profiles command includes client-side rate limitation for certain functions on macOS 12.3
One of the changes brought with macOS 12.3 is that the profiles command line tool now includes a rate limiter for some of its functions:
- profiles show
- profiles validate
In both cases, running these functions may be limited to once every 23 hours.
For those familiar with rate limitation on the server side, where a server may choose to limit how many calls can be received in a set period from a client, this rate limitation is similar but is set and managed entirely on the client side. This means that there is no bypassing the profiles command’s rate limitation in this case for the Mac in question.
One way this may appear is on Macs which are part of the Automated Device Enrollment program, where the Mac can show its enrollment status by running the following command:
profiles show -type enrollment
In the event that this command errors, the profiles command will block further attempts to display this information for the next 23 hours. In this situation, you may see output like that shown below:
username@computername ~ % sudo profiles show -type enrollment
Password:
Device Enrollment configuration:
(null)
username@computername ~ % sudo profiles show -type enrollment
Error fetching Device Enrollment configuration – Request too soon. Try again later.
At this time, I don’t know where the information which tracks this 23 hour limitation is stored, but I did confirm that it is stored somewhere in the writable portion of the Mac’s boot drive. Wiping the Mac’s boot drive, via a disk wipe and OS reinstall or via Erase All Contents and Settings, will remove whatever is tracking and enforcing the 23 hour limitation.
Update – 4-22-2022:
It looks like the file which tracks this information is stored in the following location:
/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck
This file is protected by SIP. Thanks to zolotkey in the comments!
Also, in the original version of this post, I had made a mistake and conflated the functions of the following commands:
- profiles renew -type enrollment
- profiles show -type enrollment
The profiles renew -type enrollment command can be used to enroll or re-enroll a Mac which is part of the Automated Device Enrollment program with the MDM server that ADE associates the Mac with. To the best of my knowledge, the renew function of the profiles command does not have a client side rate limitation on macOS 12.3. Thanks also to Richard in the comments for catching my mistake and letting me know about it.
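For a management script that wants to know when the 23 hour window ends before calling profiles show or profiles validate again, the check below reads the two timestamps that a commenter reports in .profilesFetchTimerCheck. It is an added example, not code from the original post. It assumes the file's contents are already available as text in the "key" => date form quoted in the comments (for instance from plutil -p, if the file is a property list, which the post does not confirm) and that the window runs from the recorded fetch time; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Window length stated in the post; assumed to run from the recorded fetch time.
LIMIT = timedelta(hours=23)

# Matches one line of the dump format quoted in the comments, e.g.
#   "lastProfilesShowFetchTime" => 2022-03-22 20:37:31 +0000
# Straight and typographic quotes are both accepted.
LINE = re.compile(
    r'["\u201c]lastProfiles(\w+?)FetchTime["\u201d]\s*=>\s*'
    r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})'
)


def parse_fetch_times(dump):
    """Return {'show': datetime, 'validate': datetime} for the keys present."""
    times = {}
    for match in LINE.finditer(dump):
        verb = match.group(1).lower()
        times[verb] = datetime.strptime(match.group(2), "%Y-%m-%d %H:%M:%S %z")
    return times


def next_allowed(dump, now):
    """Map each verb to (allowed_now, time_the_window_ends)."""
    result = {}
    for verb, last in parse_fetch_times(dump).items():
        retry = last + LIMIT
        result[verb] = (now >= retry, retry)
    return result


# Constructed sample, using the timestamps quoted in the comments on this page.
SAMPLE = """{
  "lastProfilesShowFetchTime" => 2022-03-22 20:37:31 +0000
  "lastProfilesValidateFetchTime" => 2022-03-22 20:31:07 +0000
}"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for verb, (ok, retry) in next_allowed(SAMPLE, now).items():
        state = "allowed" if ok else "rate limited"
        print(f"profiles {verb}: {state}, window ends {retry.isoformat()}")
```

A key that is missing from the dump is simply absent from the result, which a caller can treat as "no recorded fetch".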
“where the Mac can be enrolled with its MDM server by running the following command:” ?!?
The above for “profiles show” is incorrect, show is an advanced, more detailed, version of status.
From the man page information where screenshots have been included in the article: “For an enrollment, this will show the current DEP configuration, …”
You’re right and I’ll correct that. I was thinking of “sudo profiles renew -type enrollment”
When I do “profiles status -type enrollment” I do not get the enrollment popup. When I do “profiles show -type enrollment” I do get the enrollment pop up.
The file that holds the timer is `/private/var/db/ConfigurationProfiles/Settings/.profilesFetchTimerCheck`
It is under SIP. So you can only remove it if you do so from recovery. It holds both Show and Validate.
Example:
{
  "lastProfilesShowFetchTime" => 2022-03-22 20:37:31 +0000
  "lastProfilesValidateFetchTime" => 2022-03-22 20:31:07 +0000
}
Thanks for the post Rich!
Can “sudo profiles renew -type enrollment” be used to get around this even if the computer never went through setup assistant?
Great Post!
Interesting to see that a SIP Protected File can be changed by the OS. It looks like this is a privileged part of the OS/Framework that ignores SIP. Otherwise the File that zolotkey identified would not be writeable.
Hi. It looks like the rate limitation for profiles show, even if it is still indicated in the man page, is gone with macOS 12.4. I’m currently able to run a profiles show -type enrollment multiple times in a row so far.