Migrating From Airwatch to JAMF

alexmcclements
Contributor

I am standing up a JAMF Cloud for a firm that currently uses Airwatch. I have a script to remove the agent and the majority of the profiles. I've hit a snag with profiles marked non-removable: SIP has invalidated the good old -forced option, and I can't find Airwatch's version of sudo jamf removeFramework.

Has anyone else had any luck with this?


mainelysteve
Valued Contributor II

@alexmcclements How many machines are we talking about here? If Air Watch doesn't have the ability to remove the MDM profile from its console then you'll need to boot each machine into the recovery partition and dump the remaining profiles using terminal. See here.

My suggestion is to not remove the contents of the ConfigurationProfiles directory; rather, cd into the Setup folder (/var/db/ConfigurationProfiles/Setup) and empty its contents. Just make sure you're in the correct volume, i.e. /Volumes/Macintosh HD and not the recovery partition volume. While you're there, remove the apsd.keychain file as well in the root /Library/Keychains/ directory. You can then issue a DEP enrollment from Terminal once you've booted into the OS.

Unless there is an easier option I'm not aware of, that's what I've done in the past with mostly successful results.

alexmcclements
Contributor

Sweet, I'll give that a go.

KyleEricson
Valued Contributor II

@alexmcclements I made this guide on how to do this. Read here

Read My Blog: https://www.ericsontech.com

smpotter
New Contributor III

I'm currently in the process of doing this at my company; below is how I'm handling it...
- Create package with LaunchDaemon, script, and QuickAdd pkg.
- Deploy package
- Once package is installed, send Enterprise Wipe from AW

We have successfully done over 300 devices so far with very few issues.

marklamont
Contributor III

I have exactly this at a client, and deleting the device from Airwatch removes the MDM profile and all the other profiles.
My method checks for the MDM profile being there, and if it is, it messages and stops. If it has gone, it deletes all of the Airwatch program using their own uninstall script, then enrolls in JAMF and does some other stuff.

Just make sure your migration toolset is deployed prior to deleting, and delete just prior to migrating, as the Airwatch binary starts nagging the user to death!

alexmcclements
Contributor

@smpotter I take it your LaunchDaemon checks to see if the Airwatch profile is gone before installing the QuickAdd? Otherwise, wouldn't you need to re-enroll the device with JAMF?

smpotter
New Contributor III

Actually, the LaunchDaemon just runs a script that does a check for numerous things, and profiles is one of them. If the profiles are still installed, the script then exits and the LaunchDaemon will retry again in 30 mins.

This process has been working well for us so far...
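
The gate described in the posts above (check whether the old MDM enrollment is gone, exit and let the LaunchDaemon retry if it is not, install the QuickAdd package once it is), written out as an added example; it is not smpotter's or marklamont's script. It assumes macOS 10.13.4 or later for `profiles status -type enrollment`; the package path, the `--run` argument and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: migration gate for a LaunchDaemon that retries on an interval.
# Assumptions: macOS 10.13.4+ (`profiles status -type enrollment`);
# QUICKADD_PKG is a placeholder path, not taken from the thread.
QUICKADD_PKG="/path/to/QuickAdd.pkg"

# Classify `profiles status -type enrollment` output read from stdin.
# Prints one of: enrolled | clear | unknown
enrollment_state() {
    status_text=$(cat)
    case "$status_text" in
        *"MDM enrollment: Yes"*) echo enrolled ;;
        *"MDM enrollment: No"*)  echo clear ;;
        *)                       echo unknown ;;
    esac
}

# Decide what this run should do. Only a definite "clear" allows
# enrollment, so a failed or unparsable check never installs the package.
next_action() {
    case "$(printf '%s\n' "$1" | enrollment_state)" in
        clear) echo enroll ;;
        *)     echo wait ;;
    esac
}

main() {
    out=$(/usr/bin/profiles status -type enrollment 2>/dev/null)
    if [ "$(next_action "$out")" = "wait" ]; then
        echo "Old MDM enrollment still present or unknown; will retry"
        exit 0   # launchd starts the script again at its next interval
    fi
    /usr/sbin/installer -pkg "$QUICKADD_PKG" -target /
}

# Constructed sample outputs, for exercising the parser off-device.
SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_CLEAR='Enrolled via DEP: No
MDM enrollment: No'

# The LaunchDaemon would invoke the script with --run (hypothetical).
if [ "${1:-}" = "--run" ]; then main; fi
```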

mbezzo
Contributor III

@smpotter Are you willing to share a sanitized version of your script? We're just starting down this road and looking for the best method.

Thanks!
Matt