{"id":564,"date":"2020-11-13T20:27:15","date_gmt":"2020-11-13T19:27:15","guid":{"rendered":"https:\/\/expanic.at\/wordpress\/2020\/11\/13\/mdm\/"},"modified":"2020-11-14T21:24:09","modified_gmt":"2020-11-14T20:24:09","slug":"mdm","status":"publish","type":"post","link":"https:\/\/expanic.at\/wordpress\/2020\/11\/13\/mdm\/","title":{"rendered":"MDM"},"content":{"rendered":"\n<p>1. Boot the Mac into Recovery Mode (hold down command-r during startup)<\/p>\n\n\n\n<p>2. Go to the Utilities menu and open Terminal and type:<\/p>\n\n\n\n<p>cd \/Volumes<br>ls<\/p>\n\n\n\n<p>In the result, you should see the hard drive name of your Mac (usually, \u201cMacintosh HD\u201d.) Whatever the case, type<\/p>\n\n\n\n<p>cd Macintosh\\ HD<\/p>\n\n\n\n<p>(Or whatever yours is called.) Note the backslash to escape the space in the name. Then type<\/p>\n\n\n\n<p>cd var\/db\/ConfigurationProfiles<\/p>\n\n\n\n<p>Then, type&nbsp;<\/p>\n\n\n\n<p>pwd<\/p>\n\n\n\n<p>(pwd = Print Working Directory \u2014 verify where you are in the directory structure.) The result should say<\/p>\n\n\n\n<p>\/Volumes\/Macintosh HD\/var\/db\/ConfigurationProfiles<\/p>\n\n\n\n<p>Again, substitute your hard drive name if it\u2019s not \u201cMacintosh HD.\u201d If you are not ABSOLUTELY CERTAIN that you\u2019re in this directory, do NOT PROCEED or you will lose data.<\/p>\n\n\n\n<p>If you ARE in that directory, CAREFULLY type:<\/p>\n\n\n\n<p>rm -rf *<br>mkdir Settings<br>touch Settings\/.profilesAreInstalled<\/p>\n\n\n\n<p>3. Reboot.&nbsp;<\/p>\n\n\n\n<p>You will have to manually enroll the Mac to your new MDM, i.e. it won\u2019t automatically self-enroll, but at least you don\u2019t have to erase it and start from scratch. <\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To easily remove <strong>ALL<\/strong> profiles from a managed Mac, do the following:<br>1. 
Turn off System Integrity Protection.<br>Shut down the computer.<br>Boot up the computer while holding (command + R)<br>Press \u2018Utilities\u2019.<br>Type (csrutil disable)<br>Restart<br>2. Give Terminal root file access.<br>Open \u2018Privacy and Security\u2019 in \u2018System Preferences\u2019.<br>Press \u2018Privacy\u2019<br>Press \u2018Complete Disk Access\u2019<br>Unlock with the lock button at the bottom left<br>Add Terminal.<br>3. Terminal Commands<br>Type: \u2018sudo jamf -removeFramework\u2019 into terminal, press enter.<br>Type: \u2018sudo -i\u2019 into terminal, press enter and enter your password, press enter.<br>Type: \u2018cd \/var\/db\/\u2019 into terminal, press enter.<br>Type: \u2018mv ConfigurationProfiles ConfigurationProfilesOLD\u2019 into terminal, press enter.<br>Type: \u2018logout\u2019 into terminal, press enter.<br>4. Final steps.<br>Restart computer.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>sudo \/usr\/bin\/profiles -D -f<br>To delete all profiles on the Mac without getting a prompt of &#171;are you sure?&#187; (forced)<\/p>\n\n\n\n<p>Non-removable&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Mobile_device_management\">MDM<\/a>&nbsp;is a feature of Apple\u2019s&nbsp;<a href=\"https:\/\/www.apple.com\/business\/dep\/\">Device Enrollment Program<\/a>&nbsp;(DEP) that locks in the MDM profile to the device, controlled by the&nbsp;<code class=\"language-plaintext highlighter-rouge\">is_mdm_removable<\/code>&nbsp;key in the enrollment profile. This is a great feature, especially if any users in your environment have admin permissions for their machines and you want to make expressly sure that they can\u2019t remove the MDM profile &#8211; in an enterprise environment, the ability to restrict as much as possible is key to keeping your devices compliant and working. 
With this key set to&nbsp;<code class=\"language-plaintext highlighter-rouge\">false<\/code>, a user is unable to remove the MDM profile from the Profiles pane in System Preferences or with any terminal command and, with&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Integrity_Protection\">System Integrity Protection<\/a>&nbsp;(SIP) in High Sierra protecting the&nbsp;<code class=\"language-plaintext highlighter-rouge\">\/var\/db\/ConfigurationProfiles<\/code>&nbsp;folder, it now can\u2019t be touched at all. This is great!<\/p>\n\n\n\n<p>This is also not great, because computers are not perfect, MDM is not perfect, DEP is not perfect, and user migrations are a thing.<\/p>\n\n\n\n<p>This MDM profile cannot be touched at all. It cannot be removed or altered, but it also cannot be replaced or overwritten. This means that all mechanisms for re-enrollment or re-application of the MDM profile will fail. Everything from&nbsp;<code class=\"language-plaintext highlighter-rouge\">sudo jamf mdm<\/code>&nbsp;in&nbsp;<a href=\"https:\/\/www.jamf.com\/\">Jamf<\/a> shops to&nbsp;<code class=\"language-plaintext highlighter-rouge\">sudo profiles renew -type enrollment<\/code>&nbsp;(<code class=\"language-plaintext highlighter-rouge\">sudo profiles -N<\/code>&nbsp;on regular Sierra) will return with a message like the one in the image above informing you that your current MDM profile exists and can\u2019t be replaced. So how do you re-apply MDM? If you need to change the MDM enabled user (i.e. after using Migration Assistant or Time Machine to restore a user to the machine) or something has just timed out and your user just isn\u2019t downloading that configuration profile or VPP app? If you can\u2019t send any commands from your MDM server (including the one to remove the profile in the first place) since your MDM is broken?<\/p>\n\n\n\n<p>Well, in macOS Sierra, you remove that ConfigurationProfiles folder. 
Good old&nbsp;<code class=\"language-plaintext highlighter-rouge\">rm -rf \/var\/db\/ConfigurationProfiles<\/code>. Reboot for safety, re-enroll with your DEP nag command of choice or whatever other mechanism you use to enroll devices. But in High Sierra, this folder is protected by SIP.<\/p>\n\n\n\n<p>\u201cI know how to disable SIP, though, why can\u2019t I just do that?\u201d You can. You should definitely not remove the whole folder (removing the whole folder breaks the ability to have configuration profiles on the machine forever), but if you disable SIP, you can&nbsp;<code class=\"language-plaintext highlighter-rouge\">rm -rf \/var\/db\/ConfigurationProfiles\/Store\/<\/code> and re-enroll with your&nbsp;<code class=\"language-plaintext highlighter-rouge\">profiles<\/code>&nbsp;command while SIP is still disabled, and then turn SIP back on. This comes with a whole bucket of risks, though, some of which I\u2019m not sure we\u2019re willing to take. The machine needs to be able to connect to the internet in order to re-enroll, and I\u2019ve seen and heard stories of things going wrong with SIP disabled even for a few minutes with minimal action taken &#8211; corrupt System keychains and entire System Preferences functions breaking are just two examples I\u2019ve encountered while trying to execute this fix post-Migration Assistant that have led to wiping the entire machine and setting it up fresh for the user anyway.<\/p>\n\n\n\n<p>Disabling SIP is also a function that can only be performed by the user on the machine physically touching it. You can\u2019t remote in and boot to recovery and you can\u2019t send it as a command or a script. If you aren\u2019t physically with the machine, this is definitely a more complicated procedure than just two terminal commands in a live environment (that can even be scripted and cached!), and maybe you don\u2019t want to teach your users how to disable SIP or risk that they won\u2019t turn it back on. 
So how do we solve this in a live environment, running 10.13+, that can\u2019t receive MDM commands on the correct user (or at all)?<\/p>\n\n\n\n<p>There\u2019s no way to deal with this, outside of disabling SIP, except with prevention. You can keep your High Sierra adoption rate low. You can choose to not use VPP-only apps (or distribute repackaged versions instead using a mechanism like Munki). You can choose to not make changes to your configuration profile setup after the initial deployment. But even with avoiding as many MDM features as possible, your enrollment may just stop working at some point and you may need to re-enroll, and if the only solution is disabling SIP and re-enrolling\u2026to me, that\u2019s a hack, not a solution.<\/p>\n\n\n\n<p>There are a couple real solutions to this problem that I can think of off the top of my head. The one that seems most likely to work is for MDM services to figure out how to do everything without an MDM enabled user, so there\u2019s never a need to re-enroll so long as there\u2019s that system level MDM profile there somewhere. The other is for Apple to reconfigure the way non-removable MDM works to allow it to be replaceable using the&nbsp;<code class=\"language-plaintext highlighter-rouge\">profiles renew<\/code>&nbsp;command but not removable or replaceable under any other circumstances. But those are just two ideas. The people at Apple (and at Jamf) are making best-in-class products, so I firmly believe they are smarter and more innovative than me in regards to coming up with ways to fix this issue.<\/p>\n\n\n\n<p>It doesn\u2019t matter how it gets fixed really, so long as I don\u2019t have to live in fear of imperfect systems failing and there being no good way to fix them for another year after 10.14 hits. Someday, Apple will stop supporting El Capitan and Sierra. Someday, you won\u2019t be able to downgrade new machines from High Sierra to Sierra. 
That day, unless this is solved, either we will all have to make our DEP MDM profiles removable and hope the users leave them alone, or resign ourselves to wiping machines or taking a chance on disabling SIP every time MDM breaks. I\u2019ve got my fingers crossed.<\/p>\n\n\n\n<p>Radar #40520642 from me specifically focuses on the fact that there is no recourse to enable MDM for a newly migrated-with-Migration-Assistant user with DEP non-removable MDM on the receiving machine. In addition to Twitter, I\u2019m also @crystallized on the&nbsp;<a href=\"https:\/\/macadmins.herokuapp.com\/\">MacAdmins Slack<\/a>, so feel free to pop by with questions!<\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"post-excerpt\">1. Boot the Mac into Recovery Mode (hold down command-r during startup) 2. Go to the Utilities menu and open&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[16,40],"tags":[],"class_list":["post-564","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-mobile-device-management"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/posts\/564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/comments?post=564"}],"version-history":[{"count":4,"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/posts\/564\/revisions"}],"predecessor-version":[{"id":569,"href":"https:\/\/expanic.at\/wordpress\/wp-
json\/wp\/v2\/posts\/564\/revisions\/569"}],"wp:attachment":[{"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/media?parent=564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/categories?post=564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/expanic.at\/wordpress\/wp-json\/wp\/v2\/tags?post=564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}