Remote delete of ITL file

[Dieselboy]

I migrated our CUCM/CUC/IMP set up to DNS / FQDN so that Jabber doesn't warn about invalid certificates any more. Some of my remote users switch off their VPN phones over the weekend so they were not connected to CUCM while I made the changes. These phones are online now and I've used unifiedFX to remotely delete the ITL (I think!), at least the 2 phone's I've tried this on are showing ITL updated in the status messages when I browse to the web page of the phone.
Sometimes unifiedFX doesn't work for me. I'll just get the command in the queue and the phone will not do anything. I'm not really sure why.

One thing I'm cautious about is these remote phones are VPN phones and connect to the corp. VPN using certificate authentication, so that the end user doesn't have to manually log in with their userID and password. So I cannot simply get the user to factory reset the phone. Well I can but then I need to fudge up something with Internet Connection Sharing to get it connected back to the corp office via AnyConnect VPN through a laptop and working again, and it's a long-winded process.

I have read if I unlock the settings on the phone itself I can delete the ITL file that way. However **# isn't doing anything on my 9971 in terms of making the "security settings" menu not greyed out. Does anyone know if the 9971 uses a different password or something?

The users have 8945 phones but the 9971 is my personal one at home that I can test with.