This week I encountered a problem with an expired iOS MDM configuration profile (i.e., expired certificates) on one of my jailbroken testing devices. When I tried to re-enroll to the MDM server, iOS gave me the following error message:
“Profile Installation Failed - The new MDM Payload does not match the old payload.“
The only recommendation I found was to completely remove the old profile using the iOS Settings app:
Settings -> General -> Device Management -> Select MDM Profile -> Select “Remove Management”
However, the profile was issued with the
PayloadRemovalDisallowed flag to prevent manual removal. In fact, this flag hides the “Remove Management” button from the Profiles preference pane and effectively prevents removal of the profile.
As even the MDM server had no longer control over this device, the next step would have been to reset it, which would have caused me to lose the jailbreak. Since that was not an option, I took a look at the iOS MDM daemon
mdmd to find a way to remove the MDM profile from the command line.
If you ever experience similar problems, try the following steps:
Attach to iOS
# cycript -p profiled
List installed profiles using
cy# [[MCProfileConnection sharedConnection] installedProfileIdentifiers]; @["com.company.mobileconfig", "CERTIFICATE.1011"]
Remove any installed profiles:
cy# [[MCProfileConnection sharedConnection] removeProfileAsyncWithIdentifier:@"com.company.mobileconfig"]; cy# [[MCProfileConnection sharedConnection] removeProfileAsyncWithIdentifier:@"CERTIFICATE.1011"];
After perfoming these steps, verify that all profiles have been removed using the iOS Settings app and finally re-enroll to your MDM.