macOS 11 "Big Sur" prevents automatic installation of profiles with the "profiles" command-line tool. This was introduced for security reasons (to prevent malware from silently installing profiles which could damage the device installation), and it has an impact on how profiles must be installed with FileWave.
Currently, FileWave manages profiles:
- using the FileWave agent (fwcld), which in turn uses the profiles command-line tool:
  - profiles are installed using profiles -I
  - profiles are removed using profiles -R
  - profiles are updated using profiles -R followed by profiles -I, as there is no "update" option
- using FileWave MDM, which uses the InstallProfile, ProfileList and RemoveProfile commands if your device is MDM enrolled
In addition, FileWave keeps track of whether a profile was installed via the command-line tool before the device was MDM enrolled. The reasons are:
- the MDM protocol does not allow MDM to "take ownership" of a profile; in other words, there is no way to manage, via MDM, a profile already installed via the profiles command line
- managing such a profile from MDM requires removing the profile using the command line before installing it via MDM
- removing a Network, Certificate or any other profile required to set up communication with the FileWave server may break MDM management and require manual interaction to fix the issue
Therefore, FileWave keeps track of the method of installation, and a profile which was initially installed via the profiles command line keeps being managed that way.
However, macOS Big Sur now makes the profiles -I command ineffective; as FileWave removes and then reinstalls profiles when upgrading them, this can lead to profile removal.
Solution
Starting with FileWave 14.0.2, upgrading (command line) profiles on macOS Big Sur using the fwcld agent will be disabled, so profiles will not be removed accidentally. The next steps will be:
- ensure your device is MDM enrolled (DEP or User Approved)
- for any profile installed via command line, you need to remove the association so FileWave removes the profile via command line
- re-associate the profile, so FileWave now installs the profile via MDM
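A pre-flight check for the first step above, as an added example that is not FileWave code: it reports whether a device on which profiles -I no longer works is enrolled in a way (DEP or User Approved) that lets MDM take over profile delivery. The function names are hypothetical, the status text format is an assumption based on what profiles status -type enrollment typically prints, and the sample is constructed.

```sh
#!/bin/sh
# Added example (not FileWave code): pre-flight check before moving a
# command-line-installed profile to MDM delivery.

# Return 0 when the given macOS version ignores "profiles -I" (11 and later).
# Big Sur can report itself as 10.16 to older tooling, so 10.16+ counts too.
# An unparseable version is treated as blocked (fail closed).
cli_install_blocked() {
    major=${1%%.*}
    case $1 in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    case $major in ''|*[!0-9]*) return 0 ;; esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -ge 11 ] && return 0
    [ "$major" -eq 10 ] && [ "$minor" -ge 16 ] && return 0
    return 1
}

# Classify the text printed by "profiles status -type enrollment".
# Prints one of: dep, user-approved, not-approved, not-enrolled.
enrollment_state() {
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment:[[:space:]]*//p')
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
    case $mdm in Yes*) ;; *) echo not-enrolled; return 0 ;; esac
    case $dep in Yes*) echo dep; return 0 ;; esac
    case $mdm in
        *"User Approved"*) echo user-approved ;;
        *) echo not-approved ;;
    esac
}

# Prints not-needed (command line still works), ready, or enroll-first.
migration_check() {   # $1 = macOS version, $2 = enrollment status text
    if ! cli_install_blocked "$1"; then echo not-needed; return 0; fi
    case $(enrollment_state "$2") in
        dep|user-approved) echo ready ;;
        *) echo enroll-first ;;
    esac
}

# Constructed sample of the status text (not captured from a real device).
SAMPLE_STATUS='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/enroll'

# On a Mac: migration_check "$(sw_vers -productVersion)" \
#               "$(profiles status -type enrollment)"
```

A result of enroll-first means the association should stay in place until the device is enrolled, since removing it would leave no working path to reinstall the profile.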
Nuclear Solution
If you are unable to get FileWave to remove the profiles by removing the association, you will have to purge FileWave from the client:
- Create an association with the fileset "FileWaveUninstallermacOSv4 - incl.logging"
- Update Model and wait for client to deploy payload
- The client should now turn red and can be deleted from the server
- On the client, remove the FileWave enrollment profile (this should be the only remaining profile at this point)
- Reinstall the FileWave Client
- Run the Check Enrollment App to get a proper DEP Enrollment
- Import the Client into FileWave Server
- ???
- Success
Removing profile(s) may disconnect your device from your network; proceed carefully. It may be necessary to deploy another profile which will allow the device to stay connected during the process.
