Nine41 Consulting | Force the Removal of a Specific macOS Configuration Profile
apple, device management, dep, vpp, systems management, landesk, ivanti, lanrev, absolute, heat, mdm,
1617
post-template-default,single,single-post,postid-1617,single-format-standard,qode-quick-links-1.0,ajax_fade,page_not_loaded,,columns-3,qode-child-theme-ver-1.0.0,qode-theme-ver-11.0,qode-theme-bridge,wpb-js-composer js-comp-ver-5.1.1,vc_responsive
 

Force the Removal of a Specific macOS Configuration Profile

Force the Removal of a Specific macOS Configuration Profile

We’ve all done it.  We installed something without fully vetting it out and now we need to get it off – of all of our machines.  Whoops!

The other day, I received a question from a customer asking how he could remove a configuration profile from all of his machines at once – without having to log in to each machine.

Apple actually makes such a task quite easy as viewing, installing and removing a profile from a Mac is inherently built into the operating system itself.  Therefore, with a short script we can detect whether the profile is installed and then remove it if it is.

To manually check the status of a machine’s profiles, you can run, inside of Terminal, the following command.

View All Profiles

sudo /usr/bin/profiles -P

So doing should give you a report out of both the machine and user based profiles installed.

profiles -P.png

In the screenshot above, all 3 profiles are computer based profiles.  If I wanted to remove all of the profiles listed above, all I need to do is use the ‘profiles -D’ command and call the respective profileIdentifier.

Remove All Profiles

sudo /usr/bin/profiles -D

However, removing all profiles is probably a bit forceful, often a little precision can help us in the long run.  In our example above, we may choose to only remove one of the profiles instead of all of them.  To do this, we just need to specify that we’re removing a profile and what the profile identifier name is.

Remove a Single Profile

sudo /usr/bin/profiles -R -p com.landesk.profile

-R is the command to remove the profile and -p specifies we’re removing it by the identifier name.  There are actually quite a few other options available as well, so check out the man page for more info.  For example, you may need to add in the password to remove so the user doesn’t get prompted.  This switch is -z.

Automation

Now, let’s use LANDESK Management Suite to create a custom patch definition that will detect the machines that have a given profile and remove it if you choose to repair it. You can download the custom definition I built on my GitHub site here or build it yourself using the scripts below.

Custom Patch Detection Logic

Just change the variable profileIdentifier to match your desired profile identifier.

#!/bin/sh

# singleConfigurationProfileDetection.sh
# Created by Bennett Norton on 2/6/17.
# Detects the whether a specific profile exists on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal

profileIdentifier="com.landesk.profile"

#  create an output variable with the the potential profile from the machine
#  grep filters all of the results to only show that which matches our desired configuration profile
#  awk allows us to pull just the data we're looking for from the command line

discoveredProfileIdentifier=( $( sudo /usr/bin/profiles -P | grep "$profileIdentifier" | awk '{print $4}') )


if [[ $profileIdentifier != $discoveredProfileIdentifier ]] ; then
 echo "Found: Configuration profile $profileIdentifier was not found on the machine."
 echo "Reason: $profileIdentifier not intalled."
 echo "Expected: $profileIdentifier to not exist."
 echo "Detected: 0"
 exit 0
else
 echo "Found: Configuration profile $discoveredProfileIdentifier was found on the machine."
 echo "Reason: $discoveredProfileIdentifier intalled."
 echo "Expected: $discoveredProfileIdentifier to not exist."
 echo "Detected: 1"
 exit 1
fi

Custom Definition Repair Script

Just as in the first script, you need to change the variable profileIdentifier to match your desired profile identifier.

#!/bin/sh

# singleConfigurationProfileDeletion.sh
# Created by Bennett Norton on 2/6/17.
# Deletes a specific profile on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal

profileIdentifier="com.landesk.profile"

# Delete
sudo /usr/bin/profiles -R -p "$profileIdentifier"


 

3 Comments
  • Mo
    Posted at 18:13h, 20 October Reply

    what if its says?
    There are profiles installed that marked non-removable

  • Mo
    Posted at 18:13h, 20 October Reply

    There are profiles installed that marked non-removable

  • Bennett Norton
    Posted at 10:16h, 26 October Reply

    MO – the management profiles applied through DEP will be marked as such and cannot be removed.

Post A Comment

ARE YOU READY TO GET STARTED?
Please fill out your information, and a specialist will reach out to discuss our services in more details.
Your Information will never be shared with any third party.
        
Free Training Videos
Register to gain access to all of our free content.
YOUR PHONE
YOUR NAME
YOUR EMAIL
        
Get Started
Provide us your contact information and we will reach out as quickly as possible.
YOUR PHONE
YOUR NAME
YOUR EMAIL
        
Additional Questions?
Provide us your contact information and we will reach out as quickly as possible.
YOUR PHONE
YOUR NAME
YOUR EMAIL
        
Pay by PO?
Provide us your contact information and we will reach out to help you sign up by PO.
YOUR PHONE
YOUR NAME
YOUR EMAIL
Subscribe Now
Subscribing to our site gives you access to our Apple Admin 101 training videos as well as allowing us to notify you of each new blog post we release.
YOUR PHONE
YOUR NAME
YOUR EMAIL
Pay by PO
Send us your contact information and we will reach out to help you sign up by PO.
YOUR PHONE
YOUR NAME
YOUR EMAIL
Additional Questions?
Send us your contact information and your questions and we will reach out as quickly as possible.
YOUR PHONE
YOUR NAME
YOUR EMAIL
YOUR QUESTIONS
Get Started
Provide us your contact information and we will reach out as quickly as possible.
YOUR PHONE
YOUR NAME
YOUR EMAIL
Free Training Videos
Subscribing to our site gives you access to our Apple Admin 101 training videos as well as allowing us to notify you of each new blog post we release.
FIRST NAME
LAST NAME
PHONE
EMAIL
Subscribe Now
Subscribing to our site gives you access to our Apple Admin 101 training videos as well as allowing us to notify you of each new blog post we release.
FIRST NAME
LAST NAME
PHONE
EMAIL