Enrolment profile not removed

Hello, we are using Workspace ONE UEM with iOS devices and we have the following issue.
If I send an "enterprise wipe" or "delete device" request to the device from the console, the account on the device in Intelligent Hub is removed, and the Wi-Fi profiles are gone too, but the device management profile in SETTINGS -> General on the device persists and is not removed. This has the consequence that we can't enrol the device again. Can someone help with that? Any advice?

Hello,

Did you see this article?

"Rare chance for MDM profile to persist on iOS device after deleting the device from Workspace ONE UEM (81976)"

https://kb.vmware.com/s/article/81976

Do you have this issue just with this device?

Hello, yes, this looks like my issue. I have it on both testing devices.
Workspace ONE UEM:
Version: 21.1.0.6 (2101)
Build Information: AIRW-AWCREL60-46 cc6f9d48fee22c5661576cb777af610ee4948c1e

But the workaround described in the article doesn't work in my case. If I send the enterprise wipe, the profile still persists. We definitely do not want to wipe the whole device because of the private content stored there. Our goal is to remove AirWatch management from ca. 200 devices without wiping the whole device. Currently I tested this on 2 devices and both have this issue. All those devices are enrolled via Apple Business Manager and are supervised. The end user can't remove the profile by himself :frowning:

Is there a policy that forbids the user to remove the profile?
Maybe it’s possible to change that and therefore allow the users to remove the management under settings.

I would have to check if this remove setting is set for the setup during initial enrollment. I'm not sure if this is a setting that can only be removed by a wipe and re-enrollment. I can't check that at the moment, sorry.

But of course you need the user to do something.

I'm curious: does the issue still persist with a newly enrolled device?
I had this issue on a few devices but not on a lot.

Our AirWatch is currently crappy. It has been disconnected from Apple Business Manager for several months and new devices are enrolled to AirWatch manually; those devices can at least remove the profile manually. But for those which were enrolled via Apple Business Manager and set up as supervised, I do not see an option to turn the devices to NOT supervised mode without wiping the device. I tested removing the management profile on 3 test devices and none of them removed the profile on the device. I still hope we find some way to do the removal automatically.
I already changed the enrolment profile which sets up the device in supervised mode, but it doesn't change the status of already enrolled devices.

Just to confirm is AirWatch actually communicating with devices in your environment?
Is your APNS certificate current? Can you send other commands down to devices successfully? i.e. lock

Yes, I agree. You should test APNS as suggested.
Especially because the known issue should not affect so many devices. But why can't you use ABM? Is this a planned decision to cut off those services?
Supervision isn't bad in general.
As far as I can remember you can only supervise a device during the initial enrollment. If you want that to be gone you have to wipe the device.

Did you select a "don't allow profile to be removed" setting in the DEP profile? I think you can select such a thing and therefore the MDM profile can't be removed by the user.
I'll look it up tomorrow.

Here is the setting. I think if this is activated you'll have to wipe the device.

Yes, this is something which was enabled and which I disabled now, but as you mentioned it has no impact on devices already enrolled as supervised. The goal is that we need to migrate part of our devices to another MDM solution and we want to do it without wiping the user's device. I will check the APNS certificates today. My expectation was that everything works fine if I'm able to enroll new devices. But I will check the test as suggested by daniil_michine.

Daniil was right, the APNs certificate expired on 1/30/2021.
I'm pretty new to AirWatch. Is it possible to renew the certificate without impact on devices?

Are some of you aware whether, if we renew the certificate after it has expired, the connection to the devices will be re-established?

I think it would be best to review the KB article:

https://kb.vmware.com/s/article/2960965

Very important: "You must renew the certificate with the same Apple ID credentials used to get the original certificate. It is also important to renew the same certificate that was originally uploaded in the console. If you use different credentials or renew a different certificate, you are not renewing the certificate but rather generating a new certificate. When you apply this new certificate to the Workspace ONE UEM Console, the communication breaks between the Workspace ONE UEM Console and the iOS devices associated with the original certificate. If this happens, you must then re-enroll every iOS device associated with the original certificate. Using the same Apple ID credentials and certificate for renewal saves the effort of having to re-enroll all your iOS devices."

If you are really switching to another MDM I would suggest using ABM. I think you have to reset the device if this setting is activated in the DEP profile. You should test that.

But first I would resolve the APNS issue. Be aware that this must be done every year.

I tried to renew the certificate, but I got a certificate mismatch error when uploading the .PEM certificate. I followed the manual, and if I sign in to the Apple certificate portal (using the same Apple ID as in the current certificate) I find only one active certificate with the same expiration date as in AirWatch. So I followed the instructions, renewed the certificate using the downloaded .plist request from AirWatch and then downloaded the newly generated .PEM certificate. But during the last check I found out that the thumbprints of the certificates (current and new) are different. I then uploaded it and got the error. So currently I still have the old certificate in AW and I'm not able to renew it.

Did you use the same browser?
There's a KB article linked within the guide on how to update it. Depending on the error it could be your browser:

"The .plist uploaded into the Workspace ONE UEM Console during the APNs renewal process may have been created from a different browser session (as the Console is expecting a certificate that was renewed using a CSR file generated within the same browser session). The entire process must be completed consecutively within the same browser window."

https://kb.vmware.com/s/article/50101005

Yes, I used the same browser, same session, doing it at once. But I guess the issue is here:
In AW I see in the details about the expired cert:
Issued to C=US, CN=APSP:0e18e122-d185-465d-a626-17a345b32903, OID.0.9.2342.19200300.100.1.1=com.apple.mgmt.External.0e18e122-d185-465d-a626-17a345b32903
But if I check the only available certificate in the Apple Push Certificates console, there is:
C=US, CN=APSP:e31b81b7-c365-42e7-b733-efe94a8a40c6, UID=com.apple.mgmt.External.e31b81b7-c365-42e7-b733-efe94a8a40c6
It looks like two different certificates, but this is the only available certificate (additionally named MDM AirWatch) and it was generated with the same Apple ID as in AW. Also the expiration date was similar.
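The two subject lines quoted above show the same attribute in two notations: the UEM console prints the userId attribute by its OID (`OID.0.9.2342.19200300.100.1.1=`), while the Apple portal prints it as `UID=`. That attribute is the APNs push topic, and a genuine renewal keeps it unchanged; a differently issued certificate carries a different topic, which is the "certificate mismatch" case. The following Python is an added example (not from this thread, VMware or Apple) that parses both notations and decides whether a candidate certificate subject is a renewal of the one the console currently holds. The APSP ids and topics in the sample strings are constructed placeholders, not real values.

```python
import re

# The X.500 userId attribute; Apple's MDM push certificates carry the push
# topic here, and tools print it either as "UID=" or as "OID.<oid>=".
UID_OID = "0.9.2342.19200300.100.1.1"

# Constructed sample subjects, modelled on the two shown in the thread.
# Placeholder ids, not real certificates.
CONSOLE_SUBJECT = (
    "C=US, CN=APSP:00000000-0000-0000-0000-000000000001, "
    "OID.0.9.2342.19200300.100.1.1="
    "com.apple.mgmt.External.00000000-0000-0000-0000-000000000001"
)
PORTAL_SUBJECT = (
    "C=US, CN=APSP:00000000-0000-0000-0000-000000000002, "
    "UID=com.apple.mgmt.External.00000000-0000-0000-0000-000000000002"
)


def parse_subject(subject):
    """Split a comma-separated X.509 subject string into {ATTR: value}.

    Both 'UID=' and 'OID.0.9.2342.19200300.100.1.1=' are normalised to 'UID'
    so that console and portal output can be compared directly.
    """
    attrs = {}
    for part in subject.split(","):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().upper()
        if key in ("OID." + UID_OID, UID_OID):
            key = "UID"
        attrs[key] = value.strip()
    return attrs


def push_topic(subject):
    """Return the APNs push topic (userId) of an MDM push certificate subject."""
    return parse_subject(subject).get("UID")


def apsp_id(subject):
    """Return the APSP identifier from the CN, or None if the CN is not APSP:<id>."""
    cn = parse_subject(subject).get("CN", "")
    match = re.fullmatch(r"APSP:([0-9a-fA-F-]+)", cn)
    return match.group(1) if match else None


def is_renewal_of(current_subject, candidate_subject):
    """True only if the candidate carries the same push topic as the current cert.

    A renewal of the same certificate keeps the topic; a certificate generated
    under a different Apple ID (or a second certificate under the same one)
    gets a new topic, and uploading it breaks communication with devices
    enrolled against the old topic.
    """
    current = push_topic(current_subject)
    candidate = push_topic(candidate_subject)
    return current is not None and current == candidate


def check_candidate(current_subject, candidate_subject):
    """Produce a short verdict line a helpdesk checklist could log."""
    if is_renewal_of(current_subject, candidate_subject):
        return "OK: same push topic %s, this is a renewal" % push_topic(current_subject)
    return "MISMATCH: console topic %s vs candidate topic %s, this is a new certificate" % (
        push_topic(current_subject), push_topic(candidate_subject))


if __name__ == "__main__":
    print(check_candidate(CONSOLE_SUBJECT, PORTAL_SUBJECT))
    same_cert_portal_form = CONSOLE_SUBJECT.replace("OID." + UID_OID, "UID")
    print(check_candidate(CONSOLE_SUBJECT, same_cert_portal_form))
```

Run the check before uploading the .pem: if the verdict is MISMATCH, the certificate downloaded from the portal is not the one the console is tracking, and uploading it would put every enrolled device on the wrong topic.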

It is fixed. The root cause was the expiring APN certificate for Apple devices. The most tricky part was that the AW console displayed a different Apple ID than the one under which the certificate was issued. AW displays whatever you input in the last step of cert renewal, where you upload the .pem certificate and also insert some Apple ID. In this field my colleague inserted a different Apple ID than the one under which it was renewed, and that caused all this issue.
The good thing is that after certificate renewal everything is working well, even though the certificate had already expired. After renewal, push notifications started working, and enterprise wipe and delete also remove the management profile.
Thank you all for good tips and help.