Prevent removal of JAMF binary by local admin

j_meister
Contributor II

Is there a way to prevent local administrators from removing the JAMF Binary with

jamf removeFramework

?

We still need local administrator accounts for our professors but don't want them to be able to delete the JAMF Framework.

46 REPLIES 46

jwojda
Valued Contributor II

@jameson it's not always within our control. But as admins I (we) rarely find out until it's been a while. Be it from a bug in the JSS upgrades that breaks the connection or users, knowingly or not, break it. A failsafe should be in place. I've seen it with AV products and other security focused products that actively prevent tampering with their binaries. Why not jamf? Until jamf adds it, we as admins need to have some sort of mechanism to fill the need.

CorpIT_eB
Contributor II

@ryan.ball you're the man!!

Ok, Everyone it seems as we are temporarily solo in this endeavor I spoke with Support and they have been great. However there response was:

I did speak with a few others to ensure I wasn't missing anything and as of right now, if the users are admins and have access to terminal there isn't a way to lock down the Jamf binary.

CHALLENGE ACCEPTED!!

So I might submit it as a Enhancement Request. But I am sure we all can come up with a work around that would work to our advantage soon.

I love this community!

kevin_v
Contributor

Bump to the need of password protecting jamf removeframework OR a health check/re-enroll launchdaemon

macOS Supervision is just not as robust as mobile OSes

tomt
Valued Contributor

Give one warning and then fire the next person who does it. Odds are good they will stop messing with it. Some solutions do not require technical expertise.

alexjdale
Valued Contributor III

Considering an automated re-enroll won't be an option with Big Sur and beyond, I think the best solution is to make sure Jamf is a requirement for accessing the network and company resources. If someone runs removeFramework or removes the MDM profile, make sure they lose their machine certificate as well. Our Macs would lose all network/VPN access as well as conditional access.

That said, we have security agents that are very hard to remove and require some safe mode shenanigans, so Jamf surely can do better than having removeFramework be so accessible.

mhasman
Valued Contributor

We capture Macs which are not checking in for 30 days or longer, and automatically send weekly emails to users with CC to their managers. Anytime it can be easily changed with CC/BCC to HR. So, "now we have your attention" :) Users who were consistently ignoring any emails from IT, now responding back

tlarkin
Honored Contributor

I will echo @mhasman 's idea here. The best way to track this is to capture data and build intelligence around devices not checking in or submitting inventory. 30 day threshold seems to be the a great target area. We are already doing this. Adding tamper protection to the jamf binary sounds like it will cause way more problems than it will solve.

Also, look at adding other tools to your tools stack as just having jamf is a single point of failure. Then have the other tools health check each other.