Forked from MScottBlake/1-Reboot to Recovery.command
Created September 15, 2025 04:07
Removing a Non-Removable MDM Profile

1-Reboot to Recovery.command

```zsh
#!/bin/zsh

# Elevate permissions, if needed
if [ "$USER" != 'root' ]; then
    sudo "$0"
    # Pass the elevated run's exit status back to the caller
    exit $?
fi

# Reboot to Recovery
/usr/sbin/nvram "recovery-boot-mode=unused"
reboot
```

2-Remove MDM Profile.command

```zsh
#!/bin/zsh
autoload colors; colors;

# Elevate permissions, if needed
if [ "$USER" != 'root' ]; then
    sudo "$0"
    # Pass the elevated run's exit status back to the caller
    exit $?
fi

# Ensure SIP is disabled (quoted so multi-line csrutil output cannot break the test)
if [ "$(/usr/bin/csrutil status | awk '{print $NF}')" != 'disabled.' ]; then
    print -P "%F{red}\nSIP is still enabled. Please reboot to Recovery and disable SIP.%f\n"
    exit 2
fi

# Remove all configuration profiles
/bin/rm -rf /var/db/ConfigurationProfiles/Store/*

# Enable SIP and reboot
/usr/bin/csrutil clear
reboot
```

3-Re-enroll Device.command

```zsh
#!/bin/zsh
autoload colors; colors;

# Elevate permissions, if needed
if [ "$USER" != 'root' ]; then
    sudo "$0"
    # Pass the elevated run's exit status back to the caller
    exit $?
fi

# Ensure SIP is enabled (quoted so multi-line csrutil output cannot break the test)
if [ "$(/usr/bin/csrutil status | awk '{print $NF}')" != 'enabled.' ]; then
    print -P "%F{red}\nSIP is still disabled. Please reboot to Recovery and enable SIP.%f\n"
    exit 2
fi

# Enroll device
/usr/bin/profiles renew -type=enrollment
```

These steps are only recommended as a last resort before performing a nuke and pave. Normally we would send an Unmanage command from Jamf Pro to the computer. These steps are intended for use when that process fails.

At a high level, the process requires rebooting to Recovery to disable System Integrity Protection (SIP), removing normally-locked files, enabling SIP, and re-enrolling into Jamf Pro. These steps require administrative rights. If the current user is not an administrator, log in as a local admin before attempting.

There are several restarts during this process. Please save and close all work.

1) Run 1-Reboot to Recovery.command. (Note: You may be prompted for a password. If so, use the local account password.)
2) Wait for the computer to restart into Recovery.
3) Open the Utilities menu from the menu bar and select Terminal.
4) Enter `csrutil disable && reboot` into the terminal window and press return.
5) Wait for the computer to restart normally and log in.
6) Run 2-Remove MDM Profile.command. (Note: You may be prompted for a password. If so, use the local account password.)
7) Wait for the computer to restart normally and log in.
8) Run 3-Re-enroll Device.command. (Note: You may be prompted for a password. If so, use the local account password.)
9) Click on the alert titled Device Enrollment in the upper right corner of the screen.
10) When prompted if you would like to Allow Device Enrollment, select Allow.
11) The 3 files used above can be deleted at this time.
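
The SIP checks in scripts 2 and 3 take the last field of every line that `csrutil status` prints, which is only reliable when the output is a single line. As an added example (not part of the gist), the sketch below classifies the status line alone and reports a custom configuration as its own state, so a partially disabled SIP is never mistaken for enabled or disabled. It is written in POSIX sh rather than zsh; the `CSRUTIL_OUTPUT` override and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): classify `csrutil status` output using
# only its status line, so extra lines cannot confuse the comparison.

# sip_state: read `csrutil status` text on stdin and print one of
# enabled | disabled | custom | unknown.
sip_state() {
    awk '
        /^System Integrity Protection status:/ {
            found = 1
            if ($0 ~ /Custom Configuration/) { print "custom" }
            else if ($NF == "enabled.")      { print "enabled" }
            else if ($NF == "disabled.")     { print "disabled" }
            else                             { print "unknown" }
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# require_sip WANT: succeed only when the state equals WANT.
# CSRUTIL_OUTPUT is a hypothetical override so the check can run offline;
# when it is empty the live /usr/bin/csrutil is queried.
require_sip() {
    if [ -n "${CSRUTIL_OUTPUT:-}" ]; then
        state=$(printf '%s\n' "$CSRUTIL_OUTPUT" | sip_state)
    else
        state=$(/usr/bin/csrutil status 2>/dev/null | sip_state)
    fi
    [ "$state" = "$1" ]
}

# Constructed sample outputs, modelled on what csrutil prints.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Kext Signing: disabled
    Filesystem Protections: disabled

This is an unsupported configuration, likely to break in the future.'

# Print the classification of each constructed sample (and of empty input).
for sample in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_CUSTOM" ''; do
    printf '%s\n' "$sample" | sip_state
done
```

A management script can call `require_sip enabled` before enrollment and log any other state for follow-up.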