Unlike Configuration Baseline, Profiles, configurations and other items are not being removed or reverted when Deployment is removed for specific Task Sequence in SCCM Console.
If we want to remove a profile in such case, we can create another TS with a short script to remove the profile and deploy it to the collection which only contains Macs that should get the profile removed.
At first we should find out the profile identifier which is going to be used for removal of corresponding profile. We can find it in .mobileconfig file:
Or from terminal when the profile is already deployed to some Mac:
/usr/bin/profiles -P shows all profiles installed on the Mac
/usr/bin/profiles -C shows Computer or System level profiles
/usr/bin/profiles -L shows user level profiles for current user
NOTE: Profiles utility offer a lot more functionality which can be checked using "profiles help" or "man profiles" terminal commands.
Once profile identifier is known we may create a Task Sequence for it's removal:
- In SCCM Console > Software Library > Overview > Operating Systems > Task Sequences hit Create OSX Task Sequence:
- Specify desired Task Sequence Name at General tab, switch to Steps tab and add Execute Script Step:
/usr/bin/profiles -R -p com.apple.mdm.Mac-mini-Ilya.local.5de00e7c-778c-4d2a-bf45-002e610b43ff.alacarte
NOTE: Once Task Sequence is created, it's better to remove deployment for old Task Sequence which applied the profile we want to remove and alter it or turn off Apply Configuration Profile Step in it and only then redeploy, so that it would not install the profile on the same Macs afterward. After that we can Deploy the newly created TS for profile removal. Make sure to deploy it as Required if you do not want users to execute it manually from Parallels Application Portal.
Script also can be executed directly in macOS terminal/SSH session:
sudo /usr/bin/profiles -R -p com.apple.mdm.Mac-mini-Ilya.local.5de00e7c-778c-4d2a-bf45-002e610b43ff.alacarte
Or from SCCM Console > Assets and Compliance > Overview > Devices > Search for required device(s) and select them > right-click > Parallels Management Tools > Execute Script:
NOTE: Such method will not be applicable for Profiles pushed via MDM which are restricted from removal.
Was this article helpful?
Tell us how we can improve it.