Best practices to remove client from JSS and remove self-service?

Bmuller
New Contributor

Can anyone tell me what is the best way to delete a client from the JSS and in the process remove self-service and other jamf software from their computer? Basically, I'm looking for the best workflow for the computer to be returned to the state it was in BEFORE it was enrolled. Thanks, Brian

5 REPLIES

mm2270
Legendary Contributor III

Truthfully the best thing to do with a Mac to get it back to an unmanaged state is to boot to Recovery HD, repartition/reformat the drive and re-install OS X. You can shut it down just after the last reboot and it will be in a near factory state for the next person that starts it up. They'd get the OS X welcome screen and be asked to create the first local admin account, etc.

That said, there is of course a way to delete a Mac from your JSS, and a way to unmanage the Mac from the Mac itself or by policy, but you can't really do both in one shot. Once a Mac is deleted from the JSS, you can't send a policy to it to have it unenroll itself, for example, and alternately, once it's unenrolled from the Mac or by a policy sent from the JSS, it won't necessarily show up as "unmanaged" in the JSS. It will still "look" like it's managed, but will never check in again.
So you'd have to do each step separately to completely remove it from your system.

I still think re-installing OS X is your best bet though.

Bmuller
New Contributor

Mike,

Thanks for the insight. I agree with the OS X solution, but I'm really looking at the other solution, even though it is a step by step procedure.

Can you give me more insight as to exactly how to do the step by step process ... I guess the real question from your post is how do I unenroll the Mac where it doesn't communicate to the JSS. I assume that if you do that, you can't use self-service anymore?? When I've tried what I thought was correct, I was still able to use self-service and download pkgs, which is one thing we don't want to happen.

stevewood
Honored Contributor II

On the Mac you'd run the following:

jamf removeFramework

Once that is complete, remove the machine from the JSS.

mm2270
Legendary Contributor III

Sure, so here's something you could try, and truthfully, I haven't done this since we generally never unenroll our Macs unless for testing, and in that case we simply do it manually in Terminal.

As long as the target Mac is still communicating with your JSS, you could put a simple script together that would first delete Self Service from the Applications folder, assuming that's where it's deployed.
Then have the script do a remove Framework command from the jamf binary. Sorry for being a little vague on that last bit. I'm somewhat reluctant to type the actual command here because these pages get picked up by Google and lots of users out there would love to know how to "un-manage" their Mac. That command incidentally is not in the jamf help, and I suspect by design, so a casual end user looking through help won't see it.

Anyway, once you've done those two things, Self Service, the jamf and jamfAgent binaries, any items in /Library/Application Support/ and daemons, etc. will all be gone. The Mac will no longer check in with your JSS, and things like restricted software will get lifted, etc.

The only thing that might stick around is previous MCX settings. You may need to see if that's an additional item to include in your script, basically removing previous MCX settings, that is, if you're even using those.
Not sure also about Configuration Profiles since I don't currently use them. So I'm not clear if un-enrolling removes those or if they'd have to be removed by your script.

Does that help?

nigelg
Contributor

If a machine wasn't checking in anymore I would ssh to it or use ARD and run "sudo jamf removeFramework". Assuming it's got network connectivity and you can use WOL to wake it up, otherwise it's a trek to its location to do the same. You would have to manually remove the machine from the JSS.
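
For admins decommissioning a Mac along the lines discussed in the replies above, the following audit checks whether any management components are still on disk afterwards, which is the situation the original poster hit when Self Service kept working. It is an added example, not code from any poster or from JAMF; the function name and the specific paths (typical install locations for the jamf binary, its support folder, its launchd items and the MCX managed preferences folder) are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example: audit a decommissioned Mac for management leftovers.
# All paths below are assumed typical locations, not taken from the thread
# (apart from the Applications folder and /Library/Application Support/).

# audit_leftovers ROOT
#   ROOT is "/" on a live Mac, or a mounted volume / test directory.
#   Prints one "LEFTOVER <path>" line per item found.
#   Returns 0 when nothing remains, 1 otherwise.
audit_leftovers() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    found=0

    # Fixed locations: Self Service, the jamf binary, its support folder.
    for p in \
        "Applications/Self Service.app" \
        "usr/local/bin/jamf" \
        "usr/local/jamf" \
        "usr/sbin/jamf" \
        "Library/Application Support/JAMF"
    do
        if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
            echo "LEFTOVER /$p"
            found=1
        fi
    done

    # launchd items that would keep the Mac checking in.
    for f in "$root"/Library/LaunchDaemons/com.jamfsoftware.* \
             "$root"/Library/LaunchAgents/com.jamfsoftware.*
    do
        [ -e "$f" ] || continue     # an unmatched glob stays literal; skip it
        rel=${f#"$root"}
        echo "LEFTOVER $rel"
        found=1
    done

    # MCX settings can outlive the framework: flag a non-empty folder.
    mp="$root/Library/Managed Preferences"
    if [ -d "$mp" ] && [ -n "$(ls -A "$mp" 2>/dev/null)" ]; then
        echo "LEFTOVER /Library/Managed Preferences"
        found=1
    fi
    return $found
}
# On the Mac itself, run as root: audit_leftovers /
```

The audit only covers files on disk. It does not inspect installed configuration profiles, and the computer record in the JSS still has to be removed separately.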