Best way to unenroll a computer

Morningside
Contributor II

In order to overcome an issue with the Guest User not showing up in the Login Screen, I need to change my Jamf Admin account to a non-hidden account. As such, I need to unenroll my test computer and re-enroll it so it can get the Jamf framework with the new, unhidden, admin account.

In the Manage Computer section I see an option for removing the MDM Profile, but not for explicitly unenrolling the computer. I am also aware of the terminal command 'sudo jamf removeFramework'.

What is the best, fastest way to unenroll a computer so that I can turn around and re-enroll it again with new creds?

5 REPLIES

casafrancisco
New Contributor III

Remove the Profile then delete from within the Jamf Portal I would assume.

JustDeWon
Contributor III

I think my confusion lies as to what type of account is the JAMF Admin account? Are you talking about the management account or are you talking about the local admin account on the Mac? (Hoping you're not using your management account as the local admin account on the machine to perform local administrator tasks.) I'm also assuming you are logged in, since you stated you can run sudo jamf removeframework in terminal. You don't have to unenroll a Mac to show hidden admin accounts, so I'm not understanding why you would need to un-enroll the Mac to do so.

Morningside
Contributor II

Through experimenting today I was able to confirm what was suggested four years ago in a different thread: Using a hidden jamf management account for user-initiated enrollings will cause the guest user to also be hidden. While I suspected that this was a bug with jamf, I am now thinking it is a limitation with macOS. I say this because within /Library/Preferences/com.apple.LoginWindow I saw the line: "500LevelAcountsHidden=True" (or something to that effect). Which leads me to believe that either you hide all special accounts, or none.

But I am not completely sure about that.

The bottom line is that if you want to make use of the Guest User in your school you must use a non-hidden jamf management account for your user-initiated enrollings. Sucks, but there it is. So in order to not have two admin accounts showing on the login screen, I am using my regular admin account as the jamf management account as well.

Chris_Hafner
Valued Contributor II

There are several parts to this and a lot depends on what you're specifically trying to do. In your case, you probably don't have to do much. Meaning, I don't think you need to unenroll it as @JustDeWon says. Simply create a new management account, delete the old one and update the management info in the JSS record.

However, to go further, the "removeFramework" does just that. Removes the binary and a few other small things like some of the preference files, Self-Service etc. It "should" also disassociate profiles, but it REALLY depends on how the profiles were installed. This is ALL from the client side. removeFramework doesn't change a thing on the JSS. Since you asked about re-enrolling, that's why you may or may not want to remove the entry from the JSS. This will more closely emulate a new user enrolling if that's what you're trying to get to.

When I programmatically unenroll devices, we hit this from multiple angles. Aside from the various apps and settings we may remove/change we also run a script that deletes the computer entry from the JSS, runs removeFramework, manually deletes the management account and restores user admin privileges amongst other things.
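
A sketch of the four-step sequence described in the reply above, as an added example that is not part of the original post or the poster's own script. The server URL, account names and `AUTH_HEADER_FILE` path are hypothetical placeholders; the Classic API path, `sysadminctl` and `dseditgroup` invocations assume a current Jamf Pro server and macOS client, and it only prints commands unless `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: names below are assumptions, not Jamf defaults.
JAMF_URL="${JAMF_URL:-https://jamf.example.com:8443}"    # constructed placeholder
MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfmgmt}"                 # hypothetical management account
END_USER="${END_USER:-student}"                          # hypothetical user to re-promote
# Hypothetical root-only file holding one line: "Authorization: Bearer <token>".
# curl reads it via -H @file, so the token never appears in argv or in dry-run output.
AUTH_HEADER_FILE="${AUTH_HEADER_FILE:-/var/root/.jamf_auth_header}"
DRY_RUN="${DRY_RUN:-1}"                                  # default: print, change nothing

# Allow only short alphanumeric identifiers before they reach a URL or a root command.
valid_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]
}

# Run a command, or only print it when DRY_RUN=1.
step() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# unenroll SERIAL: the four actions in the order the reply lists them.
unenroll() {
    serial="$1"
    valid_id "$serial" && valid_id "$MGMT_ACCOUNT" && valid_id "$END_USER" || return 2
    # Refuse to delete the account that is about to be granted admin rights.
    [ "$MGMT_ACCOUNT" != "$END_USER" ] || return 3
    # 1. Delete the computer record on the server (Jamf Pro Classic API).
    step curl -fsS -X DELETE -H "@$AUTH_HEADER_FILE" \
        "$JAMF_URL/JSSResource/computers/serialnumber/$serial" || return 1
    # 2. Remove the client-side framework; this does not touch the server record.
    step jamf removeFramework || return 1
    # 3. Delete the local management account.
    step sysadminctl -deleteUser "$MGMT_ACCOUNT" || return 1
    # 4. Restore the user's local admin membership.
    step dseditgroup -o edit -a "$END_USER" -t user admin
}

# Usage: sh unenroll.sh SERIAL (dry run); DRY_RUN=0 sh unenroll.sh SERIAL as root to apply.
if [ "$#" -eq 1 ]; then unenroll "$1"; fi
```

Review the dry-run output on a test Mac before setting `DRY_RUN=0`, and scope the API credential to computer deletion only.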

PorkChopExpress
New Contributor II

https://docs.jamf.com/best-practice-workflows/jamf-pro/unmanaging-mobile-devices-computers/Introduction.html