Fix: New profile does not meet criteria to replace existing profile


I recently ran into an issue with a couple of machines when trying to re-enrol them via my company's Apple MDM solution, Jamf.

New profile does not meet criteria to replace existing profile

The cause itself is not Jamf, but rather the way in which Apple enforces profiles deployed through DEP. Devices that receive this error have previously communicated with an Apple DEP server and pulled down a configuration that has the “Non-removable” flag set. In many regards this is great, as it means the device cannot be removed from management by an end user or a device thief. On the other hand, it makes life a little more complicated for us admins. One way to get around this is to wipe the device and start again, but that’d be too easy…

Don’t let the “Non-removable” flag fool you. Using the following steps you’ll be able to clear out all existing configuration profiles on the device and re-enrol without running into this error.

Requirements:

  • Apple DEP already setup for your organization.
  • Access to a local administrator account.
  • The device EFI/Boot password (If set).

Disable SIP (System Integrity Protection)

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return.
    csrutil disable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…

Remove all old profiles

Boot into recovery mode again.

  1. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  2. Click the Utilities menu and select Terminal.
  3. Type the following and press return.
    rm -rf /var/db/ConfigurationProfiles/Store/
  4. Close the Terminal app.
  5. Click the Apple menu and select Restart…

Re-enroll the device via DEP

  1. Log back into the Mac with an account that has local administrator privileges.
  2. Open Terminal.app.
  3. Type the following and press return.
    sudo profiles renew -type enrollment
  4. A notification should appear (top right of the screen) prompting you to enrol the device via DEP. Click it and follow the on-screen prompts to complete enrolment.
  5. If prompted, enter credentials for your DEP account.

Re-enable SIP (Crucial)

This step is very important, as SIP is an integral part of a Mac’s security mechanism. Leaving it disabled puts the device at risk.

  1. Click the Apple menu.
  2. Select Restart…
  3. Hold down Command-R to boot into the Recovery System. If prompted, enter the device EFI/Boot password.
  4. Click the Utilities menu and select Terminal.
  5. Type the following and press return.
    csrutil enable
  6. Close the Terminal app.
  7. Click the Apple menu and select Restart…


Deploy an always up to date Google Chrome via Jamf


My approach to working with configuration management systems such as Jamf Pro Cloud is to be as hands-off as possible when it comes to software updates. In this day and age there are much smarter ways of ensuring your devices have the latest packages after imaging than manually uploading the installation package to the management platform.

For the majority of commodity software packages these days, it’s often possible to pull the latest version of an application straight from the vendor’s site before an automated installation. That’s exactly what we’re going to do today:

      1. Create a script titled “Install Google Chrome”
      2. Add the following to the script:
        #!/bin/bash
        # Work in a fresh temporary directory. Under Jamf this script runs as root,
        # and a fixed ~/ChromeTemp would fail if a previous run left it behind.
        TMP=$(mktemp -d) || exit 1
        cd "$TMP" || exit 1
        # Download the latest stable build. -f makes curl fail on an HTTP error
        # instead of saving an error page as the .dmg.
        curl -fL -o googlechrome.dmg "https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg" || exit 1
        # Mount the image without showing it in Finder
        hdiutil attach -nobrowse googlechrome.dmg || exit 1
        # Remove any existing installation only once the new image is in hand
        rm -rf "/Applications/Google Chrome.app"
        # Install Chrome
        cp -R "/Volumes/Google Chrome/Google Chrome.app" /Applications
        hdiutil detach "/Volumes/Google Chrome"
        # Clean up
        rm -rf "$TMP"
        exit 0
      3. Create a policy that runs the script at your specified trigger time. I choose to set the frequency to run once after device enrolment. After it’s installed, Google Chrome will update itself as needed (provided you haven’t put any measures in place to prevent this).
      4. Within your new policy, add rules to kill any running instances and remove existing installations as described in How to stop running applications via Jamf MDM.

Note:

Do be aware that since you’re essentially pulling software from a vendor’s repository, you’re at the mercy of whatever they supply behind the link. So be mindful to only use this method with vendors you absolutely trust.
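That trust can be partly enforced in the script itself. The following is an added example, not code from the original post: it checks the downloaded app’s code signature and Developer Team ID with codesign before replacing the existing install, and leaves the old copy in place if the check fails. The expected Team ID is an assumption you fill in from a known-good copy of the app.

```shell
#!/bin/bash
# Added example: verify the vendor's code signature before installing.
# EXPECTED_TEAM_ID is an assumption: read it from a known-good copy with
#   codesign -dv --verbose=4 "/Applications/Google Chrome.app"
# (the TeamIdentifier= line) and pass it in as a Jamf script parameter.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID_FROM_KNOWN_GOOD_COPY}"
DMG_URL="https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg"

# Read `codesign -dv --verbose=4` output on stdin and succeed only if the
# TeamIdentifier line equals the expected value (a missing line is a failure).
team_id_matches() {
    expected="$1"
    found=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# The signature must validate (deep, strict) and the Team ID must be the
# vendor's; codesign writes its description to stderr, hence 2>&1.
verify_app() {
    app="$1"
    codesign --verify --deep --strict "$app" 2>/dev/null || return 1
    codesign -dv --verbose=4 "$app" 2>&1 | team_id_matches "$EXPECTED_TEAM_ID"
}

# Download, mount, verify, and only then replace the existing install.
install_chrome() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/mnt"
    curl -fsSL -o "$tmp/googlechrome.dmg" "$DMG_URL" || { rm -rf "$tmp"; return 1; }
    hdiutil attach -nobrowse -quiet -mountpoint "$tmp/mnt" "$tmp/googlechrome.dmg" \
        || { rm -rf "$tmp"; return 1; }
    status=1
    if verify_app "$tmp/mnt/Google Chrome.app"; then
        rm -rf "/Applications/Google Chrome.app"
        cp -R "$tmp/mnt/Google Chrome.app" /Applications && status=0
    else
        echo "Signature or Team ID check failed; existing install left untouched" >&2
    fi
    hdiutil detach "$tmp/mnt"
    rm -rf "$tmp"
    return "$status"
}

# Run the install only when invoked with --install, so the functions above
# can be sourced and checked on their own.
if [ "${1:-}" = "--install" ]; then
    install_chrome
    exit $?
fi
```

Running it as `sudo ./install-chrome.sh --install` from the Jamf policy keeps the same download-and-copy flow as the script above, with the signature gate in front of the copy.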