Jamf Pro - How to unenroll device remotely via script

New Contributor III

Hi Jamf community,

Is there any remote bash script that in use to unenroll devices from jamf rather than deleting device from the portal ?

Simply can use another remote tool to push x bash script to a targeted jamf mac device to unenroll it.

This script shall only remove jamf enrollments & jamf from the macs other stuff data, profiles..etc should be still in place

May @Chris_Hafner also help regards to this ?

Thank you


New Contributor III

@Chris_Hafner may give a hand with this, I saw you got pretty good experience there πŸ™‚


sudo /usr/local/bin/jamf removeMdmProfile -verbose

sudo /usr/sbin/jamf removeFramework -verbose

Valued Contributor II

Yes, these commands work... depending on how you deploy them (direct SSH)? During our offboarding process, we have the users initiate the process via Self-Service (Though we could remotely trigger this). There are few thigns removed by the policy itself, but for the purposes of this thread it doesn't matter. We do have the policy load a script into /tmp, which is then triggered by the "execute command" at the end of said policy. The parts of the script that are relevent to this question are included below. However, There are a number of other items that I include in this script for various bits of cleanup. Mostly dealing with the removal of launch agents and the removal of endpoint security bits. I did leave the part that I used to have the computer remove itself from the JAMF Pro instance via the API. This is NOT necessary for your question, but it's very useful to us.


# Remove any remaining profiles
profiles remove -forced -all

# Reset the "ignored" software update list.
sudo softwareupdate --reset-ignored

# This will remove the computers record in the JSS itself
CAM=`networksetup -getmacaddress en1 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE

JAM=`networksetup -getmacaddress en0 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$JAM -X DELETE

# Quit Self-Service.
killall "Self Service"

# Uninstall the JAMF binary     
/usr/local/jamf/bin/jamf -removeFramework

# Delete the left over IT HelpDesk Admin account
/usr/bin/dscl . -delete /Users/itd

# Reboot the machine.
shutdown -r now

exit 0

New Contributor III

Thank you so much both for quick response. Question @Chris_Hafner, If we set up API user with admin privileges and simply push script remotely should do the job ? or Does it have to be API user, can we just set jamf pro admin user ?

(In our case, we wont need to delete / remove any other stuff than jamf pro from our devices, so your script will be much simplified for us)

Valued Contributor II

That's a great question! I've been using the same user I created a few years back. It ONLY has access to read, update, and delete computer and mobile records. This process exposes the password in plaintext, in the /tmp directory prior to reboot so be careful. I should probably use a better method, but it's a solidly functional method.

New Contributor III

Thank you @Chris_Hafner
So not a perfect method but with curl at least we can remove clear text with base64 encode which can be easily decoded any online tools.

echo user:password | base64 ---> this will generate a random encoded string
curl -k -v -H 'Authorization: Basic your_random_string'
https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE

More secure way seems documented at below link,

Valued Contributor II

@fsurucu Thanks, that's so simple!

New Contributor II

Is there a way to setup auto unenroll for devices that for example, have not checked in, in months?

Such as lost and broken devices etc that I dont have access to anymore.

New Contributor II

@Jsiebert looking for exact same thing !