
Apple MDM profiles not updating potential fix


Robert White


I had several macOS laptops not getting an updated Wi-Fi configuration profile. The affected devices weren't getting any Apple MDM profile updates at all. Config profiles that are issued directly from the server deployed properly, and all other filesets also deployed fine. In case you have something like this, I wanted to share. It saved me from erasing/re-provisioning several laptops and took a while to develop and test.

This isn't an issue with FileWave, but an issue with Apple.  I worked with FW support and the agent had me test a command to re-enroll the device [profiles renew -type enrollment].  Three hours later the Apple MDM command was executed and I was given an enrollment prompt to re-enroll the device which fixed the issue.  What the heck Apple... Three hours?

I've tested this on macOS Catalina, Monterey, and Ventura.  Test this on something you can reset before trying on production.

Important Note: All my test machines are intel processors.  I need to check this on M series processors.  It should work, but I've not validated M series at this time.

If you have a macOS client that is fully DEP enrolled and not updating its Apple MDM-deployed configuration profiles, you can run through this in 10 to 15 minutes. You can't do it remotely, as you need to enter Recovery Mode. You must have hands on the device and an internet connection, and if your device(s) have firmware passwords set, you need that too.

Here you go.  Please be comfortable in a terminal window before proceeding...

  • Boot into Recovery Mode by holding Cmd+R

  • Select Terminal

  • Disable System Integrity Protection

    csrutil disable
    You will get a confirmation that System Integrity Protection is disabled. You need to reboot for changes to take effect.

  • Reboot and log in as an admin user

  • Open a terminal window, run sudo bash, and run the script below to delete all configuration profiles.

    #!/bin/bash
    # Rob did this. 2023.03.15
    # Remove every installed configuration profile and its bookkeeping,
    # then recreate the empty Settings directory and marker files.
    rm -rf /var/db/ConfigurationProfiles/*
    mkdir /var/db/ConfigurationProfiles/Settings
    touch /var/db/ConfigurationProfiles/.profilesAreInstalled
    touch /var/db/ConfigurationProfiles/Settings/.profilesAreInstalled
    # warning... It runs in a second and reboots. Get ready to hold down Cmd+R
    # you could echo the commented-out warning to prompt you to hold Cmd+R before the reboot

  • Quick, it's rebooting, hold Cmd+R to boot into Recovery Mode

  • Select Terminal

  • Re-enable System Integrity Protection

    csrutil enable

    You will get a confirmation that System Integrity Protection is enabled. You need to reboot for changes to take effect.

  • Reboot and log in again as an admin user

  • You can check your enrollment status for kicks. Open a terminal and sudo a shell so you can be root.

    sudo bash and enter your password when prompted
    profiles status -type enrollment

    You’ll see the device is not enrolled.

    Enrolled via DEP: No
    MDM Enrollment: No

  • Now you have cleared all configuration profiles on your device. You'll be prompted to re-enroll instantly, like the first time you connect a new laptop that's properly associated in ASM/ABM and you've prepped the DEP association in FileWave.

    profiles renew -type enrollment

    You will instantly be presented with an enrollment popup request. Follow the prompts and enter your enrollment credentials. Give it a few seconds or a minute and you can check to see all of your profiles installing.

If you want to quality-check and verify that things are set up as they should be:

  • Log in as an admin user and check your status on the client from a terminal

    sudo profiles status -type enrollment

    You'll see you are enrolled:

    Enrolled via DEP: Yes
    MDM enrollment: Yes (User Approved)

    You may or may not see this next line and I don’t see a difference in impact.

    MDM server: https://servername.something:20443/ios/mdm

  • Check your status in FileWave Admin
    It will show as Server only, but you want to see Fully Enrolled. Reboot and check again. Upon reboot, it will show as Fully Enrolled.
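A small added check, not part of Rob's post, that reduces the `profiles status -type enrollment` output quoted above to a single state word so the before (not enrolled) and after (fully enrolled) checks can be scripted. The sample outputs are constructed from the lines quoted in the post, and the function names are chosen here.

```shell
#!/bin/bash
# Added example, not from the original post: reduce the output of
#   profiles status -type enrollment
# to one state word, so the "not enrolled" check before re-enrolling and the
# "fully enrolled" check afterwards can be scripted. Samples are constructed.

SAMPLE_BEFORE='Enrolled via DEP: No
MDM Enrollment: No'

SAMPLE_AFTER='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://servername.something:20443/ios/mdm'

# Reads the command output on stdin and prints exactly one of:
#   not-enrolled, enrolled-unapproved, mdm-only, fully-enrolled, unknown
classify_enrollment() {
  local line dep="" mdm="" approved="no"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Enrolled via DEP: Yes"*)                    dep="yes" ;;
      "Enrolled via DEP: No"*)                     dep="no" ;;
      "MDM "[Ee]"nrollment: Yes (User Approved)"*) mdm="yes"; approved="yes" ;;
      "MDM "[Ee]"nrollment: Yes"*)                 mdm="yes" ;;
      "MDM "[Ee]"nrollment: No"*)                  mdm="no" ;;
    esac
  done
  if [ "$mdm" = "yes" ] && [ "$approved" = "yes" ] && [ "$dep" = "yes" ]; then
    echo fully-enrolled          # the state the post expects after re-enrolling
  elif [ "$mdm" = "yes" ] && [ "$approved" = "yes" ]; then
    echo mdm-only                # approved MDM profile, but not via DEP
  elif [ "$mdm" = "yes" ]; then
    echo enrolled-unapproved     # MDM profile present, not yet user-approved
  elif [ "$mdm" = "no" ]; then
    echo not-enrolled            # the state right after the profiles are wiped
  else
    echo unknown                 # output did not contain the expected lines
  fi
}

# On a Mac (run as root), classify the live output; elsewhere say so.
current_enrollment_state() {
  if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null | classify_enrollment
  else
    echo unavailable
  fi
}

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | classify_enrollment)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | classify_enrollment)"
```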

That's it. You can pull off the whole process in 10 to 15 minutes if you are adept. Or you could wait a few hours for Apple to finally get with it and run the profiles renew -type enrollment command. But, given physical access and the unpredictability of Apple MDM, this is my new process. Good luck!
