Manually Remove MDM Profile and Re-Enroll

Summary

In the event that you get the error update to MDM profile contains a different server URL when attempting to renew an MDM profile using sudo profiles renew -type enrollment, you can manually remove the profile after disabling SIP in recovery and removing the directory holding the profiles.

Please note: You will need the help of the Izzy team to remote in and provide credentials to rebind to JAMF/MDM, as well as link it back to Izzy once renewed.

Caution: This is not a fully supported option and is somewhat of a last-ditch/at-your-own-risk process. It should only be used if rebuilding is not possible. It can cause data loss, so be sure to complete a backup of the machine before attempting.

Source

• remove-a-non-removable-mdm-profile-from-macos-without-a-complete-wipe
• Jamf Nation Community Thread

Process

Removing the MDM Profile

1. Just to be safe, make a backup of the device using IzzyStor
2. Boot the Mac into Recovery Mode (hold down command+R during startup)
3. Enter credentials to unlock the disk
4. Go to the Utilities menu and open Terminal and type: csrutil disable
   • This will disable SIP (System Integrity Protection).
5. Reboot into the OS
6. Open the integrated terminal and type the following:

   cd /var/db/ConfigurationProfiles
   rm -rf *
   mkdir Settings
   touch Settings/.profilesAreInstalled

7. Reboot and enter recovery again by holding command+R
8. Go to the Utilities menu and open Terminal and type: csrutil enable
   • This will re-enable SIP
9. Reboot into the OS and check the profiles in System Settings – there should be none

Re-Enrolling

1. Open terminal under the UM-Support account
2. Run the command sudo jamf enroll -prompt
3. Connect with an Izzy team member who can enter credentials to re-enroll the device over bomgar or Remote Desktop
4. Once enrolled, run the following: sudo profiles renew -type enrollment
5. At this point some profiles will begin to load, but not all – the Izzy team member will need to re-link the device with Izzy
6. You may also need to run the following two commands:

   sudo jamf recon
   sudo jamf policy

7. At this point you should let the computer sit for 5-10 minutes before checking for software updates in Managed Software Center