Fix: New profile does not meet criteria to replace existing profile

I recently ran into an issue with a couple of machines when trying to re-enrol them via my company's Apple MDM solution, Jamf.

New profile does not meet criteria to replace existing profile

The cause itself is not Jamf, rather the way in which Apple enforces profiles deployed through DEP. Devices that receive this error have previously communicated with an Apple DEP server and pulled down a configuration that has the “Non-removable” flag set. In many regards this is great, as it means the device cannot be removed from management by an end user or a device thief. On the other hand, it makes life a little more complicated for us admins. One way to get around this is to wipe the device and start again, but that’d be too easy…

Don’t let the “Non-removable” flag fool you. Using the following steps you’ll be able to clear out all existing configuration profiles on the device and re-enrol without running into this error.

Requirements:

  • Apple DEP already set up for your organization.
  • Access to a local administrator account.
  • The device EFI/Boot password (if set).

Disable SIP (System Integrity Protection)

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return.
    csrutil disable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…

Remove all old profiles

Boot into recovery mode again.

  1. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  2. Click the Utilities menu and select Terminal.
  3. Type the following and press return.
    rm -rf /var/db/ConfigurationProfiles/Store/
  4. Close the Terminal app.
  5. Click the Apple menu and select Restart…

Re-enroll the device via DEP

  1. Log back into the Mac with an account that has local administrator privileges.
  2. Open Terminal.app.
  3. Type the following and press return.
    sudo profiles renew -type enrollment
  4. This should throw up a notification (top right of screen) to enrol the device via DEP. Click it and follow the onscreen prompts to complete enrolment.
  5. If prompted, enter credentials for your DEP account.

Re-enable SIP (Crucial)

This step is very important: SIP is an integral part of a Mac’s security mechanism, and leaving it disabled puts the device at risk.

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return.
    csrutil enable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…
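A post-remediation check, added here as an example and not part of the original article: it parses the output of `csrutil status` and `profiles status -type enrollment` and fails if SIP is still disabled or the Mac is not back under DEP/MDM management. The line formats of both commands are assumed from the constructed samples below, so it can be run off a Mac as well.

```shell
#!/bin/sh
# Added post-remediation check (not part of the original article).
# Confirms the end state of the procedure: SIP re-enabled and the device
# enrolled via DEP with an MDM enrollment in place.

# Returns 0 when the csrutil text reports SIP enabled, 1 otherwise.
sip_enabled() {
  # Assumed format: "System Integrity Protection status: enabled."
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Returns 0 when the profiles text reports both DEP and MDM enrollment.
dep_enrolled() {
  # Assumed format: "Enrolled via DEP: Yes" / "MDM enrollment: Yes (User Approved)"
  printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' &&
  printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'
}

# Runs both checks, prints a summary line for each and returns 0 only if all pass.
check_state() {
  rc=0
  if sip_enabled "$1"; then
    echo "OK   SIP enabled"
  else
    echo "FAIL SIP disabled - boot to Recovery and run: csrutil enable"; rc=1
  fi
  if dep_enrolled "$2"; then
    echo "OK   enrolled via DEP with MDM enrollment"
  else
    echo "FAIL not enrolled - run: sudo profiles renew -type enrollment"; rc=1
  fi
  return $rc
}

# Constructed sample output for running off a Mac. On a real machine use the
# live commands instead:
#   check_state "$(csrutil status)" "$(profiles status -type enrollment)"
SAMPLE_SIP_OK='System Integrity Protection status: enabled.'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'
```

A non-zero exit from `check_state` means the Mac should not be handed back to the user yet.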