Best Practice For Being Notified When a User Removes the JAMF Framework?

lg-jbarclay
New Contributor II

Hello,

I'm working with a client that would like to be notified when a user removes the JAMF framework with ```
sudo jamf removeFramework
```. I recall one of the Facebook CPE guys talking about how they automatically remediate this, but it's a bit overkill for what my client needs, (they just want a notification that files a ticket, perhaps).

What are other folks in the community doing for this, if anything?

Thanks!

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The criteria name changed at some point during the later 8 series releases.. Its now called "Enrolled"instead of "Managed"
But unfortunately that information still won't do you any good. By definition, only Enrolled or Managed devices can even be in a Smart Group. so its impossible to make a Smart Group of non managed Macs. You can locate unmanaged Macs in an Advanced Search, but since these aren't groups you can't get notified of changes.

The best you may be able to do is create a Smart Group for Macs that haven't checked in within x amount of days. You will undoubtedly get legit systems appearing there, for example, someone on a long vacation or maternity leave or whatnot, but it should still alert you to systems that have potentially been unmanaged.

Also, you could look at what Rich Trouton put together based on the preso from the Facebook team. He has info on his blog on how to use his process that re-manages any un-managed systems using local LaunchDaemons and scripts and a QuickAdd package, etc. Its not perfect, because anyone that can run a sudo jamf command can also disable any LaunchDaemons, so there's still a possibility of something being permanently unmanaged. But its a first line of defense anyway.

View solution in original post

17 REPLIES 17

thoule
Valued Contributor II

I think when someone removes framework, my colleague found that they become an 'unmanaged' client. So he created a Smart Group of 'unmanaged' clients and got notification on membership change. This is by memory so testing is in order.

lg-jbarclay
New Contributor II

Thanks @thoule,

I recall this being an option in v8.x, and it was the first thing I looked for when presented with this problem.

Unfortunately, I do not see a "managed" criterion when creating a smart group in v9.32.

Am I missing something?

Simmo
Contributor II

I looked at this when I started using 9.3 and the replies I got mostly consisted of having a smart group for members who have not checked in for X days, less than ideal really.

thoule
Valued Contributor II

I just asked him - he said he does the following:
He has a script in Self Service called JAMF Remove

1- create a touch file in /tmp/unmanagedJAMF.txt
2- run Recon (there is an extension attribute for that file, if it exists, then put in smart group called 'unmanaged')
3- run jamf removeFramework

It does a bunch of other things such as removing proprietary software, etc., but that's the outline.

Simmo
Contributor II

@thoule That is a good way to do it, but does not account for when people remove the JAMF framework when you don't want them to.

mm2270
Legendary Contributor III

The criteria name changed at some point during the later 8 series releases.. Its now called "Enrolled"instead of "Managed"
But unfortunately that information still won't do you any good. By definition, only Enrolled or Managed devices can even be in a Smart Group. so its impossible to make a Smart Group of non managed Macs. You can locate unmanaged Macs in an Advanced Search, but since these aren't groups you can't get notified of changes.

The best you may be able to do is create a Smart Group for Macs that haven't checked in within x amount of days. You will undoubtedly get legit systems appearing there, for example, someone on a long vacation or maternity leave or whatnot, but it should still alert you to systems that have potentially been unmanaged.

Also, you could look at what Rich Trouton put together based on the preso from the Facebook team. He has info on his blog on how to use his process that re-manages any un-managed systems using local LaunchDaemons and scripts and a QuickAdd package, etc. Its not perfect, because anyone that can run a sudo jamf command can also disable any LaunchDaemons, so there's still a possibility of something being permanently unmanaged. But its a first line of defense anyway.

damienbarrett
Valued Contributor

This is how I do it...as mm2270 has outlined. A smart group to look for any machines that haven't checked-in in X number of days. Yes, it throws some false-positives, but it gives me a nice hit-list to work from. I can then actively call those machines in for a hands-on and examine why they've dropped out of management.

PeterG
Contributor II

I know this isn't exactly what you asked but...

If you are looking for a way to keep JAMF installed...

How about hiding a Quickadd installer on the machine and writing a script that checks for the existence of the JAMF framework and will run the quick add if the framework is not found.

It could be triggered by launchd

rtrouton
Release Candidate Programs Tester

@PeterG,

As it happens, I have a script that does that. I have a post on it available here:

https://derflounder.wordpress.com/2014/04/23/caspercheck-an-auto-repair-process-for-casper-agents/

stevewood
Honored Contributor II
Honored Contributor II

Since your client does not want to re-install the framework, how about using what @rtrouton and @mikedodge04 have done to determine if the framework is removed, and send an email from the local system. You could probably cobble something together that would use the sendmail function in OS X from the terminal to send an email to your help desk.

lg-jbarclay
New Contributor II

Thanks to everyone for all the input. It is very much appreciated.

I will discuss this further with my client, and we'll take it from there.

Best,

pblake
Contributor III

@stevewood @lg-jbarclay

Did either of you by any chance get a script or launchdaemon created that looked to see if the jam binary is missing and create an email? That is exactly what I am thinking of doing, and I would prefer not to recreate the wheel do to speak.

Thanks in advance.

elliotjordan
Contributor III

@pblake:

@lg-jbarclay and I have successfully implemented @rtrouton's CasperCheck framework. We don't have solid metrics on how many Macs it's prevented from becoming unmanaged, but it's fair to say that any number greater than zero justifies the minimal amount of time we spent making it happen.

Related feature request that you all might consider upvoting, if you haven't already: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3188

nessts
Valued Contributor II

might be fun to have a launch daemon that just disables the users account and logs them off instantly, if jamf goes missing. Make them call the service desk.

kbach
New Contributor

If your company leverages a NAC agent on Mac's, IE. Forescout CounterACT, you could set up a rule to report this information AND present a browser page to the user immediately that they are no longer in compliance, call the help desk to resolve because now their Mac has been quarantined to just the external internet, nothing internal is accessible until jamf binary is back in play. This is what we leverage in our enterprise.)

jimmy-swings
Contributor II

Hi @kbach - how do you determine if the agent is up and running? are you looking for the jamf process? or using a smart group where the client hasn't checked in for n days?

pchang
New Contributor

@kbach curious if you are still using ForeScout CounterACT? What are your thoughts on it? We would likely setup up the above NAC policies in place and are about to start a proof of concept and would love to hear pros and cons regarding it from your end, if possible.