Mac OS X,  Mac OS X Server

Use The Profiles Command In High Sierra

You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in High Sierra. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing.

Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start it up automatically. This, along with all of the operators remains static from 10.10 and on.

To script profile deployment, administrators can add and remove configuration profiles using the new /usr/bin/profiles command. To see all profiles, aggregated, use the profiles command with just the -P option:

/usr/bin/profiles -P

If there are no profiles installed, you’ll see a message similar to the following:

There are no configuration profiles installed

As with managed preferences (and piggy backing on managed preferences for that matter), configuration profiles can be assigned to users or computers. To see just user profiles, use the -L option:

/usr/bin/profiles -L

If there aren’t any profiles in the System Domain, you’ll see a message similar to the following:

There are no configuration profiles installed in the system domain

You can remove all profiles using -D:

/usr/bin/profiles -D

You’ll then see a prompt to remove all profiles, enter y to do so or n to skip:

Are you sure you want to remove all device configuration profiles? [y/n]

The -I option installs profiles and the -R removes profiles. Use -p to indicate the profile is from a server or -F to indicate it’s source is a file. To remove a profile:

/usr/bin/profiles -R -F /tmp/HawkeyesTrickshot.mobileconfig

To remove one from a server:

/usr/bin/profiles -R -p com.WestCoastAvengers.HawkeyesTrickshot

The following installs HawkeyesTrickshot.mobileconfig from your desktop:

/usr/bin/profiles -I -F ~/Desktop/HawkeyesTrickshot.mobileconfig

If created in Profile Manager:

/usr/bin/profiles -I -p com.WestCoastAvengers.HawkeyesTrickshot

You can configure profiles to install at the next boot, rather than immediately. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure):

profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v

And that’s it. Nice and easy and you now have profiles that only activate when a computer is started up. As of OS X Yosemite, the dscl command got extensions for dealing with profiles as well. These include the available MCX Profile Extensions:

-profileimport -profiledelete -profilelist [optArgs] -profileexport
-profilehelp

To list all profiles from an Open Directory object, use 
-profilelist. To run, follow the dscl command with -u to specify a user, -P to specify the password for the user, then the IP address of the OD server (or name of the AD object), then the profilelist verb, then the relative path. Assuming a username of diradmin for the directory, a password of moonknight and then cedge user:

dscl -u diradmin -P moonknight 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

To delete that information for the given user, swap the profilelist extension with profiledelete:

dscl -u diradmin -P apple 192.168.210.201 profilelist /LDAPv3/127.0.0.1/Users/cedge

If you would rather export all information to a directory called ProfileExports on the root of the drive:

dscl -u diradmin -P moonknight 192.168.210.201 profileexport . all -o /ProfileExports

In Yosemite we got a few new options (these are all still in 10.11 with no new operators), such as -H which shows whether a profile was installed, -z to define a removal password and -o to output a file path for removal information. Also, as in Yosemite it seems as though if a configuration profile was pushed to you from MDM, you can’t remove it (fyi, I love having the word fail as a standalone in verbose output):

bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[2] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[3] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[4] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
charlesedge[5] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
_computerlevel[6] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[7] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[8] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
There are 8 configuration profiles installed

bash-3.2# profiles -r 772BED54-5EDF-4987-94B9-654456CF0B9A
bash-3.2# profiles -P
_computerlevel[1] attribute: profileIdentifier: F3C87B6E-185C-4F28-9BA7-6E02EACA37B1
_computerlevel[2] attribute: profileIdentifier: EE08ABE9-5CB8-48E3-8E02-E46AD0A03783
_computerlevel[3] attribute: profileIdentifier: 24DA416D-093A-4E2E-9E6A-FEAD74B8B0F0
_computerlevel[4] attribute: profileIdentifier: 00000000-0000-0000-A000-4A414D460003
_computerlevel[5] attribute: profileIdentifier: 772BED54-5EDF-4987-94B9-654456CF0B9A
_computerlevel[6] attribute: profileIdentifier: C11672D9-9AE2-4F09-B789-70D5678CB397
charlesedge[7] attribute: profileIdentifier: odr.krypted.com.ADD7E5A6-8EED-4B11-8470-C56C8DC1E2E6
charlesedge[8] attribute: profileIdentifier: com.krypted.office365.a5f0e328-ea86-11e3-a26c-6476bab5f328
There are 8 configuration profiles installed

bash-3.2# profiles -rv 772BED54-5EDF-4987-94B9-654456CF0B9A
profiles: verbose mode ON
profiles: returned error: -204
fail

The -N option will re-run the DEP enrollment:

profiles -N

A list of command verbs found using “profiles -help”:

Command Verbs:
status – indicates if profiles are installed
list – list profile information
show – show expanded profile information
install – install profile
remove – remove profile
sync – synchronize installed configuration profiles with known users
renew – renew configuration profile installed certificate
version – display tool version number

Options: (not all options are meaningful for a command)
-type= – type of profile; either ‘configuration’,
‘provisioning’, ‘enrollment’, or ‘startup’
-user= – short user name
-identifier= – profile identifier
-path= – file path
-uuid= – profile UUID
-enrolledUser= – enrolled user name
-verbose – enable verbose mode
-forced – when removing profiles, automatically confirms requests
-all – select all profiles
-quiet – enable quiet mode