Manually Remove MDM Profile and Re-Enroll

In the event that you get the error update to MDM profile contains a different server URL when attempting to renew an MDM profile using sudo profiles renew -type enrollment, you can manually remove the profile after disabling SIP in recovery and removing the directory holding the profiles.

Please note: You will need the help of the Izzy team to remote in and provide credentials to rebind to JAMF/MDM, as well as link it back to Izzy once renewed.

Caution: This is not a fully supported option and is somewhat of a last-ditch/at-your-own-risk process. It should only be used if rebuilding is not possible. It can cause data loss, so be sure to complete a backup of the machine before attempting.

Source

• remove-a-non-removable-mdm-profile-from-macos-without-a-complete-wipe
• Jamf Nation Community Thread

Process

Removing the MDM Profile

1. Just to be safe, make a backup of the device using IzzyStor
2. Boot the Mac into Recovery Mode (hold down command+R during startup)
3. Enter credentials to unlock the disk
4. Go to the Utilities menu and open Terminal and type: csrutil disable
   • This will disable SIP (System Integrity Protection).
5. Reboot into the OS
6. Open the integrated terminal and type the following:

   cd /var/db/ConfigurationProfiles
   rm -rf *
   mkdir Settings
   touch Settings/.profilesAreInstalled

7. Reboot and enter recovery again by holding command+R
8. Go to the Utilities menu and open Terminal and type: csrutil enable
   • This will re-enable SIP
9. Reboot into the OS and check the profiles in System Settings – there should be none

Re-Enrolling

1. Open terminal under the UM-Support account
2. Run the command sudo jamf enroll -prompt
3. Connect with an Izzy team member who can enter credentials to re-enroll the device over bomgar or Remote Desktop
4. Once enrolled, run the following: sudo profiles renew -type enrollment
5. At this point some profiles will begin to load, but not all – the Izzy team member will need to re-link the device with Izzy
6. You may also need to run the following two commands:

   sudo jamf recon
   sudo jamf policy

7. At this point you should let the computer sit for 5-10 minutes before checking for software updates in Managed Software Center444

Non-removable MDM profiles cannot officially removed without doing a full system wipe. This is a problem when you restore a system from Time Machine after you enrolled it into the MDM, as the MDM will break, leaving you unable to re-enroll the machine.

Here's how to remove a non-removable MDM profile

1. Boot the Mac into Recovery Mode (hold down command+R during startup).
2. Go to the Utilities menu and open Terminal and type: csrutil disable. This will disable SIP (System Integrity Protection).
3. Reboot into the OS.
4. Open the integrated terminal and type:

cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled

5. Reboot.
6. Boot the Mac into Recovery Mode (hold down command+R during startup).
7. Go to the Utilities menu and open Terminal and type: csrutil enable. This will re-enable SIP.
8. Reboot into the OS.

The profile will be now removed and you will be able to re-enroll the Mac to your MDM.