+3Hi !
Can someone suggest me how to set up a custom analytic to get an alarm if a user (yes, they need to have adminrights sadly) removes the MDM profile?
I had some cases in the last weeks where all profiles went missing and i do not want to suspect someone falsely.
Thanks !
Best answer by hüseyinusta12
You can also do this; it will most likely work. Based on the YAML content provided by Jamf for Unified Log, go to Custom Analytics > Filter Text View:
$event.subsystem == "com.apple.ManagedClient" AND
$event.eventMessage CONTAINS "Removed configuration profile: MDM Profile" AND
$event.eventMessage CONTAINS "Source: Manual"
https://github.com/jamf/jamfprotect/blob/main/unified_log_filters/mdm_profile_manual_removal.yaml
+26There should not need to be an alert for this. Also the moment the MDM profile is removed, Jamf Protect loses all of its permissions. I'm not sure if it could reliably report on this event.
My suggestion, ensure you are using Automated Device Enrollment and check the box to disallow removal of the MDM profile. Once you do this not even an Admin can remove the MDM profile.
Another suggestion is to look in to an Endpoint Permissions Tool to handle elevated access situations, remove admin access from users and write policies with the tool to auto escalate the function they need to perform and nothing else.
+3Are you looking for a solution other than the built-in "Jamf Pro Binary Modified" analytic, or does it meet your needs?
+3You can also do this; it will most likely work. Based on the YAML content provided by Jamf for Unified Log, go to Custom Analytics > Filter Text View:
$event.subsystem == "com.apple.ManagedClient" AND
$event.eventMessage CONTAINS "Removed configuration profile: MDM Profile" AND
$event.eventMessage CONTAINS "Source: Manual"
https://github.com/jamf/jamfprotect/blob/main/unified_log_filters/mdm_profile_manual_removal.yaml
+3Thanks, but this seems perfect.
https://github.com/jamf/jamfprotect/blob/main/unified_log_filters/mdm_profile_manual_removal.yaml
+3There should not need to be an alert for this. Also the moment the MDM profile is removed, Jamf Protect loses all of its permissions. I'm not sure if it could reliably report on this event.
My suggestion, ensure you are using Automated Device Enrollment and check the box to disallow removal of the MDM profile. Once you do this not even an Admin can remove the MDM profile.
Another suggestion is to look in to an Endpoint Permissions Tool to handle elevated access situations, remove admin access from users and write policies with the tool to auto escalate the function they need to perform and nothing else.
Yes, but we had problems with profiles from time to time, so the IT must have a possibility to remove them manually without deleting the device.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.