How do you manage Mac offboarding?

yann_palacios
New Contributor II

In Self Service we have one button for the off-boarding process; it will erase the disk and reinstall a clean macOS (https://bitbucket.org/prowarehouse-nl/erase-install/). This computer could be reassigned to someone or unsubscribed definitively. In this last case, we want to keep the information in the Jamf inventory but for sure not pay for a Jamf licence for years, so we need to change the status from managed to unmanaged. (Is this the correct answer?)

We don't know what the best approach is. Any suggestions? Thanks :)

3 REPLIES

sdamiano
Contributor II

I've added this to my script to accomplish exactly what you are trying to do with an erase-install script. You will need to create a service account in your JSS that has permission to update users and computer objects.

# Use Jamf's encrypted parameter tool to log in to the JSS
# This is found at https://github.com/jamf/Encrypted-Script-Parameters
# jssurl, jssapiuser, stringtodecrypt, salt and k must be set before this point
function DecryptString() {
    # Usage: ~$ DecryptString "Encrypted String" "Salt" "Passphrase"
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

jsspw=$(DecryptString "$stringtodecrypt" "$salt" "$k")

# Get JSS ID for current computer.
# Get serial number and look up JSS ID
serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $NF}')
echo "the computers serial is $serial"
# Note: the -k in -sku makes curl skip TLS certificate verification
computerID=$(curl -sku "$jssapiuser:$jsspw" "$jssurl/JSSResource/computers/serialnumber/$serial" -H "Accept: text/xml" -X GET | xmllint --xpath '/computer/general/id/text()' -)
echo "the computers JSS ID is $computerID"


# Unmanage device in JSS
/usr/bin/curl -sku "$jssapiuser:$jsspw" "$jssurl/JSSResource/computers/id/$computerID" -H "Content-Type: text/xml" -X PUT -d "<computer><general><remote_management><managed>false</managed></remote_management></general></computer>"
/usr/bin/curl -sku "$jssapiuser:$jsspw" "$jssurl/JSSResource/computercommands/command/UnmanageDevice/id/$computerID" -X POST

# Flush All Logs
/usr/local/jamf/bin/jamf flushPolicyHistory
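
An added example, not part of sdamiano's post or of Jamf's tooling: the same lookup and unmanage calls with three guards. Credentials reach curl on stdin (`-K -`) instead of via `-u` on the command line, TLS verification stays on (no `-k`), and the looked-up ID is checked before it is used in a URL. It assumes the post's `jssurl`, `jssapiuser` and `jsspw` variables are already set; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's variables
# jssurl, jssapiuser and jsspw are set; all function names are hypothetical.

# Emit a curl config line with the credentials so they reach curl on stdin
# (-K -) rather than on the command line, which can expose them in the
# process list.
curl_auth_config() {
    # Escape backslashes and double quotes for curl's quoted config syntax.
    printf 'user = "%s"\n' \
        "$(printf '%s:%s' "$1" "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Accept only a non-empty, digits-only ID. A failed lookup yields an empty
# string, which must never be interpolated into the PUT/POST URLs.
is_valid_jss_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: jss_api METHOD PATH [extra curl args...]
# No -k: TLS certificate verification stays on. --fail turns HTTP errors
# into a non-zero exit status.
jss_api() {
    _method=$1; _path=$2; shift 2
    curl_auth_config "$jssapiuser" "$jsspw" |
        /usr/bin/curl --silent --show-error --fail -K - \
            -X "$_method" "$@" "${jssurl}${_path}"
}

# usage: unmanage_computer SERIAL
unmanage_computer() {
    _id=$(jss_api GET "/JSSResource/computers/serialnumber/$1" \
              -H "Accept: text/xml" |
          xmllint --xpath '/computer/general/id/text()' - 2>/dev/null)
    if ! is_valid_jss_id "$_id"; then
        echo "no usable JSS ID for serial $1; nothing changed" >&2
        return 1
    fi
    jss_api PUT "/JSSResource/computers/id/$_id" \
        -H "Content-Type: text/xml" \
        -d "<computer><general><remote_management><managed>false</managed></remote_management></general></computer>" &&
    jss_api POST "/JSSResource/computercommands/command/UnmanageDevice/id/$_id"
}
```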

yann_palacios
New Contributor II

Thanks for your reply! It looks interesting, but I would like to avoid using the user API.

sdagley
Esteemed Contributor II

@yann.palacios If you don't want to use the API you'll need to manually edit the computer record in your Jamf Pro console to mark the machine as unmanaged.