Posted on 11-09-2018 05:07 AM
Is there a way to prevent local administrators from removing the JAMF Binary with jamf removeFramework?
We still need local administrator accounts for our professors but don't want them to be able to delete the JAMF Framework.
Posted on 07-03-2019 04:55 AM
@jameson it's not always within our control. But as admins I (we) rarely find out until it's been a while, be it from a bug in the JSS upgrades that breaks the connection or users who, knowingly or not, break it. A failsafe should be in place. I've seen it with AV products and other security-focused products that actively prevent tampering with their binaries. Why not jamf? Until jamf adds it, we as admins need to have some sort of mechanism to fill the need.
Posted on 07-03-2019 05:36 AM
@ryan.ball you're the man!!
OK, everyone, it seems we are temporarily solo in this endeavor. I spoke with Support and they have been great. However, their response was:
I did speak with a few others to ensure I wasn't missing anything and as of right now, if the users are admins and have access to terminal there isn't a way to lock down the Jamf binary.
CHALLENGE ACCEPTED!!
So I might submit it as an Enhancement Request. But I am sure we all can come up with a workaround that would work to our advantage soon.
I love this community!
Posted on 03-10-2021 03:45 PM
Bump to the need of password protecting jamf removeframework OR a health check/re-enroll launchdaemon
macOS Supervision is just not as robust as mobile OSes
Posted on 03-10-2021 04:44 PM
Give one warning and then fire the next person who does it. Odds are good they will stop messing with it. Some solutions do not require technical expertise.
Posted on 03-10-2021 08:04 PM
Considering an automated re-enroll won't be an option with Big Sur and beyond, I think the best solution is to make sure Jamf is a requirement for accessing the network and company resources. If someone runs removeFramework or removes the MDM profile, make sure they lose their machine certificate as well. Our Macs would lose all network/VPN access as well as conditional access.
That said, we have security agents that are very hard to remove and require some safe mode shenanigans, so Jamf surely can do better than having removeFramework be so accessible.
Posted on 03-10-2021 08:47 PM
We capture Macs which have not been checking in for 30 days or longer, and automatically send weekly emails to users with CC to their managers. At any time it can easily be changed to CC/BCC HR. So, "now we have your attention" :) Users who were consistently ignoring any emails from IT are now responding back.
Posted on 03-22-2021 09:48 AM
I will echo @mhasman's idea here. The best way to track this is to capture data and build intelligence around devices not checking in or submitting inventory. A 30-day threshold seems to be a great target area. We are already doing this. Adding tamper protection to the jamf binary sounds like it will cause way more problems than it will solve.
Also, look at adding other tools to your tools stack as just having jamf is a single point of failure. Then have the other tools health check each other.
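The stale check-in report described in the last few posts, as an added example that is not code from any poster or from Jamf: it flags Macs whose last check-in or inventory submission is 30 days old or more and groups them into one notice per user with the manager on CC. The record field names and the sample inventory are constructed assumptions, not Jamf's export schema.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # "30 days or longer", as in the thread
FIELDS = ("last_checkin", "last_inventory")  # hypothetical field names

# Constructed sample export; a real one would come from your MDM's reporting.
INVENTORY = [
    {"name": "mac-001", "user": "a@example.edu", "manager": "m1@example.edu",
     "last_checkin": "2021-03-20T00:00:00+00:00", "last_inventory": "2021-03-19T00:00:00+00:00"},
    {"name": "mac-002", "user": "b@example.edu", "manager": "m1@example.edu",
     "last_checkin": "2021-02-01T00:00:00+00:00", "last_inventory": "2021-01-30T00:00:00+00:00"},
    # Still checks in, but has stopped submitting inventory.
    {"name": "mac-003", "user": "b@example.edu", "manager": "m1@example.edu",
     "last_checkin": "2021-03-21T00:00:00+00:00", "last_inventory": "2021-02-10T00:00:00+00:00"},
    # Enrolled record that has never checked in.
    {"name": "mac-004", "user": "c@example.edu", "manager": "m2@example.edu",
     "last_checkin": None, "last_inventory": "2021-03-21T00:00:00+00:00"},
]

def stale_devices(records, now, threshold=STALE_AFTER):
    """Return records with a missing or too-old timestamp, plus the reasons."""
    flagged = []
    for rec in records:
        reasons = []
        for field in FIELDS:
            raw = rec.get(field)
            if not raw:
                reasons.append(f"{field}: never")
                continue
            age = now - datetime.fromisoformat(raw)
            if age >= threshold:
                reasons.append(f"{field}: {age.days} days ago")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged

def build_notices(stale, cc_hr=None):
    """One notice per user, manager on CC; cc_hr optionally adds an HR address."""
    notices = {}
    for rec in stale:
        n = notices.setdefault(rec["user"], {"to": rec["user"], "cc": set(), "devices": []})
        n["cc"].add(rec["manager"])
        if cc_hr:
            n["cc"].add(cc_hr)
        n["devices"].append((rec["name"], rec["reasons"]))
    return [{**n, "cc": sorted(n["cc"])} for n in notices.values()]

if __name__ == "__main__":
    now = datetime(2021, 3, 22, tzinfo=timezone.utc)
    for notice in build_notices(stale_devices(INVENTORY, now)):
        print(notice)
```

Checking both timestamps separately catches the machine that still checks in but no longer reports inventory, which a check-in-only report would miss.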