This article will discuss the ins and outs of the command that is capable of refreshing the MDM status of a device enrolled via Automated Device Enrollment (ADE). A brief overview of this command can be seen in Apple's documentation.
The command we will cover is:
sudo profiles renew -type enrollment
Or, a shorter version:
sudo profiles -N
Requirements
- Must be on macOS
- The device must be tied to an MDM server in Apple Business or School Manager
- The command must be executed as the first user created on the device
- Requires manual interaction locally on the device
When the command does not work
- If the device is attempting to install a different push certificate than the one currently installed. For example, if a device is enrolled in Policy A but is assigned to an MDM server tied to Policy B (with differing push certificates), you will receive an error using this command.
- If an expired push certificate is being used in the policy that the device's MDM server is tied to
- If SecureToken is broken on the user running the command
Using the command remotely
The following script is capable of initiating the profiles renew process via Addigy; however, local interaction is still required on the device. Further, the ADE user (the first user created on the device) must be logged in when the script is executed.
# Resolve the console user's name via scutil, look up its UID, and run the renewal inside that user's session
launchctl asuser "$(id -u $(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }'))" sudo profiles renew -type enrollment
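The one-liner above fires the renewal blindly, which makes the failure cases listed earlier (nobody logged in, a SecureToken problem on the user, a device that is not actually ADE-enrolled) hard to tell apart from a push certificate problem. The script below is an added example, not Addigy's or Apple's code: it wraps the same `launchctl asuser ... profiles renew -type enrollment` call with pre-flight checks parsed from the output of `scutil`, `profiles status -type enrollment` and `sysadminctl -secureTokenStatus`. It assumes a macOS host with those tools, and treats UID 501 as a heuristic for "first user created on the device" (that is an assumption, not something the article states). The parsing helpers read their input from stdin so they can be exercised with constructed sample output.

```shell
#!/bin/bash
# Added example (not Addigy's or Apple's code): pre-flight checks before running
# `profiles renew -type enrollment` as the logged-in console user. The helpers read
# command output from stdin so they can be exercised with constructed text; the
# real macOS tools are only invoked inside run_renewal.
set -u

# Extract the console user's short name from the output of
# `scutil <<< "show State:/Users/ConsoleUser"`. Prints nothing while the login
# window is active, which is exactly the "nobody is logged in" case.
console_user_from_scutil() {
  awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Return 0 when `profiles status -type enrollment` output reports both ADE
# ("Enrolled via DEP: Yes") and an MDM enrollment ("MDM enrollment: Yes ...").
enrollment_ok_from_status() {
  local status dep mdm
  status=$(cat)
  dep=$(printf '%s\n' "$status" | awk -F': ' '/^Enrolled via DEP/ { print $2 }')
  mdm=$(printf '%s\n' "$status" | awk -F': ' '/^MDM enrollment/ { print $2 }')
  if [ "$dep" = "Yes" ]; then
    case "$mdm" in Yes*) return 0 ;; esac
  fi
  return 1
}

# Return 0 when `sysadminctl -secureTokenStatus <user>` (which writes to stderr)
# reports an enabled token; a broken or disabled token is one of the failure cases.
securetoken_enabled_from_output() {
  grep -q 'Secure token is ENABLED'
}

# Run the checks against the live system and, if they pass, trigger the renewal.
# Assumes macOS with scutil, profiles, sysadminctl and launchctl available.
run_renewal() {
  local user uid
  user=$(printf 'show State:/Users/ConsoleUser\n' | scutil | console_user_from_scutil)
  if [ -z "$user" ]; then
    echo "No console user logged in; the ADE user must be at the desktop." >&2
    return 1
  fi
  uid=$(id -u "$user")
  # Heuristic only (assumption): the first local account on macOS normally gets UID 501.
  if [ "$uid" != "501" ]; then
    echo "Warning: $user (uid $uid) may not be the first user created on this Mac." >&2
  fi
  if ! profiles status -type enrollment | enrollment_ok_from_status; then
    echo "Device does not report ADE + MDM enrollment; renewal may fail." >&2
  fi
  if ! sysadminctl -secureTokenStatus "$user" 2>&1 | securetoken_enabled_from_output; then
    echo "SecureToken is not enabled for $user; renewal is likely to fail." >&2
    return 1
  fi
  launchctl asuser "$uid" sudo profiles renew -type enrollment
}

# Only touch the live system when invoked explicitly, e.g. `sudo ./renew.sh --run`.
if [ "${1:-}" = "--run" ]; then
  run_renewal
fi
```

Deployed through Addigy, the stderr messages end up in the script output, so a failed run tells you which requirement was missing rather than leaving you to guess between a SecureToken issue and a push certificate mismatch. The UID 501 check is deliberately a warning rather than a hard stop, since the first-created user can be renamed or re-created in ways the UID alone does not reveal.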
Common use cases
Modifying the ADE settings on a device (requires an active MDM push certificate):
Let's say you enforce non-removable MDM on devices to ensure end-users cannot remove MDM on their devices. If MDM needs to be removed, you can normally do so by using the "Delete Devices" tool. However, if this is not working for any reason, the MDM profiles will have to be removed manually or the device will have to be wiped.
To leverage this command to remove MDM manually, you can change the relevant option within the ADE settings in Policies > (Policy) > Settings > Automated Device Enrollment.
Once you save the changes within the ADE settings page, go ahead and run the profiles renew command on the device and MDM will now be removable.
Notes: This workflow is especially useful for devices that need to migrate to a different push certificate. For more information on this process, reference the following KB: FAQ: My Push Certificate Expired
Device is not responding to MDM:
We always recommend that you first try running our Kickstart MDMClient Script, but if this does not work, profiles renew may help serve as a backup.
Device skipped/did not receive the "Remote Management" screen during Setup Assistant:
There have been scenarios where a device did not get the Remote Management screen during setup, which is what performs the ADE process. This command has been seen to help enroll the device if it did not see the Remote Management screen during setup.