Profile Installation Failed – New Profile Does Not Meet Criteria to Replace Existing Profile

Recently, some of the techs I work alongside in IT started noticing an error on machines with broken JAMF configurations (JAMF is an Apple-focused device management suite for businesses). For most users, it started when they either couldn’t open JAMF’s Self Service app or updates pushed through that Self Service app weren’t going through. Our initial thought was to re-enroll the machine into our enterprise system, yet when we tried to do so the machines would throw an error when attempting to install the new profiles. The error read:

Profile Installation Failed – New Profile Does Not Meet Criteria to Replace Existing Profile

After some research and troubleshooting, we were able to find workarounds to get the machines back into the system correctly. I’m going to walk you through first what profiles are, then what could have caused the issue in the first place, and finally a few different methods that we found worked to help us resolve the issue, depending on its nature.

I absolutely must mention that these solutions were not things we came up with purely on our own. We got help from the JAMF Forums, which are a fantastic resource. The reason I’m writing this is that the solutions, as well as the potential reasons for the error, are scattered about the forums, so I wanted to provide one streamlined guide to this error. That said, credit is due where it is due. I have links at the bottom of this article to the primary forum sources I used when troubleshooting our own issue, so you can go back and read through them as well. I do not want to take away from the great benefit that the members of the forum provide.

What are Profiles:

Profiles are tools with which enterprises can manage devices and enable or disable features as needed. This could be things like making sure apps such as the antivirus already have the permissions necessary to scan the entire hard drive, preventing certain features from being enabled such as a user’s personal Apple account or Find My, or allowing a business to remotely wipe or lock a machine in the event it goes missing. They also allow companies to get information about devices such as hard drive usage, apps installed, and so on. These tools are really powerful, which is why Apple has restrictions about who can use them and when, lest some company abuse them outside their intended use.

These profiles can be installed in one of two ways. One is automatic enrollment: if the device is set up for it, an enterprise or management company can arrange that as soon as the machine is turned on and has an Internet connection, these profiles are installed automatically during the Mac’s own setup process. This is commonly done in enterprises that have direct relationships with Apple or use utilities like Apple School Manager.

Otherwise, profiles can be installed manually through a web browser or a flash drive, similar to the way you might install third party software from the web. The Mac will confirm once or twice that you want them to install and manage your machine, but after confirming that they are valid and the user wants to install them, they’ll now become active on the machine and start running their scripts and doing their work.

Regardless of the method, you can find any profiles active on your system in the “Profiles” section of System Preferences, typically next to “Startup Disk” near the bottom of the window. If you don’t see this option, then it means you don’t have any profiles installed and active.

What does the error mean and what causes it?

If you are seeing this error, it likely means your machine was set up through an auto-enroll method rather than being manually enrolled. What do I mean by this? If your machine was purchased through Apple for an enterprise through a system like Apple School Manager, then when your Mac runs through its setup process the first time and connects to the network, you’ll see an extra step added in which the machine recognizes that it belongs to a particular enterprise and automatically installs the profiles and subsequent apps and policies mandated by that enterprise.

If a machine isn’t purchased this way or the machine was purchased outside that program and brought into it outside of that process, then that is a user or manually enrolled system, meaning the user (or tech doing the setup) is choosing to put this machine into the management system of that enterprise.

So you can think of it like becoming a citizen of a country. If you’re born into that country, then you’re a citizen and all that paperwork happens without you having to be directly involved compared to choosing to change your citizenship to another country. (I also know this isn’t a perfect analogy, but it fits the bill).

So what does this have to do with profiles and the error? If your machine was part of the auto-enroll procedure, then a user cannot uninstall those profiles on their own, whereas a manually enrolled user (typically) can choose to uninstall those profiles and take themselves out of the system. This makes some sense when you think about it, because if I’m bringing my own machine into the company then I want to be able to take my machine back out of that system when I leave. If you’re the company, then you don’t want your users being able to just uninstall your profiles and then have free rein over their machines, especially if the machines in question are used for things that fall under extra regulation such as medical, financial, or educational data. Essentially what it comes down to is a flag set by the team that manages your enterprise’s JAMF (or other Apple management suite) that says whether or not these profiles can be removed by the user.
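Before picking a fix, it helps to know which of the two enrollment kinds described above a given Mac is in, because that decides whether the profiles are expected to be user-removable at all. The following script is an added example and is not from the original post or from JAMF: it classifies the text that macOS’s own `profiles status -type enrollment` prints and maps the result onto the methods in this article. The sample status texts embedded in it are constructed for offline checking, not captured from a real machine; the `--live` switch runs the real command only when invoked on a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Mac's MDM enrollment
# from the output of `profiles status -type enrollment`, so a tech can tell
# before touching anything whether the profiles are expected to be
# user-removable (manual enrollment) or locked (automated/DEP enrollment).

# classify_enrollment STATUS_TEXT -> prints one of: none | manual | automated
classify_enrollment() {
    status_text=$1
    dep=$(printf '%s\n' "$status_text" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$status_text" | sed -n 's/^MDM enrollment: *//p')
    case "$mdm" in
        No*) echo none; return 0 ;;
    esac
    case "$dep" in
        Yes*) echo automated ;;
        *)    echo manual ;;
    esac
}

# recommend KIND -> prints which method from the article to try first
recommend() {
    case "$1" in
        none)      echo "No MDM profile present: try re-enrolling directly." ;;
        manual)    echo "User-removable profiles: try Method 1, then Method 2." ;;
        automated) echo "Auto-enrolled (DEP) profiles: talk to your JAMF admins first; then Method 1, then Method 3." ;;
        *)         echo "Unknown enrollment state: $1" >&2; return 1 ;;
    esac
}

# Live check, only meaningful on a Mac; `profiles` needs root for the full picture.
live_status() {
    if [ "$(uname -s)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
        sudo profiles status -type enrollment
    else
        echo "profiles(1) is macOS-only; run this on the affected Mac" >&2
        return 1
    fi
}

# Constructed sample outputs (not captured from a real machine) for a dry run.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'

if [ "${1:-}" = "--live" ]; then
    status=$(live_status) && recommend "$(classify_enrollment "$status")"
else
    for s in "$SAMPLE_DEP" "$SAMPLE_MANUAL"; do
        kind=$(classify_enrollment "$s")
        printf '%s -> %s\n' "$kind" "$(recommend "$kind")"
    done
fi
```

Run it with no arguments to see the two constructed samples classified, or with `--live` on the affected Mac to classify the real status; an “automated” result is the case where this article’s error is most likely, since those profiles were never meant to be removed by the user.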

Now this is all well and good, but if your instance of JAMF on this machine isn’t functioning properly and needs to be rebuilt, then this can be an issue. So, how do we go about fixing this?

How to fix this:

Before you jump into the fix, you should know two things. First, if you’re a tech, talk to the team that manages your JAMF instance. They may have a workaround for you, or at least a temporary provision to allow the profiles to be uninstalled. But if this machine’s enrollment is really screwed up, then follow the steps below after reading through the second notice.

The second thing is that you’re going to need to be logged in to an admin account. If you’re not already, do that now. There’s going to be some Terminal work here.

Method 1: Refreshing the enrollment profiles

One of the things we found that worked on some machines was to force the machines to talk to our enterprise JAMF server and request that all the enrollment profiles be refreshed from the server. This was generally the least destructive and least time-consuming option, and we found this step was particularly useful on Big Sur and later machines.

First, make sure your machine is connected to your enterprise network and has internet connection on said network. As stated before, the Mac is going to be connecting to your JAMF server.

Next, open your Terminal and type in the following command.

sudo profiles renew -type enrollment

Give it a few minutes, as the profiles need a chance to resync. After it’s done, go ahead and run your manual sync commands in the Terminal. I’ve posted the JAMF commands, but if you’re using a different service like Intune for managing your Mac then these commands will be different.

sudo jamf recon && sudo jamf policy

The commands should now run normally and check in and sync. I found that when this worked, the policy command actually re-ran all our first-run scripts, such as installing our alerting tools and security suite, among other things. Afterwards our issues with Self Service were resolved on most of our machines, but not all of them. In that case, check out the next two methods.

Method 2: The 2-step uninstall

Open the machine’s Terminal app. We’re going to run two commands to uninstall JAMF’s profiles and then JAMF itself. These need to be done in order, though, so if the first command fails then stop and go to Method 3.

The first command to type in is as follows:

sudo jamf removeMDMProfiles

Hit Enter and let the command run for a couple of minutes. Assuming this ran successfully, meaning it didn’t throw any errors after you hit Enter and instead returned to the normal prompt, then run the second command. That command is

sudo jamf removeFramework

Let this run for a few minutes, until the Terminal returns to its normal prompt. Once this is done, reboot the Mac for good measure, and then attempt to re-enroll in Jamf.

Method 3: Removing All Profiles via the Terminal

To follow this method, you’re going to have to lower the Mac’s security temporarily by disabling System Integrity Protection (SIP). You will need to re-enable this when you’re done.

First, you’re going to need to boot into Recovery Mode on the machine. Shut down the machine normally and then do the following depending on what kind of Mac you have.

  • If it is an Intel Mac, hold down the “Command” and “R” keys on the keyboard while turning on the Mac and keep holding them until the Apple logo and loading bar show up.
  • On an Apple Silicon/M1 Mac, press and hold the power button. While the Mac is turning on it will say to keep holding to get to the boot options. Soon the logo will change to a gear icon with the word “Options.” Click on the Options button, then Continue, to boot into Recovery Mode.

Once you’re in Recovery Mode, hit “Utilities” in the menu bar, and then hit “Terminal”. Once the Terminal opens, type in the following command.

csrutil disable

Then reboot the Mac again and let it boot normally. SIP is now disabled.

When the Mac has rebooted and you’ve logged back into an admin account, open the Terminal again and type in the following.

sudo rm -rf /var/db/ConfigurationProfiles/Store/*

Next type in this command

sudo profiles -D

Between these two commands you should now have deleted all the profiles, JAMF or otherwise, from your machine. Now close the Terminal and reboot your Mac to complete the process. Once it comes back on and you log in, verify that there are no more profiles by opening the System Preferences app and checking whether the “Profiles” section is there, which it shouldn’t be. If it is there, you should now be able to delete any profiles in there as you see fit. But you’re not done yet.

Boot the Mac back into Recovery Mode, reopen the Terminal and type in this last command

csrutil enable

With this you have re-enabled SIP. Reboot your Mac, log back in, and you should now be able to re-enroll your Mac.
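Because Method 3 deletes the whole profile store with `rm -rf`, it is worth wrapping those two commands in a few checks: refuse to run unless SIP really is disabled, archive the store first so the deletion can be undone, and verify afterwards that no profiles remain before re-enabling SIP. The script below is an added example and is not from the original post or from JAMF. The store path and the `profiles -D` and `csrutil` commands are the ones this article uses; the backup directory under `/var/root` is this example’s own choice, and the sample `csrutil status` and `profiles list` outputs are constructed so the parsing can be checked without a Mac. Run it with `--run` as root on the affected Mac to perform the guarded purge; without arguments it only exercises the checks on the samples.

```shell
#!/bin/sh
# Added example (not from the original post): a guarded version of Method 3.
# It refuses to delete the profile store unless SIP is actually disabled,
# archives the store before removing it, and confirms afterwards that no
# profiles remain.

STORE=/var/db/ConfigurationProfiles/Store            # path used in the article
BACKUP_DIR=${BACKUP_DIR:-/var/root/profile-store-backups}   # this example's choice

# sip_disabled CSRUTIL_OUTPUT -> exit 0 when the text reports SIP disabled
sip_disabled() {
    case "$1" in
        *"System Integrity Protection status: disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# profiles_remaining PROFILES_LIST_OUTPUT -> prints the number of profiles
# still listed (`profiles list` prints one "attribute: profileIdentifier:"
# line per installed profile, or a "no configuration profiles installed" notice).
profiles_remaining() {
    case "$1" in
        *"no configuration profiles installed"*) echo 0 ;;
        *) printf '%s\n' "$1" | grep -c 'attribute: profileIdentifier:' || true ;;
    esac
}

# purge_profiles: the two Method 3 commands, with the checks around them
purge_profiles() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
    if ! sip_disabled "$(csrutil status)"; then
        echo "SIP is enabled; boot to Recovery and run 'csrutil disable' first" >&2
        return 1
    fi
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    tar -czf "$BACKUP_DIR/store-$stamp.tgz" -C "$(dirname "$STORE")" "$(basename "$STORE")"
    echo "store archived to $BACKUP_DIR/store-$stamp.tgz"
    rm -rf "$STORE"/*
    profiles -D
    left=$(profiles_remaining "$(profiles list 2>&1)")
    if [ "$left" -eq 0 ]; then
        echo "no profiles remain; reboot, re-enable SIP in Recovery (csrutil enable), then re-enroll"
    else
        echo "$left profile(s) still reported; reboot and re-check before re-enabling SIP" >&2
        return 1
    fi
}

# Constructed sample command outputs (not real captures) for offline checking.
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_LIST_EMPTY='There are no configuration profiles installed in the system domain'
SAMPLE_LIST_TWO='_computerlevel[1] attribute: profileIdentifier: com.example.one
_computerlevel[2] attribute: profileIdentifier: com.example.two'

if [ "${1:-}" = "--run" ]; then
    purge_profiles
else
    if sip_disabled "$SAMPLE_SIP_ON"; then echo "sample SIP on: would purge"; else echo "sample SIP on: would refuse"; fi
    if sip_disabled "$SAMPLE_SIP_OFF"; then echo "sample SIP off: would purge"; else echo "sample SIP off: would refuse"; fi
    echo "profiles left in sample listing: $(profiles_remaining "$SAMPLE_LIST_TWO")"
fi
```

The archive is the part most worth keeping even if you do not want the rest: if the machine turns out to have had a profile you still needed (a Wi-Fi or certificate payload, for instance), the tarball under the backup directory lets you see what was there instead of guessing.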

Sources:

https://community.jamf.com/t5/jamf-pro/cannot-remove-profile/m-p/243142
https://community.jamf.com/t5/jamf-pro/orphaned-profile-i-can-t-remove/td-p/158860
https://community.jamf.com/t5/jamf-pro/hostile-takeover-possible-to-purge-non-removable-mdm-profile/td-p/182657#responseChild129140

Feel free to comment.
