MScottBlake · March 6, 2025 21:38 · ghost · Aug 9, 2023 · Wildhawk325 · Nov 25, 2024
diff --git a/1-Reboot to Recovery.command b/1-Reboot to Recovery.command
 #!/bin/zsh

 # Elevate permissions, if needed
 if [ $USER != 'root' ]; then
  sudo $0
  exit 0
 fi

 # Reboot to Recovery
 /usr/sbin/nvram "recovery-boot-mode=unused"
 reboot
diff --git a/2-Remove MDM Profile.command b/2-Remove MDM Profile.command
 #!/bin/zsh
 autoload colors; colors;

 # Elevate permissions, if needed
 if [ $USER != 'root' ]; then
  sudo $0
  exit 0
 fi

 # Ensure SIP is disabled
 if [ $(/usr/bin/csrutil status | awk '{print $NF}') != 'disabled.' ]; then
  print -P "%F{red}\nSIP is still enabled. Please reboot to Recovery and disable SIP%f\n"
  exit 2
 fi

 # Remove all configuration profiles
 /bin/rm -rf /var/db/ConfigurationProfiles/Store/*

 # Enable SIP and reboot
 /usr/bin/csrutil clear
 reboot
diff --git a/3-Enroll Device.command b/3-Enroll Device.command
 #!/bin/zsh
 autoload colors; colors;

 # Elevate permissions, if needed
 if [ $USER != 'root' ]; then
  sudo $0
  exit 0
 fi

 # Ensure SIP is enabled
 if [ $(/usr/bin/csrutil status | awk '{print $NF}') != 'enabled.' ]; then
  print -P "%F{red}\n SIP is still disabled. Please reboot to Recovery and enable SIP.%f\n"
  exit 2
 fi

 # Enroll device
 /usr/bin/profiles renew -type=enrollment
diff --git a/Removing a Non-Removable MDM Profile b/Removing a Non-Removable MDM Profile
 These steps are only recommended as a last resort before performing a nuke and pave. Normally we would send an Unmanage command from Jamf Pro to the computer. These steps are intended for use when that process fails.

 From a high level, the process requires rebooting to Recovery to disable System Integrity Protection (SIP), removing normally-locked files, enabling SIP, and re-enrolling into Jamf Pro. These steps require administrative rights. If the current user is not an administrator, login as a local admin before attempting.

 There are several restarts during this process. Please save and close all work.

 1)	Run 1-Reboot to Recovery.command. (Note: You may be prompted for a password. If so, use the local account password.)
 2)	Wait for the computer to restart into Recovery.
 3)	Open the Utilities menu from the menu bar and select Terminal.
 4)	Enter csrutil disable && reboot into the terminal window and press return
 5)	Wait for the computer to restart normally and login.
 6)	Run 2-Remove MDM Profile.command. (Note: You may be prompted for a password. If so, use the local account password.)
 7)	Wait for the computer to restart normally and login.
 8)	Run 3-Re-enroll Device.command. (Note: You may be prompted for a password. If so, use the local account password.)
 9)	Click on the alert titled Device Enrollment in the upper right corner of the screen.
 10)	When prompted if you would like to Allow Device Enrollment, select Allow.
 11)	The 3 files used above can be deleted at this time.
	#!/bin/zsh

	# Elevate permissions, if needed
	if [ $USER != 'root' ]; then
	sudo $0
	exit 0
	fi

	# Reboot to Recovery
	/usr/sbin/nvram "recovery-boot-mode=unused"
	reboot
	#!/bin/zsh
	autoload colors; colors;

	# Elevate permissions, if needed
	if [ $USER != 'root' ]; then
	sudo $0
	exit 0
	fi

	# Ensure SIP is enabled
	if [ $(/usr/bin/csrutil status \| awk '{print $NF}') != 'enabled.' ]; then
	print -P "%F{red}\n SIP is still disabled. Please reboot to Recovery and enable SIP.%f\n"
	exit 2
	fi

	# Enroll device
	/usr/bin/profiles renew -type=enrollment
	These steps are only recommended as a last resort before performing a nuke and pave. Normally we would send an Unmanage command from Jamf Pro to the computer. These steps are intended for use when that process fails.

	From a high level, the process requires rebooting to Recovery to disable System Integrity Protection (SIP), removing normally-locked files, enabling SIP, and re-enrolling into Jamf Pro. These steps require administrative rights. If the current user is not an administrator, login as a local admin before attempting.

	There are several restarts during this process. Please save and close all work.

	1) Run 1-Reboot to Recovery.command. (Note: You may be prompted for a password. If so, use the local account password.)
	2) Wait for the computer to restart into Recovery.
	3) Open the Utilities menu from the menu bar and select Terminal.
	4) Enter csrutil disable && reboot into the terminal window and press return
	5) Wait for the computer to restart normally and login.
	6) Run 2-Remove MDM Profile.command. (Note: You may be prompted for a password. If so, use the local account password.)
	7) Wait for the computer to restart normally and login.
	8) Run 3-Re-enroll Device.command. (Note: You may be prompted for a password. If so, use the local account password.)
	9) Click on the alert titled Device Enrollment in the upper right corner of the screen.
	10) When prompted if you would like to Allow Device Enrollment, select Allow.
	11) The 3 files used above can be deleted at this time.