Today I Learned

Remove a non-removable MDM profile from macOS without a complete wipe

Non-removable MDM profiles cannot officially removed without doing a full system wipe. This is a problem when you restore a system from Time Machine after you enrolled it into the MDM, as the MDM will break, leaving you unable to re-enroll the machine.

Here's how to remove a non-removable MDM profile

  1. Boot the Mac into Recovery Mode (hold down command+R during startup).
  2. Go to the Utilities menu and open Terminal and type: csrutil disable. This will disable SIP (System Integrity Protection).
  3. Reboot into the OS.
  4. Open the integrated terminal and type:
cd /var/db/ConfigurationProfiles
rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled
  1. Reboot.
  2. Boot the Mac into Recovery Mode (hold down command+R during startup).
  3. Go to the Utilities menu and open Terminal and type: csrutil enable. This will re-enable SIP.
  4. Reboot into the OS.

The profile will be now removed and you will be able to re-enroll the Mac to your MDM.