert to be generated. But I'm having zero luck; I get a profile not found error using
sudo profiles -R -p "profiles ID"
Error:
profiles remove for identifier:'Profile ID' and user:'Username' returned -205 (Unable to locate configuration profile.)
Posted on 11-06-2019 08:55 AM
Is the profile a User Level profile or Computer Level? I'm assuming it's user level from your description, which may explain the problem you're experiencing.
Posted on 11-06-2019 09:29 AM
That is because Self Service is running elevated as root. I believe if you search the forum for 'Outset' you'll find examples of scripts that run as the local user.
Posted on 11-06-2019 11:06 AM
To run a command as the logged in user I do this:
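#!/bin/bash
# Find the user logged in at the console (empty if only the login window is up).
username=$( scutil <<< "show State:/Users/ConsoleUser" | awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
[ -n "$username" ] || { echo "No console user logged in" >&2; exit 1; }
loggedInUID=$(id -u "$username")
# Run the command inside that user's launchd session, as that user.
/bin/launchctl asuser "$loggedInUID" sudo -iu "$username" commandsyouwanttorunhere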
Posted on 11-08-2019 06:34 AM
Thanks all, I will take a look and see if that helps.
Posted on 11-08-2019 06:42 AM
@strayer using your code and "profiles -R -p 53B24E0A-3032-4230-8499-DC272E985007" I now get a Script result: profiles remove for identifier:'53B24E0A-3032-4230-8499-DC272E985007' and user:'matt_ellis' returned 101 (Profile is not removable.)
Posted on 11-08-2019 07:07 AM
@Matt.Ellis How was the profile originally installed? Was it via Jamf/MDM, or manually? If it was installed by Jamf, then it may have been set to non-removable by the user, which means only Jamf can remove it. From the new error message you're seeing, it looks like that may be the case.
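The two failures reported so far in this thread (-205 when the removal ran as root, 101 once it ran as the user) can be told apart in a Self Service script. The following is an added example, not code from any poster or from Jamf; the function names are hypothetical, and it assumes a successful removal exits 0 without a "returned <code>" line.

```shell
#!/bin/bash
# Added example: function names are hypothetical, not part of Jamf or macOS.

# Pull the numeric status out of a `profiles` result line, e.g.
#   profiles remove for identifier:'X' and user:'Y' returned -205 (Unable to ...)
profiles_status() {
    printf '%s\n' "$1" | sed -n 's/.* returned \(-\{0,1\}[0-9][0-9]*\) (.*/\1/p'
}

# Map the two statuses seen in this thread to their likely cause.
explain_status() {
    case "$1" in
        -205) echo "not-found: no such profile in the scope the command ran in; run it as the console user, not root" ;;
        101)  echo "not-removable: profile is locked; remove it through Jamf (unscope it or offer removal in Self Service)" ;;
        "")   echo "no-status: no profiles result found in the output" ;;
        *)    echo "unhandled: status $1" ;;
    esac
}

# macOS only, run as root (e.g. from a Jamf policy): remove a user-level
# profile in the console user's session and report why it failed, if it did.
remove_user_profile() {
    local id="$1" user uid out rc status
    user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && !/loginwindow/ { print $3 }')
    [ -n "$user" ] || { echo "no console user logged in" >&2; return 2; }
    uid=$(id -u "$user") || return 2
    out=$(/bin/launchctl asuser "$uid" sudo -u "$user" /usr/bin/profiles -R -p "$id" 2>&1) && rc=0 || rc=$?
    status=$(profiles_status "$out")
    # Assumption: success is a zero exit code with no "returned <code>" line.
    if [ "$rc" -eq 0 ] && [ -z "$status" ]; then return 0; fi
    explain_status "$status" >&2
    return 1
}

# Result lines quoted in this thread, used as sample input.
for line in \
    "profiles remove for identifier:'Profile ID' and user:'Username' returned -205 (Unable to locate configuration profile.)" \
    "profiles remove for identifier:'53B24E0A-3032-4230-8499-DC272E985007' and user:'matt_ellis' returned 101 (Profile is not removable.)"
do
    explain_status "$(profiles_status "$line")"
done
```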
Posted on 11-08-2019 07:10 AM
@mm2270 Yes, it was installed via JAMF. It's set to install automatically. Is there a way to flag it as removable?
Posted on 11-08-2019 07:34 AM
@Matt.Ellis As far as I know, you can't alter that setting after the fact, but I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back into the Config Profile itself and change it to "Make available in Self Service", there is a drop-down that lets you choose if it can be uninstalled from Self Service as well.
Set that to Yes, then when saving, choose one of the options given. In the test I just ran, I chose "Make available in Self Service".
This profile was scoped and installed to my Mac (only), and sure enough, when I went back into Self Service, it showed up there with a "Remove" button, and I was able to uninstall it. Keep in mind that because I changed the profile to install via Self Service, it will not auto deploy again to my Mac, and the profile remains in Self Service after removing it, but the button changes to "Install". I don't know if that's what you had in mind, but if that's acceptable, then that is probably the best approach to allowing users to remove this profile.
Posted on 11-08-2019 07:44 AM
@mm2270 I owe you a beer! This is 95% of what I'm looking for!
Posted on 06-21-2020 07:48 PM
As far as I know, you can't alter that setting after the fact, but I think there's an easy fix here. Profiles can be both installed and removed using Self Service. Even if a profile was pushed automatically and silently to a Mac, if you go back into the Config Profile itself and change it to "Make available in Self Service", there is a drop-down that lets you choose if it can be uninstalled from Self Service as well.
I need the same thing but for an iPad. Setting a profile to be removable for a Mobile Device config profile doesn't seem like a function. Is there a way to replicate it?