Question

Custom Analytic for Detecting Device Unenrollment in Jamf Pro

  • November 4, 2025
  • 1 reply
  • 31 views

Hello,

Is it possible to configure a Custom Analytic if someone unenrolls their device from Jamf Pro (i.e., uninstalls the Jamf MDM profile)?

1 reply

h1431532403240
Hi test_qweqwe,

Great question! Yes, it is absolutely possible to configure a Custom Analytic in Jamf Protect to detect when someone attempts to unenroll a device from Jamf Pro. There are several approaches you can take depending on what specific action you want to monitor.

Option 1: Detect Execution of jamf Commands (Recommended)

You can create a Custom Analytic to detect when someone runs the jamf removeFramework or jamf removeMdmProfile commands:

Sensor Type: Process Event
Predicate:

$event.process.signingInfo.appid == "com.jamfsoftware.jamf" AND 
($event.process.args CONTAINS "removeFramework" OR
$event.process.args CONTAINS "removeMdmProfile" OR
$event.process.args CONTAINS "removeMDMProfile")

Option 2: Monitor the profiles Binary Execution

To detect when someone uses the native profiles command to remove configuration profiles:

Sensor Type: Process Event
Predicate:

$event.process.path == "/usr/bin/profiles" AND 
($event.process.args CONTAINS "remove" OR $event.process.args CONTAINS "-R")

Option 3: Monitor File System Changes

You can also monitor when MDM profile-related files are deleted:

Sensor Type: File System Event
Predicate:

$event.path BEGINSWITH "/var/db/ConfigurationProfiles" AND $event.type == 1

(Event type 1 = Deletion)

Important Considerations:

  1. Jamf Protect persists independently - Even if the MDM profile is removed, Jamf Protect will continue running on the device as long as the Jamf Protect agent isn't uninstalled.
  2. Configure Actions - Set up the analytic to:
    • Send an alert to your SIEM or email
    • Add to Jamf Pro Smart Group (so you can trigger remediation workflows)
    • Log the event for audit purposes
  3. Prevention vs. Detection - For supervised Macs enrolled via Automated Device Enrollment (ADE/DEP), you can prevent MDM profile removal by unchecking "Allow MDM Profile Removal" in your PreStage Enrollment. This Custom Analytic would then serve as a detection layer for any bypass attempts.
  4. Remediation Workflow - Consider setting up a Smart Group in Jamf Pro that triggers an alert or policy when a device's MDM enrollment status changes.

Let me know if you need help with the specific predicate syntax or setting up the remediation workflow!
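
Added example (not part of the original reply, and not Jamf code): a Python sketch that mirrors the three predicates above so their logic can be checked against sample events before the analytics are deployed. The event layout, the sample events and the placeholder appid are constructed, and treating CONTAINS on the args array as exact element membership is an assumption.

```python
# Added example: constructed events, not Jamf Protect's real event schema.
JAMF_APPID = "com.jamfsoftware.jamf"
JAMF_VERBS = {"removeFramework", "removeMdmProfile", "removeMDMProfile"}
PROFILES_ARGS = {"remove", "-R"}
PROFILE_DB = "/var/db/ConfigurationProfiles"
DELETION = 1  # "Event type 1 = Deletion", as stated in the answer
OTHER_APPID = "constructed.example.appid"  # placeholder, not a real signing id


def match_process(proc):
    """Options 1 and 2: return the analytic name that matches, else None."""
    # Assumption: CONTAINS on the args array means exact element membership.
    args = set(proc.get("args", []))
    appid = proc.get("signingInfo", {}).get("appid")
    if appid == JAMF_APPID and args & JAMF_VERBS:
        return "option1_jamf_remove"
    if proc.get("path") == "/usr/bin/profiles" and args & PROFILES_ARGS:
        return "option2_profiles_remove"
    return None


def match_file(ev):
    """Option 3: deletion under the configuration profile store."""
    if ev.get("path", "").startswith(PROFILE_DB) and ev.get("type") == DELETION:
        return "option3_profile_file_deleted"
    return None


def proc_event(path, appid, *args):
    return ("process", {"path": path, "signingInfo": {"appid": appid}, "args": list(args)})


SAMPLE_EVENTS = [  # constructed for illustration
    proc_event("/usr/local/bin/jamf", JAMF_APPID, "jamf", "removeFramework"),
    proc_event("/usr/local/bin/jamf", JAMF_APPID, "jamf", "recon"),
    proc_event("/usr/bin/profiles", OTHER_APPID, "profiles", "remove"),
    proc_event("/usr/bin/profiles", OTHER_APPID, "profiles", "list"),
    ("file", {"path": PROFILE_DB + "/Store/example.plist", "type": DELETION}),
    ("file", {"path": PROFILE_DB + "/Store/example.plist", "type": 0}),  # not a deletion
]


def triage(events):
    """Return (index, analytic) for each event that hits one of the three analytics."""
    hits = []
    for i, (kind, ev) in enumerate(events):
        name = match_process(ev) if kind == "process" else match_file(ev)
        if name:
            hits.append((i, name))
    return hits
```

Routine activity such as jamf recon or profiles list produces no hit, which is the property to confirm before wiring the analytic to an alert or Smart Group action.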