Remove an (embedded) iOS configuration profile installed through Self Service

aram
New Contributor II

Before iOS 8 I was able to manually remove a configuration profile from an iPad, installed through Self Service. In Settings > General > Profiles & Device Management the individual profiles were listed and (if enabled in JSS) could be deleted. This way I could go back in Self Service and reinstall the profile again.

Now, with iOS 8.0.2 these profiles seem to be listed/embedded within the MDM Profile. The profile I'm trying to remove is an email profile (Exchange, Gmail settings) and all that is visible is an 'Accounts'-section that is added inside the MDM profile. How can I remove this profile from the iPad without logging in to the JSS?

The mail accounts-tab will only tell me that "These settings are installed by the profile 'Gmail Settings - Self Service'"; everything is set as desired in the JSS (including ability to remove this profile) and works as expected, however, I'm not seeing the ability to remove these individual profiles. Am I not seeing something?

Thanx, Aram

2 ACCEPTED SOLUTIONS

plawrence
Contributor II

Hi Aram

This is listed as a known issue in 9.52:

[D-007628] iOS configuration profiles made available in Self Service cannot be removed manually from mobile devices with iOS 8 even when the profiles are configured to allow removal. Workaround: Remove the mobile device from the scope of the profile.

View solution in original post

aram
New Contributor II

UPDATE : I have been testing the Self Service app and found that there is a re-install option. This isn't present in the Web Clip.

Changing the user in the JSS and then re-installing the mail profile from Self Service app will take the new user-settings and set up the new user's mailbox!!!

This fixes my initial issue I had with 'outdated', embedded profiles with the MDM-profile. I can now just 'overwrite' the profile within the MDM-profile with a updated user credentials.

bc90559511874910bf0b76e49c7b83f8

I need this functionality because students at our school could stop/start mid-year and will get an iPad that was used by someone else before. Setting it up from scratch is another option, although 9 out of 10 times they are already using the iPad before someone lets me know and I can't wipe it anymore, because the new student has already saved stuff on there... ;-) I can now just have the new users (re-)setup their mail as normal through Self Service.

View solution in original post

8 REPLIES 8

plawrence
Contributor II

Hi Aram

This is listed as a known issue in 9.52:

[D-007628] iOS configuration profiles made available in Self Service cannot be removed manually from mobile devices with iOS 8 even when the profiles are configured to allow removal. Workaround: Remove the mobile device from the scope of the profile.

BK
New Contributor III

I also am having this issue as well. This feature needs to be in place without having to re-scope mobile devices to remove. This thread is from 6 months ago and still an issue.

cdenesha
Valued Contributor II

I agree it would be nice to have that capability back! However this is the way Apple designed it with iOS 8. You'll notice this sentence at the top of the Known Issues list in each Casper Release Notes: "The following issues are a result of bugs in third-party software. Defects have been filed for these bugs and are awaiting resolution."

You would also want to leave Apple feedback to have this changed.

chris

aram
New Contributor II

I have just left some feedback with Apple too, Chris!

For me the suggested workaround with changing the scope wasn't an option (as I learned the hard way); removing the iPad from the static group, would also remove all the scoped apps to that iPad, including all the data, which, of course, wasn't backed up or 'properly' saved/stored off the iPad.

But then I work with 5-yr olds in education, so can't really blame them, can I...?? It was unfortunate for the kid that he had to redo some work, but lived to tell... ;-)

Because this is about email settings, I am able to simply switch the account off in Settings / Mail, Contacts, Agenda and manually add it; most users don't even know they have an inactive mail account, they just use Mail and their mail shows up! :-)

I would really like the functionality back, though. Remove profile, submit inventory and bring it down from Self Service again... This all happened, by the way, because the user wasn't assigned in Casper (my bad!), thus the kid downloaded an empty mail profile without a $EMAIL-value in it (the username in this case, which is an inaccessible field in the profile).

cdenesha
Valued Contributor II

I'm glad you were able to find a workaround.

Please note that it is a Best Practice to configure different types of settings (WiFi, Email, Restrictions) in different profiles. You can then make granular changes without messing with other options - even reinstall if necessary.

I have created Extension Attributes called 'temporarily exclude from Restrictions', and WiFi, and Content Filter, etc. I then have a Smart Group with criteria of 'temporarily exclude from Restrictions' IS 'Yes'. This SG is an Exclusion in the Scope of my configuration profiles. By simply editing the record in the JSS I can uninstall profiles, then reverse it to reinstall. I think there is also less chance of making a mistake by editing the Scope directly.

chris :)

aram
New Contributor II

UPDATE : I have been testing the Self Service app and found that there is a re-install option. This isn't present in the Web Clip.

Changing the user in the JSS and then re-installing the mail profile from Self Service app will take the new user-settings and set up the new user's mailbox!!!

This fixes my initial issue I had with 'outdated', embedded profiles with the MDM-profile. I can now just 'overwrite' the profile within the MDM-profile with a updated user credentials.

bc90559511874910bf0b76e49c7b83f8

I need this functionality because students at our school could stop/start mid-year and will get an iPad that was used by someone else before. Setting it up from scratch is another option, although 9 out of 10 times they are already using the iPad before someone lets me know and I can't wipe it anymore, because the new student has already saved stuff on there... ;-) I can now just have the new users (re-)setup their mail as normal through Self Service.

RLR
Valued Contributor

Currently have similar issue to OP except our student has installed a profile using our BYOD provisioning portal which enables users to bring their own devices and join the school wifi. This profile installed via the BYOD portal is stopping them from joining the wifi normally -Jamf is reporting that the profile is removable, but I can't remove it as it's embedded in the MDM profile.

As this isn't installed via Jamf, I can't put the iPad in a restricted group to remove the profile. Only way I can think to remove this now is to restore the iPad from backup.