@ryan.ball you're the man!!
Ok, everyone, it seems we are temporarily solo in this endeavor. I spoke with Support and they have been great. However, their response was:
I did speak with a few others to ensure I wasn't missing anything and as of right now, if the users are admins and have access to terminal there isn't a way to lock down the Jamf binary.
So I might submit it as an Enhancement Request. But I am sure we all can come up with a workaround that would work to our advantage soon.
I love this community!
Considering an automated re-enroll won't be an option with Big Sur and beyond, I think the best solution is to make sure Jamf is a requirement for accessing the network and company resources. If someone runs removeFramework or removes the MDM profile, make sure they lose their machine certificate as well. Our Macs would lose all network/VPN access as well as conditional access.
That said, we have security agents that are very hard to remove and require some safe mode shenanigans, so Jamf surely can do better than having removeFramework be so accessible.
We capture Macs which are not checking in for 30 days or longer, and automatically send weekly emails to users with CC to their managers. At any time it can be easily changed to CC/BCC HR. So, "now we have your attention" 🙂 Users who were consistently ignoring any emails from IT are now responding back.
I will echo @mhasman's idea here. The best way to track this is to capture data and build intelligence around devices not checking in or submitting inventory. A 30-day threshold seems to be a great target area. We are already doing this. Adding tamper protection to the jamf binary sounds like it will cause way more problems than it will solve.
Also, look at adding other tools to your tool stack, as just having jamf is a single point of failure. Then have the other tools health check each other.
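As an added illustration of the "30 days without a check-in" detection the last two posts describe (example code written for this page, not a script from any of the posters or from Jamf), the following Python takes a small inventory export and returns the devices that have not checked in within the threshold, then builds the per-user notification with the manager on CC and an optional BCC to HR. The inventory records, addresses and dates are constructed for the example; in practice the records would come from your Jamf Pro inventory export and the notification dictionaries would be handed to whatever mail step you already use. A device with no recorded check-in at all is treated as stale, since silence is the very condition the thread wants surfaced.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data). The fields mirror what an
# inventory export typically carries: device name, assigned user, the
# user's manager, and the last check-in timestamp in ISO 8601 UTC.
SAMPLE_INVENTORY = [
    {"name": "mac-001", "user": "alice@example.com", "manager": "m1@example.com",
     "last_checkin": "2024-05-28T09:15:00Z"},
    {"name": "mac-002", "user": "bob@example.com", "manager": "m1@example.com",
     "last_checkin": "2024-04-01T17:40:00Z"},
    {"name": "mac-003", "user": "carol@example.com", "manager": "m2@example.com",
     "last_checkin": None},  # never checked in since enrollment
    {"name": "mac-004", "user": "dave@example.com", "manager": "m2@example.com",
     "last_checkin": "2024-04-30T08:00:00Z"},
]

# Fixed "now" so the example is reproducible; a real run would use
# datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_checkin(value):
    """Parse an ISO 8601 timestamp; None (or empty) means no check-in on record."""
    if not value:
        return None
    # fromisoformat() on Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_devices(inventory, now, threshold_days=30):
    """Return records whose last check-in is older than the threshold.

    Devices with no check-in at all are included, with days_since_checkin=None,
    because "never reported" must not slip through as "not yet stale".
    """
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for rec in inventory:
        last = parse_checkin(rec["last_checkin"])
        if last is None or last < cutoff:
            days = None if last is None else (now - last).days
            stale.append({**rec, "days_since_checkin": days})
    return stale


def build_notifications(stale, escalate_to_hr=False, hr="hr@example.com"):
    """Build one message per stale device: user on To, manager on CC, HR on BCC
    only when escalation is switched on (the thread's "now we have your attention")."""
    notes = []
    for rec in stale:
        if rec["days_since_checkin"] is None:
            detail = "has never checked in to management"
        else:
            detail = f"has not checked in for {rec['days_since_checkin']} days"
        msg = {
            "to": rec["user"],
            "cc": [rec["manager"]],
            "bcc": [hr] if escalate_to_hr else [],
            "subject": f"[IT] Action required: {rec['name']} {detail}",
            "device": rec["name"],
        }
        notes.append(msg)
    return notes


def run_example(escalate_to_hr=False):
    """Run the detection over the constructed inventory and return (stale, notifications)."""
    stale = find_stale_devices(SAMPLE_INVENTORY, EXAMPLE_NOW, threshold_days=30)
    return stale, build_notifications(stale, escalate_to_hr=escalate_to_hr)


if __name__ == "__main__":
    stale, notes = run_example(escalate_to_hr=True)
    for n in notes:
        print(f"{n['device']}: to={n['to']} cc={n['cc']} bcc={n['bcc']}")
        print(f"  {n['subject']}")
```

The check is deliberately based on the server-side last check-in time rather than anything reported by the client, so a Mac whose jamf binary has been removed still shows up: it simply stops updating that timestamp. Keeping the threshold and the HR escalation as parameters matches the thread's point that the policy, not the tooling, is what you tune.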