Overview: Using the 'sudo profiles renew -type enrollment" Command

This article will discuss the ins and outs of the command that is capable of refreshing the MDM status of a device enrolled via Automated Device Enrollment (ADE). A brief overview of this command can be seen in Apple's documentation.

The command we will cover is:

sudo profiles renew -type enrollment

Or, a shorter version:

sudo profiles -N

Requirements

1. Must be on macOS
2. The device must be tied to an MDM server in Apple Business or School Manager
3. The command must be executed as the first admin user created on the device
4. Requires manual interaction locally on the device

When the command does not work

1. If the device is attempting to install a different push certificate than the one currently installed. For example, if a device is enrolled in Policy A but is assigned to an MDM server tied to Policy B (with differing push certificates), you will receive an error using this command.
2. If an expired push certificate is being used in the policy that the device's MDM server is tied to
3. If SecureToken is broken on the user running the command

Common use cases

Modifying the ADE settings on a device (requires an active MDM push certificate): 

Let's say you enforce non-removable MDM on devices to ensure end-users cannot remove MDM on their devices. If MDM needs to be removed, you can normally do so by using the "Delete Devices" tool. However, if this is not working for any reason, the MDM profiles will have to be removed manually or the device will have to be wiped.
To leverage this command to remove MDM manually, you can change the relevant option within the ADE settings in Policies > (Policy) > Settings > Automated Device Enrollment.

Once you save the changes within the ADE settings page, go ahead and run the profiles renew command on the device and MDM will now be removable.

Notes: This workflow is especially useful for devices that need to migrate to a different push certificate. For more information on this process, kindly reference the following KB. FAQ: My Push Certificate Expired

Device is not responding to MDM:

We always recommend that you first try running our Kickstart MDMClient Script, but if this does not work, profiles renew may help serve as a backup.

Device skipped/did not receive the "Remote Management" screen during Setup Assistant:

There have been scenarios where a device did not get the Remote Management screen during setup, which is what performs the ADE process. This command has been seen to help enroll the device if it did not see the Remote Management screen during setup.

Steps to use the command

1. Open the Terminal app by pressing CMD+Space and searching for the app, or navigate to the Applications > Utilities folder and open it from there.
2. In Terminal, type the command and hit enter. When prompted, enter your password.
3. After the command is run and the correct admin password is provided, the next steps will depend on the OS version.
   • If the device is running macOS 14+, a full-screen prompt will be shown. Here, select "Enroll" and enter admin credentials.
     
   • If the device is running macOS 13 or lower, a notification from the System Settings / System Preferences app will be shown. You may need to expand the notification center to see this notification:
     
     Once you click on this notification, the Profiles window of System Settings / System Preferences should appear. If it does not, open the System Settings / System Preferences app and search for the Profiles section. Once there, you can approve the MDM enrollment profile by double-clicking it, selecting 'Install' and entering admin credentials.