User Tag List

  1. benbrookshire's Avatar
    i just had a tough time with this process, so i thought i'd share for posterity's sake.

    Just a little background: the iphone configuration utility allows "Configuration Profiles" to be created by an administrator and distributed to end-users to quickly and easily apply new settings, or to enforce corporate policies.

    Administrators have the option to create profiles that are permanently applied after being installed, or with the option to remove at any time (with and without password). These three options are available under the Configuration Profiles -> General -> Security value.

    Unfortunately the wording on the section can be confusing - which was the source of this headache. I received and installed a "locked" configuration profile from my administrator. I blindly clicked through the "are you sure, this can't be removed?" popup, and was stuck with a bad configuration.

    other than my oversight in blindly accepting the installation, the wording for the setting is confusing if not read carefully.

    Security -> "Control when the profile can be removed" -> Always/With Authentication/Never

    • Never - profile is locked, and will be permanently applied
    • Always - removal is optional, with no password
    • With Authentication - removal is possible with a password (set in the profile)

    That said - once in this situation (a locked profile is applied) what are your options for removal? Restoring from a backup would take care of it, but thats a little overkill.

    There are two possible scenarios. Depending on whether or not the configuration profile is signed determines how to proceed:

    1. profile is signed, only the administrator who created/signed the profile can help
    2. profile is unsigned, you can edit and "update" the profile by reinstalling it over the top, making the profile it uninstallable

    To find out if the profile is signed go to Settings -> General -> Profiles, on your phone, and select the locked profile. You should see "Signed" in green, or "Unsigned" in red.

    In either case installing an updated copy of the profile will update the settings that were applied during the first installation. That means editing the original profile with Security -> "Control when the profile can be removed" -> Always, and Exporting, then reinstalling the profile will allow you to remove the profile.

    If the profile is unsigned you can download the iPhone Configuration Utility and do this on your own, just drop in the Configuration profile, make the change (Security -> "Control when the profile can be removed" -> Always) and Export it. When you export do so as "unsigned", and then download and install the profile on your phone. The existing profile is updated, and you can now remove it.

    Not about to restore my phone the above finally dawned on me, and it works.

    If the profile is signed (this part is conjecture), the above process of import/edit/export/install won't work, because during export you won't have the proper certificate to sign the edited copy of the profile. Instead the original creator will have to make the edit to the profile and reexport - signing with the original certificate. this updated profile can then be installed in the same way to update the settings (allowing you to remove the profile).

    Things that didn't work:
    • I was unable to reset all installed profiles by deleting /User/Library/ConfigurationProfiles (which is where at least part of the configuration is stored).
    • Installing a new profile with similar settings, but was unlocked
    2011-09-22 12:59 AM
  2. LewisO's Avatar
    If a profile is: Never - profile is locked, and will be permanently applied
    is there any way to remove or change it?
    2013-06-04 08:33 PM
  3. benbrookshire's Avatar
    If a profile is: Never - profile is locked, and will be permanently applied
    is there any way to remove or change it?
    Yes, the steps depend on whether the profile is signed it not, though. Read the rest of the writeup above. I outline steps to remove it by overwriting it.
    2013-06-05 01:05 AM