Prepare Institution Owned Laptop For Personal Use

TomDay
Release Candidate Programs Tester

Every year we offer our graduating seniors the opportunity to purchase their school owned laptop. With that we have an off-boarding process in Jamf that is executed via Self Service by our Team to execute a script to do the following:

  • Remove all licensed software.
  • Unbind from Active directory and convert the Mobile account to a local one (cool utility found here).
  • Remove the Jamf binary with "jamf -removeframework" and use the API to delete the Jamf record.

 

This year as I test on some computers, I find it to be a bit buggy with errors and spending lots of time troubleshooting a process that has ben rock solid the last couple of years. Is anyone doing something similar and can share how you handle this type of situation? Perhaps it's time for some major cleanup of how I handle these.

10 REPLIES 10

jamf-42
Valued Contributor II

remove from ABM

send remote wipe from jamf. 

AJPinto
Honored Contributor III

As @jamf-42 said, you want to wipe the devices. Without wiping the devices, you cannot ensure all data and configurations have been removed. 

 

Remove the Devices from Apple School Manager so they dont try to re-enroll with Automated Device Enrollment and Delete your Jamf records once the devices have been wiped and confirmed to have been wiped.

TomDay
Release Candidate Programs Tester

Yes we remove from ASM as well, but wiping the devices isn't a great option for us, we allow the students to take their data with them.

jamf-42
Valued Contributor II

for compliance / DLP and just everyones sanity wiping the device (along with FV key and more) is the only option. 

You could code something to migrate user data to a cloud provider.. or they migrate data to USB

Not wiping the device once sold is a very bad idea.. 

Chris_Hafner
Valued Contributor II

Hey Tom. I know where you are coming from. And while the previous statements here are technically true... meaning that you can only guarantee things when stuff is wiped, with that said, there are plenty of ways to do this. The biggest thing would be making sure that the end-user accounts have the secure token and are admins. What are the specific issues you're having? We do this for ALL students every year, but they are BYOD so not part of ASM, though we deal with those as well. I'd be glad to help check things with you. 

TomDay
Release Candidate Programs Tester

@jamf-42 Appreciate your input but DLP isn't a concern, we are a K-12 school, FV not used, what data loss would I be concerned about?

My 2 main issues are that the computers aren't getting unbound from AD but I am retesting that today. I reached  out to the Github owner and they found the bug, made a program update that should clear that up. The secondary issue is that the jamf -removeframework command wasn't working, getting an error in the log "/bin/bash: bad interpreter: Operation not permitted". I think I might have that fixed, might have been an issue with me updating the script, retesting that after an update this am.

The mobile account gets converted to a local account and is an admin but I am looking into the secure token piece, don't know much about that.

 

Chris_Hafner
Valued Contributor II

OK, setting the AD binding aside (BTW, is this really worth continuing in your environment?), the two issues you're having should be simple enough, I hope. First, you might be playing a chicken and egg game with the removeFramework command, permissions, and which account is actually running the command. We run our offboarding script as the administrative student from the /tmp directory.

As for the secure token... I don't think you need to worry if I understand your environment properly. Since these are DEP units, they will have the bootstrap token which will grant newly created accounts a secure token. Your student accounts are created in this fashion from the sounds of it. If these were BYOD, there would be other concerns here, which is what we have to deal with. Your process has a good failure state so long as they're removed from ASM, as you say. I'll be interested to hear what you're testing today produces. 

 

 

Just to add, this could work just fine even with FV2 setup. You would just need to pay a little more attention to the tokens and volume ownership.

TomDay
Release Candidate Programs Tester

@Chris_Hafner Great news the unbind is working again after a program update. Additionally removeFramework is working too as I realized I changed the timing of it in the scripts which messed things up. We use it from the administrative student from the /tmp directory as well. Finally, verified that the secureToken is enabled. Moving on to the EOY next project, this is all wrapped up, appreciate your input!

Chris_Hafner
Valued Contributor II

Nice work!