How to delete a certificate restored from an iPhone or iPad backup when switching MDM?

I’m working on migrating my office from JAMF Now to Mosyle since Mosyle provides so much more for a cheaper price tag. I’ve never used Mosyle before, so I thought I’d start by asking their support after poking around in their new-to-me interface.

Submitting a ticket

I submitted a ticket to Mosyle Support asking how to do a migration:

Can you point me in the right direction on how to go about migrating from Jamf Now to Mosyle? I have a few blueprints in Jamf Now that I would like to migrate over, is there a good way to do that? These are mainly for iPads with new Macs as well.

-Me

You would need to recreate your profiles and workflows in Mosyle and then erase and re-enroll your iPads to move them from another MDM. The Macs have a way of enrollment that doesn’t require a wipe. 

-Support

About my iPad Pro

My iPad Pro is a 3rd generation 11-inch that is part of our Apple business DEP, so the device is bound to our organization’s account and forces an MDM on the device if assigned. This device is being backed up to my personal iCloud account, which made things a bit troublesome. I opened Mosyle and Jamf Now and one by one rebuilt the profile. Mind you, this is my IT Dept profile that has very little locking it down but enough that makes the iPad secure and easy for me to use.

Switching MDMs in Apple Business

So I went to business.apple.com and changed the MDM for the iPad to Mosyle and did a restore on the iPad.

  1. Click on Devices on the left sidebar
  2. At the top of the second left pane use the search box to search for the iPad name or serial number
  3. On the right pane click on Edit MDM Server and select the first radio button to Assign to the following MDM: and select the new MDM

Just to be 100% certain that the iPad would land on the correct MDM I changed the default MDM for iPads to be Mosyle.

  • Bottom of the first pane click on your name and then Preferences
  • On the second left pane click on MDM Server Assignment
  • Then on the right pane click on Edit next to Default MDM Assignment
  • Change the assignment for iPad to be the MDM you want it to use.

What about iCloud Backups?

Mind you, I’m currently running iPadOS 16.0 Beta and found that when I restored from iCloud backup it brought the profile from the Jamf Now MDM with it. Annoyed, I looked into how to remove the Jamf Now profile and found this post from a few years back.

https://apple.stackexchange.com/a/310041

I found a certificate in my iOS device’s Certificate Trust Settings, and it could not be found in Profiles. Finally I removed it by adding the cert file again, and then I could find and remove it in Profiles.

At first, I couldn’t find the cert file, because this CA was installed years ago. So I did these things:

  1. Back up the iPhone to a Mac and view the backup files with some software (I used iMazing).
  2. Find TrustStore.sqlite3 in Backup/KeychainDomain/ and export it to HOME DIR.
  3. Use this project https://github.com/ADVTOOLS/ADVTrustStore to export the cert file: ./iosCertTrustManager.py -t ~/TrustStore.sqlite3 -e ~/foo.crt
  4. AirDrop or email this crt file to the iOS device, and install it.
  5. Find it in Settings > General > Profiles and remove it.
  6. It disappears from “Certificate Trust Settings”.
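
Steps 2 and 3 of the quoted answer can also be checked by hand before anything is reinstalled on the device. The sketch below is an added example, not code from the original post or from the ADVTrustStore project; it assumes the TrustStore.sqlite3 file uses a tsettings table with sha1, subj, tset and data columns (newer OS versions may differ), and it runs against a constructed in-memory database with placeholder bytes instead of real certificates.

```python
import base64
import hashlib
import sqlite3
import textwrap


def build_sample_truststore(path=":memory:"):
    """Constructed stand-in for an exported TrustStore.sqlite3 (assumed schema)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE tsettings (sha1 BLOB, subj BLOB, tset BLOB, data BLOB)")
    # Constructed placeholder bytes, not real certificates.
    for der in (b"\x30\x82constructed-old-mdm-ca", b"\x30\x82constructed-proxy-ca"):
        db.execute("INSERT INTO tsettings VALUES (?, ?, ?, ?)",
                   (hashlib.sha1(der).digest(), b"subject", b"<plist/>", der))
    # Constructed row whose stored fingerprint does not match its data.
    db.execute("INSERT INTO tsettings VALUES (?, ?, ?, ?)",
               (b"\x00" * 20, b"subject", b"<plist/>", b"\x30\x82mismatch"))
    return db


def to_pem(der):
    """Wrap DER bytes in PEM armour so the file can be opened or installed."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def list_trusted(db):
    """Return one record per trust entry: fingerprint, integrity flag, PEM text."""
    records = []
    for stored, der in db.execute("SELECT sha1, data FROM tsettings"):
        actual = hashlib.sha1(der).digest()
        records.append({
            "sha1": actual.hex(),
            # False means the indexed fingerprint and the stored blob disagree.
            "matches_index": actual == bytes(stored),
            "pem": to_pem(der),
        })
    return records


if __name__ == "__main__":
    for rec in list_trusted(build_sample_truststore()):
        flag = "ok" if rec["matches_index"] else "FINGERPRINT MISMATCH"
        print(rec["sha1"], flag)
```

To run it on a real export, replace the sample builder with sqlite3.connect on a copy of the file and compare each fingerprint with what Certificate Trust Settings shows on the device.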

Wait… you can edit the backup?

I read step 1 and the rest didn’t help me any, so I went ahead and followed step 1 to remove the file from the backup. Reading this, I thought it would be a good idea to try and do a backup to my Mac and then use iMazing (a way more user-friendly Configurator 2) to make a local backup on the Mac so I can remove the problem profiles. I restored the iPad from local backup using iMazing’s restore feature and I was good to go.

End result

Once the restore was complete, my iPad wasn’t on the old MDM any more and is now on Mosyle AND my setup was restored. So far this works on my iPad; let’s see what it does for a few of the others that my staff have.

My work has various utility iPads that we use for having our guests check in and get information from the iPads we have on campus. I don’t think I’ll need to do this backup and restore thing much since most of them will be wiped and set up using profiles defined in the MDM.