-
-
Save JZFeng/18068115143acee153a91a3e6c5b244c to your computer and use it in GitHub Desktop.
Removing a Non-Removable MDM Profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| # Elevate permissions, if needed | |
| if [ $USER != 'root' ]; then | |
| sudo $0 | |
| exit 0 | |
| fi | |
| # Reboot to Recovery | |
| /usr/sbin/nvram "recovery-boot-mode=unused" | |
| reboot |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| autoload colors; colors; | |
| # Elevate permissions, if needed | |
| if [ $USER != 'root' ]; then | |
| sudo $0 | |
| exit 0 | |
| fi | |
| # Ensure SIP is disabled | |
| if [ $(/usr/bin/csrutil status | awk '{print $NF}') != 'disabled.' ]; then | |
| print -P "%F{red}\nSIP is still enabled. Please reboot to Recovery and disable SIP%f\n" | |
| exit 2 | |
| fi | |
| # Remove all configuration profiles | |
| /bin/rm -rf /var/db/ConfigurationProfiles/Store/* | |
| # Enable SIP and reboot | |
| /usr/bin/csrutil clear | |
| reboot |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/zsh | |
| autoload colors; colors; | |
| # Elevate permissions, if needed | |
| if [ $USER != 'root' ]; then | |
| sudo $0 | |
| exit 0 | |
| fi | |
| # Ensure SIP is enabled | |
| if [ $(/usr/bin/csrutil status | awk '{print $NF}') != 'enabled.' ]; then | |
| print -P "%F{red}\n SIP is still disabled. Please reboot to Recovery and enable SIP.%f\n" | |
| exit 2 | |
| fi | |
| # Enroll device | |
| /usr/bin/profiles renew -type=enrollment |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| These steps are only recommended as a last resort before performing a nuke and pave. Normally we would send an Unmanage command from Jamf Pro to the computer. These steps are intended for use when that process fails. | |
| From a high level, the process requires rebooting to Recovery to disable System Integrity Protection (SIP), removing normally-locked files, enabling SIP, and re-enrolling into Jamf Pro. These steps require administrative rights. If the current user is not an administrator, login as a local admin before attempting. | |
| There are several restarts during this process. Please save and close all work. | |
| 1) Run 1-Reboot to Recovery.command. (Note: You may be prompted for a password. If so, use the local account password.) | |
| 2) Wait for the computer to restart into Recovery. | |
| 3) Open the Utilities menu from the menu bar and select Terminal. | |
| 4) Enter csrutil disable && reboot into the terminal window and press return | |
| 5) Wait for the computer to restart normally and login. | |
| 6) Run 2-Remove MDM Profile.command. (Note: You may be prompted for a password. If so, use the local account password.) | |
| 7) Wait for the computer to restart normally and login. | |
| 8) Run 3-Re-enroll Device.command. (Note: You may be prompted for a password. If so, use the local account password.) | |
| 9) Click on the alert titled Device Enrollment in the upper right corner of the screen. | |
| 10) When prompted if you would like to Allow Device Enrollment, select Allow. | |
| 11) The 3 files used above can be deleted at this time. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment