Find Macs where users have removed Jamf

hulahoophurler
New Contributor

Many of our users are admins or can easily elevate to admins on their MacBooks. Some of them have removed Jamf, so we can no longer push updates to their workstations. What is the best way to detect new people who do this? Does it show up somewhere in logs either in Jamf console or on the workstation (or both)?

Thanks.


pbenware1
Contributor II

Devices are supposed to check in for policy updates multiple times per day, and at least once every 24 hours with an inventory update.

All of our users are admins; it's legacy practice that we have had zero success in reining in.

Our practice has been to keep a SMART group of devices that have not checked in or submitted inventory after 15 days. 15 days helps account for computers that may not be used every day or people taking PTO.

If we find they go longer than 15 days with no contact, we start investigating.

Also, I vaguely recall someone had once written a self-repair tool of some kind that checks for a functioning jamf binary, and if it doesn't find it, reinstalls. (Not sure where I saw that or if I'm remembering it correctly, but it seemed a great way to resolve this type of problem.)

mcrispin
Contributor II

You have devices in ABM, you provision as pre-stage, you get Jamf Protect to warn you if the user plays a game, you set your alarms and you keep separate records to manage asset disposition and check regularly. You have clear policies in place that get HR involved if they break your ISSP, and you enforce them.

dennisnardi
Contributor

There isn't anything able to show this kind of thing by default, but like others mentioned you can make a smart group for machines that haven't checked in for a while. The self heal was also mentioned; you can read about that here: https://www.modtitan.com/2022/02/jamf-binary-self-heal-with-jamf-api.html. You could potentially make an API script to run this action automatically for new members of the smart group you create to automate this. I think the only downside to that would be if you have triggers for enrollment, that may need to be modified.
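
The 15-day check described in the replies above, run offline over an inventory export, as an added example that is not part of any post in this thread. The CSV layout, column names and sample rows are constructed assumptions, not a Jamf export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=15)  # threshold mentioned in the thread

# Constructed sample export; column names are assumptions, not a Jamf format.
SAMPLE_CSV = """serial,user,last_check_in,last_inventory
C02AAA000001,alice,2024-05-30T08:12:00Z,2024-05-30T08:15:00Z
C02AAA000002,bob,2024-05-10T17:40:00Z,2024-05-10T17:45:00Z
C02AAA000003,carol,2024-05-29T09:00:00Z,2024-05-01T09:05:00Z
C02AAA000004,dave,,
"""

def parse_ts(value):
    """Return an aware UTC datetime, or None for an empty field."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_stale(csv_text, now, stale_after=STALE_AFTER):
    """Return (serial, user, reason) for each device past the threshold."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        # Check both signals: policy check-in and inventory submission.
        for column, label in (("last_check_in", "check-in"),
                              ("last_inventory", "inventory")):
            seen = parse_ts(row[column])
            if seen is None:
                # Enrolled record with no contact at all is its own finding.
                reasons.append(f"no {label} recorded")
            elif now - seen > stale_after:
                reasons.append(f"{label} {(now - seen).days} days old")
        if reasons:
            findings.append((row["serial"], row["user"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    # Fixed "now" so the run over the constructed sample is repeatable.
    as_of = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    for serial, user, reason in find_stale(SAMPLE_CSV, as_of):
        print(f"{serial}\t{user}\t{reason}")
```

In real use, pass `datetime.now(timezone.utc)` as `now` and feed the output into whatever investigation queue you already keep for devices that have gone quiet.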