Mac Device Un-enroll

gc
New Contributor

I am looking for an option or script: before un-enrolling the Mac, I would like to remove all the applications and then unenroll.

Kindly share some ideas or a solution if anyone has already implemented this.

Regards,

Girish

4 REPLIES

ljcacioppo
Contributor III

I'm not sure if this is what you're looking for, but are you looking for this:

sudo jamf removeFramework

Details:
https://docs.jamf.com/best-practice-workflows/jamf-pro/unmanaging-mobile-devices-computers/Unmanagin...

gc
New Contributor

Yes, we do this, but I am looking to remove a few selected apps upon un-enroll.

sdagley
Esteemed Contributor II

@gc That isn't a feature built into Jamf Pro. If you want to do some sort of cleanup of your Macs when removing them from Jamf Pro it might be more expedient to set up a "decommission" script (I'd suggest one triggered by a LaunchDaemon so it's not being run by the jamf binary as its parent process) which removes the Jamf framework and then runs the macOS installer with the --eraseinstall option (or incorporate https://github.com/grahampugh/erase-install). If you're running macOS Monterey on a Mac with an Apple Silicon processor or an x86 Mac with a T2 chip just use the Erase All Contents and Settings... command in System Preferences, and you can invoke that from your Jamf Pro console using the Wipe Computer management command.

Danolman
New Contributor III

Hey @gc are you planning to re-deploy the machine? If so, completely wiping and reinstalling macOS would be the cleanest way to do this. If not, you could go through a cleanup process, but there are a lot of moving parts. 

You'll need the Jamf agent to issue all of these commands, so save the sudo jamf removeFramework until the end.

Some of the things you may need to clean up are apps, supporting files, other agents. It's best to use the native uninstallers if possible. Here's a script to remove files/folders/apps. If you remove the Self Service app, keep in mind that it will reinstall on Jamf's next check in.

#!/bin/sh
## postinstall

# Arguments passed to a package postinstall script
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Log all output to the Jamf client log
exec 1>>/var/log/jamf.log
exec 2>>/var/log/jamf.log

directory='/Applications/AppToRemove.app'
# Look for the application you'd like to remove and remove it if found
echo "Looking for $directory"
if [ -d "$directory" ] ; then
    echo "$directory found."
    if rm -rf "$directory" ; then
        echo "$directory removed"
    else
        echo "Failed to remove $directory"
        exit 1 ## Failure
    fi
else
    echo "$directory not found"
fi

exit 0 ## Success

You may also want to remove local accounts. You can create a policy and use the Local Accounts item.


If you'd like to remove certificates, you can use this script. You'll first need to find the shasum by locating the path of the certificate. You'd use that shasum to run the security delete-certificate command. You'll have to direct it to the correct keychain.

#!/bin/bash

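# Find the SHA-1 hash of the certificate file:
shasum -a 1 /path/certificate1.cer
# Example output:
# 9879879879879879879876546546546546546544 /path/certificate1.cer

# Delete the certificate with that SHA-1 hash from the System keychain
security delete-certificate -Z 9879879879879879879876546546546546546544 /Library/Keychains/System.keychain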

exit 0

You may also want to remove config profiles scoped to that machine. 

Also check for Restricted Software items that might be scoped to this machine.

Finally, you can sudo jamf removeFramework.

You may want to create a static group that has all of these scoped items so that if you ever need to re-issue a machine, you'll just need to add that machine to this static group and have all of this done automatically.

Exclude Static Group from all Config Profiles and Restricted Software items.

Scope Static Group to all Removal policies. Make sure you remove the Jamf Agent last. 

There may be a few more things to remember, but at least this covers a bunch of things you might also want to remove besides apps.

Good luck!
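
An added example, not part of any post in this thread: the single-app removal above extended to a list of selected apps, with a guard on each name before the root-run `rm -rf`, and `jamf removeFramework` held back until every removal has succeeded. `APPS_ROOT`, `remove_app`, `remove_apps`, the `--run` switch and `OtherApp.app` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. APPS_ROOT, remove_app and remove_apps
# are hypothetical names; the app names below are placeholders.
APPS_ROOT="${APPS_ROOT:-/Applications}"

# Remove one app bundle by name. Names that are empty, contain "/", start
# with "." or do not end in ".app" are refused, so a root-run "rm -rf" can
# never resolve to APPS_ROOT itself or to a path outside it.
# Returns 0 if removed or already absent, 1 if rm failed, 2 if refused.
remove_app() {
    name=$1
    case "$name" in
        ''|*/*|.*) echo "refused: unsafe name '$name'"; return 2 ;;
        *.app) ;;
        *) echo "refused: '$name' is not an .app bundle"; return 2 ;;
    esac
    target="$APPS_ROOT/$name"
    if [ ! -d "$target" ]; then
        echo "$target not found"
        return 0
    fi
    if rm -rf -- "$target"; then
        echo "$target removed"
    else
        echo "failed to remove $target"
        return 1
    fi
}

# Try every listed app; return 1 if any was refused or failed.
remove_apps() {
    failed=0
    for app in "$@"; do
        remove_app "$app" || failed=1
    done
    return "$failed"
}

# Acts only when called with --run (as root, e.g. from a LaunchDaemon).
if [ "${1:-}" = "--run" ]; then
    if remove_apps "AppToRemove.app" "OtherApp.app"; then
        jamf removeFramework   # last step, only after cleanup succeeded
    else
        echo "cleanup incomplete; Jamf framework left in place"
        exit 1
    fi
fi
```

Run without `--run`, the script only defines the functions, so the name checks can be exercised against a scratch directory by setting `APPS_ROOT` first.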