Prevent or Restore MDM Profile Removal

galihrengga
New Contributor II

Greetings.

My company uses JAMF Pro to manage our MacBooks, and it has a policy that users must have admin access, because most of them are programmers and they must have full control of their MacBooks.

One day I found that if I delete the MDM profile, I cannot restore it again unless I re-enroll the laptop in JAMF. I already implemented a self-heal script, but it doesn't work because the JAMF binary is still there and I can still use the command.

My friend suggested restricting access to "Profiles", but that can't help, since our users must have access to this menu for testing or allowing their mobileconfig files.

Is there any possibility to restore deleted MDM profiles automatically, or to prevent them from being deleted without restricting the Profiles menu?


nelsoni
Contributor II

In your PreStage enrollment, you will want to uncheck the box to prevent removal of the MDM profile. This will prevent even admins from removing it through the Profiles pane in System Preferences.

This will not prevent admins from being able to run the commands in Terminal to remove the MDM framework altogether, though.


damienbarrett
Valued Contributor

I believe you are asking how to limit access to the Profile system preferences pane. This is doable, but a better option would be to make certain of your MDM profiles not-removable. However, this requires your Macs to be supervised and enrolled in Apple's DEP (Apple Business Manager). Do you know if you have ABM (and DEP) set up?

bwoods
Contributor III

@galihrengga if your users weren't enrolled via ADE, I created a script to limit admin user "sudo" permissions. This will prevent them from running commands like "sudo jamf removeMDMProfile" and "sudo jamf removeFramework". This also works on machines enrolled via ADE. (But I'm assuming that the settings @nelsoni mentioned above would be in place.)

 

#!/bin/bash

# Identify the username of the logged-in user
# (scutil works on macOS releases that no longer ship /usr/bin/python)
currentUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')

# Stop if nobody is logged in; an empty username would produce an invalid sudoers file
if [ -z "$currentUser" ]; then
	echo "No console user found" >&2
	exit 1		## Failure
fi

# Create file named "standard" in a root-only temporary directory
# (a pre-existing /private/tmp/standard could belong to another user)
workDir=$(/usr/bin/mktemp -d) || exit 1

# Populate "standard" file with desired permissions
echo "$currentUser	ALL= (ALL) ALL
$currentUser	ALL= !/usr/bin/passwd root, !/usr/bin/defaults, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /private/etc/sudoers, !/usr/bin/sudo -e /etc/sudoers, !/usr/bin/sudo -e /private/etc/sudoers, !/usr/local/bin/jamf" > "$workDir/standard"

# Check the syntax before installing; a broken file in sudoers.d breaks sudo
if ! /usr/sbin/visudo -cf "$workDir/standard"; then
	rm -rf "$workDir"
	exit 1		## Failure
fi

# Move "standard" file to /etc/sudoers.d
mv "$workDir/standard" /etc/sudoers.d/standard
rmdir "$workDir"

# Change owner and permissions for "standard" file
chown root:wheel /etc/sudoers.d/standard
chmod 644 /etc/sudoers.d/standard

exit 0		## Success

 

 

AJPinto
Contributor III

If they are all admins they should have sudo access also. I don't think there is a way to restrict the JAMF terminal commands. If someone knows the JAMF removemdmprofile command there is not really anything you can do to stop them from removing the MDM profile as far as I am aware without messing with sudoers.

May want to consider managing sudoers as @bwoods suggested. Caution on removing your ability to run the sudo jamf removemdmprofile command in case you ever need to troubleshoot a device. May also want to restrict jamf removeFramework while you are at it. Be very careful messing with sudoers and only use visudo to modify sudoers or sudoers.d. It's best to mess with sudoers.d rather than sudoers itself.
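
The rule ordering that the sudoers.d file discussed above depends on, as an added example that is not part of the thread or of any poster's script: sudoers(5) applies the last matching entry, so the deny list only takes effect because it comes after the `ALL` grant. The function name `effective_rule`, the user `devuser` and the sample files are assumptions constructed for illustration, and the model is deliberately simplified.

```shell
#!/bin/bash
# Simplified model of sudoers(5) "last match wins" for one user and one command.
# Not modelled: aliases, group entries such as %admin, Defaults, include directives.

# effective_rule USER CMD FILE  -> prints "allow", "deny" or "none"
effective_rule() {
    local user=$1 cmd=$2 file=$3 state=none line spec item
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$user"[[:space:]]*) ;;      # a rule for this user
            *) continue ;;               # comments and other users' rules
        esac
        # Keep the text after "host =" and drop an optional "(runas)" prefix
        spec=$(printf '%s' "${line#*=}" | sed -E 's/^[[:space:]]*\([^)]*\)//')
        # Walk the comma-separated command list; a later item overrides an earlier one
        while [ -n "$spec" ]; do
            item=${spec%%,*}
            [ "$item" = "$spec" ] && spec= || spec=${spec#*,}
            item=$(printf '%s' "$item" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            case $item in
                ALL|"$cmd"|"$cmd "*) state=allow ;;
                "!$cmd"|"!$cmd "*)   state=deny ;;
            esac
        done
    done < "$file"
    printf '%s\n' "$state"
}

# Constructed samples for a hypothetical user "devuser"
sample=$(mktemp)      # grant first, deny list second (the order the script writes)
printf '%s\n' 'devuser ALL= (ALL) ALL' \
    'devuser ALL= !/usr/sbin/visudo, !/usr/local/bin/jamf' > "$sample"
reversed=$(mktemp)    # same two rules in the opposite order
printf '%s\n' 'devuser ALL= !/usr/sbin/visudo, !/usr/local/bin/jamf' \
    'devuser ALL= (ALL) ALL' > "$reversed"

effective_rule devuser /usr/local/bin/jamf "$sample"      # deny
effective_rule devuser /usr/local/bin/jamf "$reversed"    # allow: the later ALL wins
effective_rule itadmin /usr/local/bin/jamf "$sample"      # none: no rule for this user
```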

bwoods
Contributor III

The script above only manages sudoers.d, by the way. It also only affects the logged-in user. If you have an IT account, you can continue running jamf binary commands with it. If you want to revert the changes made, simply run the script below.

#!/bin/bash

# Remove the sudoers.d file created by the script above
if rm -f /etc/sudoers.d/standard; then
	exit 0		## Success
fi

exit 1		## Failure