Posted on 09-06-2020 10:41 AM
Hi Jamf community,
Is there any remote bash script in use to unenroll devices from Jamf, rather than deleting the device from the portal?
We can simply use another remote tool to push x bash script to a targeted Jamf Mac device to unenroll it.
This script should only remove the Jamf enrollment and Jamf itself from the Macs; other stuff (data, profiles, etc.) should still be in place.
Could @Chris_Hafner also help with this?
Thank you
Posted on 09-06-2020 10:55 AM
@Chris_Hafner may give a hand with this, I saw you got pretty good experience there :)
Posted on 09-06-2020 06:52 PM
sudo /usr/local/bin/jamf removeMdmProfile -verbose
sudo /usr/local/bin/jamf removeFramework -verbose
Posted on 09-07-2020 06:20 AM
Yes, these commands work... depending on how you deploy them (direct SSH)? During our offboarding process, we have the users initiate the process via Self-Service (though we could remotely trigger this). There are a few things removed by the policy itself, but for the purposes of this thread it doesn't matter. We do have the policy load a script into /tmp, which is then triggered by the "execute command" at the end of said policy. The parts of the script that are relevant to this question are included below. However, there are a number of other items that I include in this script for various bits of cleanup, mostly dealing with the removal of launch agents and the removal of endpoint security bits. I did leave the part that I used to have the computer remove itself from the JAMF Pro instance via the API. This is NOT necessary for your question, but it's very useful to us.
#!/bin/bash
# Remove any remaining profiles
profiles remove -forced -all
# Reset the "ignored" software update list.
sudo softwareupdate --reset-ignored
# This will remove the computer's record in the JSS itself
# Note: -k turns off TLS certificate verification, and -u embeds the API account's password in this script
CAM=$(networksetup -getmacaddress en1 | cut -c19-35 | sed 's/:/./g')
curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS "https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM" -X DELETE
JAM=$(networksetup -getmacaddress en0 | cut -c19-35 | sed 's/:/./g')
curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS "https://your.jamf.com:8443/JSSResource/computers/macaddress/$JAM" -X DELETE
# Quit Self-Service.
killall "Self Service"
# Uninstall the JAMF binary
/usr/local/jamf/bin/jamf -removeFramework
# Delete the left over IT HelpDesk Admin account
/usr/bin/dscl . -delete /Users/itd
# Reboot the machine.
shutdown -r now
exit 0
Posted on 09-07-2020 10:20 AM
Thank you both so much for the quick response. Question @Chris_Hafner: if we set up an API user with admin privileges and simply push the script remotely, should that do the job? Or does it have to be an API user; can we just use a Jamf Pro admin user?
(In our case, we won't need to delete/remove anything other than Jamf Pro from our devices, so your script will be much simpler for us.)
Posted on 09-07-2020 10:45 AM
That's a great question! I've been using the same user I created a few years back. It ONLY has access to read, update, and delete computer and mobile records. This process exposes the password in plaintext, in the /tmp directory prior to reboot so be careful. I should probably use a better method, but it's a solidly functional method.
Posted on 09-07-2020 02:25 PM
Thank you @Chris_Hafner
So not a perfect method, but with curl at least we can remove the clear text with base64 encoding, which can be easily decoded with any online tool.
printf '%s' 'user:password' | base64 ---> this will generate a random encoded string
curl -k -v -H 'Authorization: Basic your_random_string' "https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM" -X DELETE
A more secure way seems to be documented at the link below:
"https://medium.com/@thoferon/sharing-passwords-with-git-gpg-and-pass-628c2db2a9de"
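Because a Basic header is only base64, a script staged on disk can be audited for it the same way as for `curl -u user:pass`. The following is an added example, not code from this thread: a POSIX shell check that flags both forms in a script file and prints the credentials it recovers. The sample script, the `apiuser:S3cret` and `user:password` credentials and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. All credentials are constructed samples.

# Build a Basic token; printf avoids the trailing newline that echo would encode.
basic_token() {   # usage: basic_token USER PASS
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse a Basic token: base64 is an encoding, so no key is needed.
decode_basic() {  # usage: decode_basic TOKEN
  printf '%s' "$1" | base64 --decode
}

# Print "<line>:<kind>:<user:password>" for each credential embedded in FILE.
find_embedded_creds() {  # usage: find_embedded_creds FILE
  # Kind 1: curl -u / --user with an inline user:password
  grep -nE 'curl.* (-u|--user) +[^ :]+:[^ ]+' "$1" |
    sed -E 's/^([0-9]+):.* (-u|--user) +([^ :]+:[^ ]+).*/\1:curl-user:\3/'
  # Kind 2: hard-coded "Authorization: Basic <token>" header, decoded for the report
  grep -nE 'Authorization: Basic [A-Za-z0-9+/]+=*' "$1" |
    while IFS=: read -r n rest; do
      tok=$(printf '%s\n' "$rest" |
        sed -E 's/.*Authorization: Basic ([A-Za-z0-9+/]+=*).*/\1/')
      printf '%s:basic-header:%s\n' "$n" "$(decode_basic "$tok")"
    done
}

# Constructed sample of an offboarding script staged on disk.
sample_script() {
  cat <<'EOF'
#!/bin/bash
curl -k -v -u apiuser:S3cret https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE
curl -k -v -H 'Authorization: Basic dXNlcjpwYXNzd29yZA==' https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE
EOF
}

# Write the sample to a temp file, scan it, and clean up.
scan_sample() {
  tmp=$(mktemp) || return 1
  sample_script > "$tmp"
  find_embedded_creds "$tmp"
  rm -f "$tmp"
}

scan_sample
```

Both findings come back as readable `user:password` pairs, so the header form needs the same handling as the `-u` form: a narrowly scoped account and removal of the staged file.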
Posted on 09-07-2020 02:33 PM
@fsurucu Thanks, that's so simple!
Posted on 09-08-2020 03:44 PM
Is there a way to set up auto-unenroll for devices that, for example, have not checked in in months?
Such as lost and broken devices etc. that I don't have access to anymore.
Posted on 06-04-2021 04:01 AM
@Jsiebert looking for the exact same thing!