Hi Jamf community,
Is there any remote bash script in use to unenroll devices from Jamf, rather than deleting the device from the portal?
We could simply use another remote tool to push a bash script to a targeted Jamf Mac device to unenroll it.
This script should only remove the Jamf enrollment and Jamf from the Macs; other things (data, profiles, etc.) should still be in place.
Could @Chris_Hafner also help with this?
Yes, these commands work... depending on how you deploy them (direct SSH)? During our offboarding process, we have the users initiate the process via Self-Service (though we could remotely trigger this). There are a few things removed by the policy itself, but for the purposes of this thread it doesn't matter. We do have the policy load a script into /tmp, which is then triggered by the "execute command" at the end of said policy. The parts of the script that are relevant to this question are included below. However, there are a number of other items that I include in this script for various bits of cleanup, mostly dealing with the removal of launch agents and the removal of endpoint security bits. I did leave the part that I used to have the computer remove itself from the JAMF Pro instance via the API. This is NOT necessary for your question, but it's very useful to us.
#!/bin/bash

# Remove any remaining profiles
profiles remove -forced -all

# Reset the "ignored" software update list.
sudo softwareupdate --reset-ignored

# This will remove the computers record in the JSS itself
CAM=`networksetup -getmacaddress en1 | cut -c19-35 |sed 's/:/./g'`
curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE
JAM=`networksetup -getmacaddress en0 | cut -c19-35 |sed 's/:/./g'`
curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$JAM -X DELETE

# Quit Self-Service.
killall "Self Service"

# Uninstall the JAMF binary
/usr/local/jamf/bin/jamf -removeFramework

# Delete the left over IT HelpDesk Admin account
/usr/bin/dscl . -delete /Users/itd

# Reboot the machine.
shutdown -r now
exit 0
Thank you both so much for the quick response. Question, @Chris_Hafner: if we set up an API user with admin privileges and simply push the script remotely, should that do the job? Or does it have to be an API user, or can we just use a Jamf Pro admin user?
(In our case, we won't need to delete or remove anything other than Jamf Pro from our devices, so your script will be much simpler for us.)
That's a great question! I've been using the same user I created a few years back. It ONLY has access to read, update, and delete computer and mobile records. This process exposes the password in plaintext, in the /tmp directory prior to reboot so be careful. I should probably use a better method, but it's a solidly functional method.
Thank you @Chris_Hafner
So, not a perfect method, but with curl at least we can remove the clear text with base64 encoding, which can be easily decoded with any online tool.
printf '%s' 'user:password' | base64 ---> this will generate a random encoded string
curl -k -v -H 'Authorization: Basic your_random_string' \
  "https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM" -X DELETE
A more secure way seems to be documented at the link below,
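
The credential exposure discussed in the posts above (a password left in a script in /tmp, and base64 as a substitute for clear text) can be checked for before a script is deployed. The following is an added example, not part of the original thread or anyone's posted script: the function names `find_embedded_creds` and `write_sample`, the host `jamf.example.invalid` and the credentials are all constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): report HTTP Basic credentials embedded
# in a script, as "curl -u user:pass" or as a base64 Authorization header.

q=\"\'   # quote characters that may wrap a credential token
re_user="curl[^|;]*[[:space:]](-u|--user)[[:space:]]+[$q]?([^[:space:]$q:]+:[^[:space:]$q]+)"
re_hdr="Authorization:[[:space:]]*Basic[[:space:]]+([^[:space:]$q]+)"

# Prints "line<TAB>kind<TAB>user<TAB>password-length" per finding.
# The password itself is never printed.
find_embedded_creds() {
  local file=$1 n=0 line pair kind pass
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1)); pair=""
    if [[ $line =~ $re_user ]]; then
      kind=curl-user; pair=${BASH_REMATCH[2]}
    elif [[ $line =~ $re_hdr ]]; then
      # base64 is an encoding, not encryption: decoding needs no key.
      kind=basic-header
      pair=$(printf '%s' "${BASH_REMATCH[1]}" | base64 --decode 2>/dev/null) || pair=""
    fi
    case $pair in
      *:*) pass=${pair#*:}
           printf '%s\t%s\t%s\t%s\n' "$n" "$kind" "${pair%%:*}" "${#pass}" ;;
    esac
  done < "$file"
}

# Constructed sample script; host and credentials are made up.
write_sample() {
  local b64
  b64=$(printf '%s' 'apiuser:S3cretPass' | base64)
  cat > "$1" <<EOF
#!/bin/bash
curl -k -u apiuser:S3cretPass https://jamf.example.invalid:8443/JSSResource/computers/macaddress/\$CAM -X DELETE
curl -k -H 'Authorization: Basic $b64' https://jamf.example.invalid:8443/JSSResource/computers/macaddress/\$CAM -X DELETE
/usr/local/jamf/bin/jamf -removeFramework
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_embedded_creds "$sample"
rm -f "$sample"
```

Both sample lines are reported with the same user and password length, which shows that the base64 header carries exactly the same secret as the `-u` form.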