Manually Remove MDM Profile and Re-Enroll

Tags macos izzy

Summary

In the event that you get the error update to MDM profile contains a different server URL when attempting to renew an MDM profile using sudo profiles renew -type enrollment, you can manually remove the profile after disabling SIP in recovery and removing the directory holding the profiles.

Please note: You will need the help of the Izzy team to remote in and provide credentials to rebind to JAMF/MDM, as well as link it back to Izzy once renewed.

Caution: This is not a fully supported option and is somewhat of a last-ditch/at-your-own-risk process. It should only be used if rebuilding is not possible. It can cause data loss, so be sure to complete a backup of the machine before attempting.

Source

Process

Removing the MDM Profile

  1. Just to be safe, make a backup of the device using IzzyStor
  2. Boot the Mac into Recovery Mode (hold down command+R during startup)
  3. Enter credentials to unlock the disk
  4. Go to the Utilities menu and open Terminal and type: csrutil disable
    • This will disable SIP (System Integrity Protection).
  5. Reboot into the OS
  6. Open the integrated terminal and type the following: 
    cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
  7. Reboot and enter recovery again by holding command+R
  8. Go to the Utilities menu and open Terminal and type: csrutil enable
    • This will re-enable SIP
  9. Reboot into the OS and check the profiles in System Settings – there should be none

Re-Enrolling

  1. Open terminal under the UM-Support account
  2. Run the command sudo jamf enroll -prompt
  3. Connect with an Izzy team member who can enter credentials to re-enroll the device over bomgar or Remote Desktop
  4. Once enrolled, run the following: sudo profiles renew -type enrollment
  5. At this point some profiles will begin to load, but not all – the Izzy team member will need to re-link the device with Izzy
  6. You may also need to run the following two commands: 
    sudo jamf recon
sudo jamf policy
  7. At this point you should let the computer sit for 5-10 minutes before checking for software updates in Managed Software Center

Details

Article ID: 11277
Created
Fri 12/1/23 10:50 AM
Modified
Fri 3/8/24 12:17 PM