@MScottBlake
Last active October 26, 2023 15:20
Removing a Non-Removable MDM Profile
1-Reboot to Recovery.command:

```zsh
#!/bin/zsh
# Elevate permissions, if needed (re-run this script under sudo)
if [ "$USER" != 'root' ]; then
    sudo "$0"
    exit 0
fi

# Reboot to Recovery
/usr/sbin/nvram "recovery-boot-mode=unused"
reboot
```
2-Remove MDM Profile.command:

```zsh
#!/bin/zsh
autoload colors; colors;

# Elevate permissions, if needed (re-run this script under sudo)
if [ "$USER" != 'root' ]; then
    sudo "$0"
    exit 0
fi

# Ensure SIP is disabled (read only the first line of csrutil output; newer
# macOS versions can append extra configuration lines)
if [ "$(/usr/bin/csrutil status | head -n 1 | awk '{print $NF}')" != 'disabled.' ]; then
    print -P "%F{red}\nSIP is still enabled. Please reboot to Recovery and disable SIP.%f\n"
    exit 2
fi

# Remove all configuration profiles
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

# Enable SIP and reboot
/usr/bin/csrutil clear
reboot
```
3-Re-enroll Device.command:

```zsh
#!/bin/zsh
autoload colors; colors;

# Elevate permissions, if needed (re-run this script under sudo)
if [ "$USER" != 'root' ]; then
    sudo "$0"
    exit 0
fi

# Ensure SIP is enabled (read only the first line of csrutil output)
if [ "$(/usr/bin/csrutil status | head -n 1 | awk '{print $NF}')" != 'enabled.' ]; then
    print -P "%F{red}\nSIP is still disabled. Please reboot to Recovery and enable SIP.%f\n"
    exit 2
fi

# Enroll device
/usr/bin/profiles renew -type=enrollment
```
These steps are recommended only as a last resort before performing a nuke and pave. Normally we would send an Unmanage command from Jamf Pro to the computer; these steps are intended for use when that process fails.

At a high level, the process requires rebooting to Recovery to disable System Integrity Protection (SIP), removing the normally locked profile store files, re-enabling SIP, and re-enrolling in Jamf Pro. These steps require administrative rights. If the current user is not an administrator, log in as a local admin before attempting them.

There are several restarts during this process. Please save and close all work first.
1) Run `1-Reboot to Recovery.command`. (Note: You may be prompted for a password. If so, use the local account password.)
2) Wait for the computer to restart into Recovery.
3) Open the Utilities menu from the menu bar and select Terminal.
4) Enter `csrutil disable && reboot` in the Terminal window and press Return.
5) Wait for the computer to restart normally and log in.
6) Run `2-Remove MDM Profile.command`. (Note: You may be prompted for a password. If so, use the local account password.)
7) Wait for the computer to restart normally and log in.
8) Run `3-Re-enroll Device.command`. (Note: You may be prompted for a password. If so, use the local account password.)
9) Click on the alert titled Device Enrollment in the upper right corner of the screen.
10) When prompted whether you would like to Allow Device Enrollment, select Allow.
11) The three files used above can be deleted at this time.
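A post-procedure check, added here as an example and not part of the gist: it confirms the end state the steps above aim for (SIP enabled again, device reporting MDM enrollment) by parsing `csrutil status` and `profiles status -type enrollment`. The parsers take the command output as a string so they can be exercised with the constructed samples embedded below; the sample formats are an assumption, not captures from a real device.

```sh
#!/bin/sh
# Added example (not from the gist): verify SIP is on and MDM enrollment is
# reported before considering the re-enrollment finished.

# Map `csrutil status` output to enabled|disabled|unknown. Only the summary
# line is read; newer macOS versions append extra configuration lines.
sip_state() {
  printf '%s\n' "$1" | awk '
    /^System Integrity Protection status:/ {
      s = $5; sub(/\.$/, "", s); print s; found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# Map `profiles status -type enrollment` output to yes|no for MDM enrollment.
mdm_enrolled() {
  printf '%s\n' "$1" | awk '
    /^MDM enrollment:/ {
      if ($3 == "Yes") { print "yes" } else { print "no" }
      found = 1; exit
    }
    END { if (!found) print "no" }'
}

# Succeeds only when SIP is enabled and the device reports MDM enrollment.
device_ready() {
  [ "$(sip_state "$1")" = "enabled" ] && [ "$(mdm_enrolled "$2")" = "yes" ]
}

# Constructed sample outputs (assumed format, not captured from a real Mac).
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled'
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# Pass --live on a Mac to check the real device instead of the samples.
if [ "${1:-}" = "--live" ]; then
  if device_ready "$(/usr/bin/csrutil status)" "$(/usr/bin/profiles status -type enrollment)"; then
    echo "OK: SIP enabled and MDM enrollment reported as Yes"
  else
    echo "NOT READY: SIP disabled or device not enrolled"
  fi
fi
```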
@yusupjan-abdulla

If we allow when we run Enroll-device.command, does it re-enrol in MDM again?

@TobynP

TobynP commented Aug 8, 2023

How would you delete a specific unremovable MDM profile rather than all of them?

@MScottBlake
Author

> If we allow when we run Enroll-device.command, does it re-enrol in MDM again?

Yes. This command will begin the Automated Device Enrollment process.

@MScottBlake
Author

> How would you delete a specific unremovable MDM profile rather than all of them?

You would use an MDM server to remove that profile. This workflow is designed for devices that are no longer communicating with an MDM server where that is not an option. The idea here is to delete them all and then re-enroll into an MDM to fix that communication breakdown.

@TobynP

TobynP commented Aug 8, 2023

Let's assume I don't have access to an MDM server and I won't use the re-enroll step, I only want to remove a specific MDM on my device, what should I do then?

@MScottBlake
Author

> Let's assume I don't have access to an MDM server and I won't use the re-enroll step, I only want to remove a specific MDM on my device, what should I do then?

I will not help you break the security of someone else's device.

@TobynP

TobynP commented Aug 9, 2023

That's an exciting assumption. My school locks down the Wi-Fi via an MDM on each student's laptop. I am simply trying to remove the Fortigate MDM from mine without removing any of the important MDMs.
