Force the Removal of a Specific macOS Configuration Profile

We’ve all done it.  We installed something without fully vetting it out and now we need to get it off – of all of our machines.  Whoops!

The other day, I received a question from a customer asking how he could remove a configuration profile from all of his machines at once – without having to log in to each machine.

Apple actually makes such a task quite easy as viewing, installing and removing a profile from a Mac is inherently built into the operating system itself.  Therefore, with a short script we can detect whether the profile is installed and then remove it if it is.

To manually check the status of a machine’s profiles, you can run, inside of Terminal, the following command.

View All Profiles

sudo /usr/bin/profiles -P

Doing so should give you a report of both the machine and user based profiles installed.

[Screenshot: output of sudo /usr/bin/profiles -P showing three computer-level profiles]

In the screenshot above, all 3 profiles are computer based profiles.  If I wanted to remove all of the profiles listed above, all I need to do is use the ‘profiles -D’ command and call the respective profileIdentifier.

Remove All Profiles

sudo /usr/bin/profiles -D

However, removing all profiles is probably a bit forceful; a little precision often helps us in the long run.  In our example above, we may choose to remove only one of the profiles instead of all of them.  To do this, we just need to specify that we’re removing a profile and what the profile identifier name is.

Remove a Single Profile

sudo /usr/bin/profiles -R -p com.landesk.profile

-R is the command to remove the profile and -p specifies we’re removing it by the identifier name.  There are actually quite a few other options available as well, so check out the man page for more info.  For example, you may need to supply the removal password so the user doesn’t get prompted.  This switch is -z.


Now, let’s use LANDESK Management Suite to create a custom patch definition that will detect the machines that have a given profile and remove it if you choose to repair it. You can download the custom definition I built on my GitHub site here or build it yourself using the scripts below.

Custom Patch Detection Logic

Just change the variable profileIdentifier to match your desired profile identifier.


#!/bin/bash
# Created by Bennett Norton on 2/6/17.
# Detects whether a specific profile exists on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal
profileIdentifier="com.landesk.profile"

#  create an output variable with the potential profile from the machine
#  grep filters all of the results to only show the profileIdentifier line that matches our desired configuration profile
#  (anchored to the end of the line so that com.landesk.profile does not also match com.landesk.profile.extra)
#  awk allows us to pull just the data we're looking for from the command line
#  (the identifier is the 4th whitespace-separated field of each "attribute: profileIdentifier:" line)
discoveredProfileIdentifier=( $( sudo /usr/bin/profiles -P | grep "profileIdentifier: $profileIdentifier$" | awk '{print $4}') )

if [[ "$profileIdentifier" != "${discoveredProfileIdentifier[0]}" ]] ; then
 echo "Found: Configuration profile $profileIdentifier was not found on the machine."
 echo "Reason: $profileIdentifier not installed."
 echo "Expected: $profileIdentifier to not exist."
 echo "Detected: 0"
 exit 0
else
 echo "Found: Configuration profile ${discoveredProfileIdentifier[0]} was found on the machine."
 echo "Reason: ${discoveredProfileIdentifier[0]} installed."
 echo "Expected: ${discoveredProfileIdentifier[0]} to not exist."
 echo "Detected: 1"
 exit 1
fi

Custom Definition Repair Script

Just as in the first script, you need to change the variable profileIdentifier to match your desired profile identifier.


#!/bin/bash
# Created by Bennett Norton on 2/6/17.
# Deletes a specific profile on a machine

# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal
profileIdentifier="com.landesk.profile"

# Delete
# Add -z "<removal password>" if the profile was installed with a removal password, so the user is not prompted
sudo /usr/bin/profiles -R -p "$profileIdentifier"
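The two scripts above grep for the identifier as a substring and compare against the first match, which can conflate com.landesk.profile with a longer identifier that merely contains it. The script below is an added example, not code from the original post or from LANDESK: it parses the same profiles -P line format with an exact match on the identifier, reports which scope (computer or user) the profile was found in, emits the same Found/Reason/Expected/Detected lines and exit codes, and only runs the removal when DO_REMOVE=1 so it can be dry-run. The sample profiles output, the identifiers other than com.landesk.profile, and the function names are my own constructions.

```shell
#!/bin/bash
# Added example, not code from the original post or from LANDESK.
# Detects a configuration profile by parsing the `profiles -P` line format with
# an exact identifier match, and builds the removal command without running it
# unless DO_REMOVE=1. Function names and sample data are constructed for this demo.

# Constructed sample of `sudo /usr/bin/profiles -P` output: three computer-level
# profiles plus one user-level profile. The identifiers are made up, except
# com.landesk.profile, which is the example used in the post.
SAMPLE_PROFILES_OUTPUT='_computerlevel[1] attribute: profileIdentifier: com.example.wifi
_computerlevel[2] attribute: profileIdentifier: com.landesk.profile
_computerlevel[3] attribute: profileIdentifier: com.landesk.profile.extra
admin[1] attribute: profileIdentifier: com.example.user.mail
There are 4 configuration profiles installed'

# find_profile IDENTIFIER PROFILES_OUTPUT
# Prints the scope column (e.g. _computerlevel[2] or admin[1]) of every line whose
# profileIdentifier equals IDENTIFIER exactly. Returns 0 if at least one line
# matched, 1 otherwise. A substring grep would also match
# com.landesk.profile.extra when looking for com.landesk.profile; this does not.
find_profile() {
    local wanted="$1" output="$2"
    printf '%s\n' "$output" | awk -v id="$wanted" '
        $2 == "attribute:" && $3 == "profileIdentifier:" && $4 == id { print $1; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# detect_profile IDENTIFIER PROFILES_OUTPUT
# Emits the Found/Reason/Expected/Detected lines a LANDESK custom detection
# script reports, and returns 1 when the profile is present (detected) and
# 0 when it is absent, matching the exit codes of the post's detection script.
detect_profile() {
    local wanted="$1" output="$2" scopes
    if scopes=$(find_profile "$wanted" "$output"); then
        echo "Found: Configuration profile $wanted was found on the machine (scope: $(printf '%s' "$scopes" | tr '\n' ','))."
        echo "Reason: $wanted installed."
        echo "Expected: $wanted to not exist."
        echo "Detected: 1"
        return 1
    fi
    echo "Found: Configuration profile $wanted was not found on the machine."
    echo "Reason: $wanted not installed."
    echo "Expected: $wanted to not exist."
    echo "Detected: 0"
    return 0
}

# remove_profile IDENTIFIER [REMOVAL_PASSWORD]
# Removes the profile with `profiles -R -p`, adding -z when a removal password
# is supplied. The command only runs when DO_REMOVE=1; otherwise the function
# prints what it would run (with the password masked) so it can be dry-run.
remove_profile() {
    local wanted="$1" pw="${2:-}"
    if [ "${DO_REMOVE:-0}" = "1" ]; then
        if [ -n "$pw" ]; then
            sudo /usr/bin/profiles -R -p "$wanted" -z "$pw"
        else
            sudo /usr/bin/profiles -R -p "$wanted"
        fi
    else
        echo "dry-run: sudo /usr/bin/profiles -R -p $wanted${pw:+ -z ********}"
    fi
}

# Stand-alone run against the constructed sample. On a real Mac, replace the
# sample with "$(sudo /usr/bin/profiles -P)". detect_profile returns 1 when the
# profile is present, so removal is attempted only in that case (and only
# actually executed when DO_REMOVE=1).
if ! detect_profile "${1:-com.landesk.profile}" "$SAMPLE_PROFILES_OUTPUT"; then
    remove_profile "${1:-com.landesk.profile}"
fi
```

Run it with no arguments to see the dry-run against the sample, or pass another identifier as the first argument. Note that a removal password passed with -z appears in the process list for the lifetime of the profiles command, which is why the dry-run output masks it; on managed machines, prefer having the management agent supply it rather than embedding it in a script stored on disk.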


LANDESK Mac Management Part 4: Patching OS X and 3rd Party Applications

In part 4 of this LANDESK Mac Management series, we’ll demonstrate how you can patch the Mac OS, walking through the reboot process, as well as how to patch 3rd party application titles on the machine, which typically don’t require a reboot.

How to Patch Mac App Store Apps with LANDESK Patch’s Manual Definitions


Patching OS X applications can be quite the adventure.  Due to digital rights management, Apple IDs and user agreements, not all content found inside of Apple’s Mac App Store for OS X is available for redistribution by LANDESK.  This white paper will discuss how an application installer found in the Mac App Store (MAS) can be captured and used to patch applications deployed on your OS X devices.


LANDESK has a team of engineers that write content for many of the common applications in use on the OS X platform.  This content can be downloaded by anyone with a LANDESK Patch Manager or LANDESK Security Suite license.  However, unless the application is patched by Apple’s update servers, the content provided by LANDESK will have a “manual” appended to the title of the definition file.

[Screenshot: patch definition with “manual” appended to its title]

This “manual” indication in the title is to inform you that LANDESK cannot redistribute the content for that particular object. In order to do more than just detection for that vulnerability, the application will need to be manually downloaded.  By reviewing the Description tab on the Properties panel, you’ll find the note: “The patches for these applications should be downloaded from the Apple network by the LANDESK administrator. The respective patches should then be compressed into individual packages for each patch and named as * (for example, The last step would be to copy the zip package to the path \\coreservername\ldlogon\patch” or wherever your patch repository is located.



The LANDESK administrator will need to have access to an OS X device that has purchased the application that is intended to be patched, but that does not have the application currently installed.  A VM set aside just for downloading Apps may be an efficient method for the ongoing patch process.

Enable Debug Mode for the Mac App Store (MAS)

When an application is downloaded from the MAS, the installer file is downloaded, executed and then promptly removed.  By enabling debug mode for the MAS, we can create a link to the downloaded installer(s) allowing for future use on more than just the machine currently downloading the app.

  1. Quit the Mac App Store if currently opened
  2. Open Terminal and run the command ‘defaults write ShowDebugMenu -bool true’


Note: To disable debug mode, use the following command: ‘defaults write ShowDebugMenu -bool false’

Download the Installer for the App to be Patched

Once the debug mode is enabled, it will be possible to capture the download installer file for later use in patching.

  1. Launch the App Store App (notice you should now have a Debug menu item) and navigate to the Purchased tab.  Sign in if prompted.
  2. Select the app to be patched and click Install
  3. Once the install process shows visible progress in the download process, hit the pause button
  4. From the Debug menu, select the option Show Download Folder
  5. Finder will open and you’ll need to navigate inside the folder
  6. Locate the folder with a string of numbers, this should be your app, and navigate inside of it


You now need to create a hard link between the randomly named download and a file name and path where you want to store the installer.  You’ll do this by opening Terminal and using the ‘ln’ command followed by the path of the installer from the Mac App Store and then the path where you want to save your copy of the installer, which won’t be deleted as soon as .  The easiest way to enter the path of the randomly named installer is to drag and drop it into Terminal after typing ‘ln’.

  1. Launch Terminal and type ‘ln /path/to/macappstore.pkg /path/to/savedinstaller.pkg’
  2. Return to the Mac App Store purchased tab and resume the download
  3. When the installation for your app finishes, you’ll have a signed installer from Apple to use to update your fleet of Mac devices

Automating for Multiple Concurrent Downloads

If the manual linking process described above seems a bit burdensome when you need to download many applications, Max Schlapfer has created a script that not only automates the creation of the hard links but can also download multiple files at once.  To download Max’s AppStoreExtract script, see .  These next steps are not required; if you already have the installers you need to patch, skip forward to Configuring the Output Installers for LANDESK Patch.

Note: You do not need the Debug mode enabled for the Mac App Store, as outlined above, for this script to work.

  1. Download Max’s script from Github and extract it to a folder location of choice
  2. Open terminal and execute the script by typing in ‘./path/to/script/’ and hitting Return
    1. Note: Do not run this script as root.
  3. Launch the App Store App and navigate to the Purchased tab.  Sign in if prompted.
  4. Click Install on all of the Apps you want to create installers for and wait for them to complete the install process
  5. When the installation process has finished, return to the Terminal window and hit any key to finish the script.  When asked to finalize the packages, type Y.
  6. The script will name the output files according to the product and version, convert them to DMG files and store them in the /Users/Shared/AppStore_Packages folder

Configuring the Output Installers for LANDESK Patch

There is a good chance that LANDESK has already created the definitions needed to properly detect and repair the application of choice, you simply need to zip up the installer and name it according to what the definition file expects.  Refer to the description tab for each piece of content for specifics, but in general, you’ll want to name the zip file by the  If LANDESK has not already created the content, feel free to reach out to your local support representative and request the content be generated. Alternatively, you can create your own custom definitions as well.  See for more information on creating your own vulnerability definitions.

  1. Rename each installer according to the name defined in the definition file.  Make sure artifacts such as .dmg or .pkg are removed from the zip file name, as well as any underscores “_” where LANDESK patch content may be expecting a dash “-”.  If you want to verify you have properly named your installer, go to the properties panel for the detection rule within the vulnerability definition and highlight the Patch Information menu tree item.  The Unique Filename provided will tell you the exact name it is expecting.
  2. Copy the installers to your LANDESK patch repository
    1. Typically, the path to the LANDESK patch repository will be \\coreservername\ldlogon\patch.  However, this can be changed by an administrator.  If you’re unsure, go to the Patch and Compliance tool within the console and hit the Download Updates icon from the tool’s menu bar.  From there, click on the Patch location tab and validate your UNC path.

Note:  The individual patch content will not show as downloaded until the next scheduled patch download or if you manually attempt to download the patch.  At that point, it will see the file and change the status to yes.

Repair Your OS X Devices Using LANDESK Patch

Now that you have the installers for your content, you can repair your devices by either scheduling a repair task or by setting the content to be repaired by Autofix.


  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Autofix > Enable global autofix or Enable autofix for all scopes.
    1. If you prefer to only enable autofix for a couple of scopes, go to the properties panel, select the Autofix tab and check the boxes for the desired scopes.

For more information on Autofix, see:

Scheduled Repair

  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Repair
  4. From the Add targets selection on the Repair settings task panel, select Add all affected computers
  5. In the Tasks settings panel, set your desired Task type.
  6. Ensure the Display in portal option for the portal settings panel is set to Run automatically (unless you want your users to update their own apps)
  7. Schedule the task to start when desired from the Schedule task panel
  8. Save the task


For additional information on how to use LANDESK Patch Manager, see: