We’ve all done it. We installed something without fully vetting it out and now we need to get it off – of all of our machines. Whoops!
The other day, I received a question from a customer asking how he could remove a configuration profile from all of his machines at once – without having to log in to each machine.
Apple actually makes such a task quite easy as viewing, installing and removing a profile from a Mac is inherently built into the operating system itself. Therefore, with a short script we can detect whether the profile is installed and then remove it if it is.
To manually check the status of a machine’s profiles, you can run, inside of Terminal, the following command.
View All Profiles
sudo /usr/bin/profiles -P
So doing should give you a report out of both the machine and user based profiles installed.
In the screenshot above, all 3 profiles are computer based profiles. If I wanted to remove all of the profiles listed above, all I need to do is use the ‘profiles -D’ command and call the respective profileIdentifier.
Remove All Profiles
sudo /usr/bin/profiles -D
However, removing all profiles is probably a bit forceful, often a little precision can help us in the long run. In our example above, we may choose to only remove one of the profiles instead of all of them. To do this, we just need to specify that we’re removing a profile and what the profile identifier name is.
Remove a Single Profile
sudo /usr/bin/profiles -R -p com.landesk.profile
-R is the command to remove the profile and -p specifies we’re removing it by the identifier name. There are actually quite a few other options available as well, so check out the man page for more info. For example, you may need to add in the password to remove so the user doesn’t get prompted. This switch is -z.
Automation
Now, let’s use LANDESK Management Suite to create a custom patch definition that will detect the machines that have a given profile and remove it if you choose to repair it. You can download the custom definition I built on my GitHub site here or build it yourself using the scripts below.
Custom Patch Detection Logic
Just change the variable profileIdentifier to match your desired profile identifier.
#!/bin/sh
# singleConfigurationProfileDetection.sh
# Created by Bennett Norton on 2/6/17.
# Detects the whether a specific profile exists on a machine
# Profile Identifier Name Variable
# Change this name to match the profile identifier you want to remove
# Find the name by typing sudo /usr/bin/profiles -P in Terminal
profileIdentifier="com.landesk.profile"
# create an output variable with the the potential profile from the machine
# grep filters all of the results to only show that which matches our desired configuration profile
# awk allows us to pull just the data we're looking for from the command line
discoveredProfileIdentifier=( $( sudo /usr/bin/profiles -P | grep "$profileIdentifier" | awk '{print $4}') )
if [[ $profileIdentifier != $discoveredProfileIdentifier ]] ; then
echo "Found: Configuration profile $profileIdentifier was not found on the machine."
echo "Reason: $profileIdentifier not intalled."
echo "Expected: $profileIdentifier to not exist."
echo "Detected: 0"
exit 0
else
echo "Found: Configuration profile $discoveredProfileIdentifier was found on the machine."
echo "Reason: $discoveredProfileIdentifier intalled."
echo "Expected: $discoveredProfileIdentifier to not exist."
echo "Detected: 1"
exit 1
fi
Custom Definition Repair Script
Just as in the first script, you need to change the variable profileIdentifier to match your desired profile identifier.
#!/bin/sh # singleConfigurationProfileDeletion.sh # Created by Bennett Norton on 2/6/17. # Deletes a specific profile on a machine # Profile Identifier Name Variable # Change this name to match the profile identifier you want to remove # Find the name by typing sudo /usr/bin/profiles -P in Terminal profileIdentifier="com.landesk.profile" # Delete sudo /usr/bin/profiles -R -p "$profileIdentifier"
Apple in the Enterprise Moved 
Recent Comments