Jamf Pro - How to unenroll device remotely via script

@Chris_Hafner may give a hand with this, I saw you got pretty good experience there :)

sudo /usr/local/bin/jamf removeMdmProfile -verbose

sudo /usr/sbin/jamf removeFramework -verbose

Yes, these commands work... depending on how you deploy them (direct SSH)? During our offboarding process, we have the users initiate the process via Self-Service (Though we could remotely trigger this). There are few thigns removed by the policy itself, but for the purposes of this thread it doesn't matter. We do have the policy load a script into /tmp, which is then triggered by the "execute command" at the end of said policy. The parts of the script that are relevent to this question are included below. However, There are a number of other items that I include in this script for various bits of cleanup. Mostly dealing with the removal of launch agents and the removal of endpoint security bits. I did leave the part that I used to have the computer remove itself from the JAMF Pro instance via the API. This is NOT necessary for your question, but it's very useful to us.

#!/bin/bash

# Remove any remaining profiles
profiles remove -forced -all

# Reset the "ignored" software update list.
sudo softwareupdate --reset-ignored

# This will remove the computers record in the JSS itself
CAM=`networksetup -getmacaddress en1 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE

JAM=`networksetup -getmacaddress en0 | cut -c19-35 |sed 's/:/./g'`

curl -k -v -u JAMF-PRO-ACCT-USER:JAMF-PRO-ACCT-PASS https://your.jamf.com:8443/JSSResource/computers/macaddress/$JAM -X DELETE

# Quit Self-Service.
killall "Self Service"

# Uninstall the JAMF binary     
/usr/local/jamf/bin/jamf -removeFramework

# Delete the left over IT HelpDesk Admin account
/usr/bin/dscl . -delete /Users/itd

# Reboot the machine.
shutdown -r now

exit 0

Thank you so much both for quick response. Question @Chris_Hafner, If we set up API user with admin privileges and simply push script remotely should do the job ? or Does it have to be API user, can we just set jamf pro admin user ?

(In our case, we wont need to delete / remove any other stuff than jamf pro from our devices, so your script will be much simplified for us)

That's a great question! I've been using the same user I created a few years back. It ONLY has access to read, update, and delete computer and mobile records. This process exposes the password in plaintext, in the /tmp directory prior to reboot so be careful. I should probably use a better method, but it's a solidly functional method.

Thank you @Chris_Hafner
So not a perfect method but with curl at least we can remove clear text with base64 encode which can be easily decoded any online tools.

echo user:password | base64 ---> this will generate a random encoded string
curl -k -v -H 'Authorization: Basic your_random_string'
https://your.jamf.com:8443/JSSResource/computers/macaddress/$CAM -X DELETE

More secure way seems documented at below link,
"https://medium.com/@thoferon/sharing-passwords-with-git-gpg-and-pass-628c2db2a9de"

@fsurucu Thanks, that's so simple!

Is there a way to setup auto unenroll for devices that for example, have not checked in, in months?

Such as lost and broken devices etc that I dont have access to anymore.

@Jsiebert looking for exact same thing !