Removing a non-removable enrollment profile

The scenario: we have some Mojave Macs that we enrolled into an MDM via Apple School Manager/Device Enrollment Program, and we made the enrollment profile non-removable (this is from Meraki, but any MDM offers this option):

removable no

This results in a profile that cannot be removed on the client Mac, even if you’re root. Here’s a detailed diatribe about that. 

A few months later, we wanted to change to another MDM. First, we released each Mac from the old MDM, and used ASM’s Device Assignments section to assign it to our new MDM. Then, we were supposed to factory-reset (erase) the Mac, but we didn’t want to do that, so we did this hack:

1. Boot the Mac into Recovery Mode (hold down command-r during startup)

2. Go to the Utilities menu and open Terminal and type:

cd /Volumes
ls

In the result, you should see the hard drive name of your Mac (usually “Macintosh HD”). Whatever the name is, type

cd Macintosh\ HD

(Or whatever yours is called.) Note the backslash to escape the space in the name. Then type

cd var/db/ConfigurationProfiles

Then, type 

pwd

(pwd = Print Working Directory — verify where you are in the directory structure.) The result should say

/Volumes/Macintosh HD/var/db/ConfigurationProfiles

Again, substitute your hard drive name if it’s not “Macintosh HD.” If you are not ABSOLUTELY CERTAIN that you’re in this directory, do NOT PROCEED or you will lose data: the next command deletes everything in whatever directory you are currently in.

If you ARE in that directory, CAREFULLY type:

rm -rf *
mkdir Settings
touch Settings/.profilesAreInstalled

3. Reboot. 

You will have to manually enroll the Mac to your new MDM, i.e. it won’t automatically self-enroll, but at least you don’t have to erase it and start from scratch.
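
A guarded form of the step 2 commands, added here as an example and not part of the original post: it repeats the pwd check from the warning above in code and refuses to delete anything if the location is not the expected one. The function name reset_profiles_dir and its messages are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the step-2 commands wrapped in
# a function that verifies the directory first. Names are hypothetical.
# Usage in the Recovery Terminal, after defining the function:
#   reset_profiles_dir "/Volumes/Macintosh HD"
reset_profiles_dir() (
    vol_root=$1

    # Refuse an empty argument or "/": in Recovery, "/" is the recovery
    # system itself, not the Mac's own volume.
    case "$vol_root" in
        ""|"/")
            echo "usage: reset_profiles_dir /Volumes/<disk name>" >&2
            exit 2 ;;
    esac

    target="$vol_root/var/db/ConfigurationProfiles"
    [ -d "$target" ] || { echo "not found: $target" >&2; exit 1; }

    # Enter the directory and confirm where we really are (the manual
    # pwd check from the post) before anything is deleted.
    cd "$target" || exit 1
    case "$(pwd -P)" in
        */var/db/ConfigurationProfiles) ;;
        *) echo "unexpected location: $(pwd -P)" >&2; exit 1 ;;
    esac

    # Same three commands as the post. "./*" keeps rm confined to this
    # directory and "--" stops a file name being read as an option.
    rm -rf -- ./* || exit 1
    mkdir Settings || exit 1
    touch Settings/.profilesAreInstalled
)
```

The function body runs in a subshell, so the cd does not change the directory of the Terminal session that called it.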