Remote Removal of JAMF Binary

TomDay
Release Candidate Programs Tester

We have an employee that left our org, and the user was issued the laptop permanently for their personal use. Best way to accomplish them not being managed anymore would be to give them instructions for "jamf removeframework" and then delete the device from our JSS I am thinking. Any other recommendations or something I'm missing? The user is across the country now so I'll have to give them detail on how to do this themselves. Any pkgs around that would automate this so I don't have to have them using Terminal?

Thanks, Tom

1 ACCEPTED SOLUTION

mscottblake
Valued Contributor

@TomDay Have a look at this post. I think it's exactly what you're looking for. If not, it should get you there.

The script creates a launchdaemon to removeframework, but still allows it to report that it ran the policy. You can manually delete the machine afterwards, or you could modify the script to delete the computer with the API.

10 REPLIES

thoule
Valued Contributor II

You can save a text file with the extension filename.command and it'll be double-clickable. So a shell script to 'sudo jamf removeframework' may be the easiest way. You may also want to delete the management account 'sudo jamf deleteAccount -username MGT -deleteHomeDirectory'. Also remove any company licensed software. Do you use an institutional FileVault key? Maybe remove that from /Library/Keychains/.

TomDay
Release Candidate Programs Tester

@thoule @mscottblake Thank you both for your advice. The script worked perfectly.

-Tom

command_prompt
New Contributor

@TomDay @thoule @mscottblake, the post that was referred to is no longer there, do any of you have any info? Greatly appreciated.

-Ewa

mscottblake
Valued Contributor

@command_prompt It looks like Jamf changed the structure of the Jamf Nation URLs since that post. The post I referred to above can be found here. However, I haven't run this code in quite some time and no longer know if it works.

command_prompt
New Contributor

@mscottblake thanks, will give it a try and let you know!

TomDay
Release Candidate Programs Tester

@command_prompt It's been a really long time since I used this, luckily I still had the script archived. It is below, you'll have to modify the reference to /usr/sbin piece and then apply to a policy:

#!/bin/bash
# This script runs one last recon, updates the JSS API to show the machine is unmanaged, and then creates a launchd to remove the jamf framework.



# Identify the location of the jamf binary for the jamf_binary variable.
CheckBinary (){
    # Identify location of jamf binary.
    jamf_binary=`/usr/bin/which jamf`

    if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi
}

# Update the computer inventory
RunRecon (){
    "$jamf_binary" recon
}

# Create a temp launchd job in /private/tmp/ that uses a RunAtLoad key of false and StartInterval of 60 seconds
# This is done so that the script can return a result to the JSS before 
CreateLaunchd (){
    # A here-document keeps the double quotes inside the XML intact;
    # inside a double-quoted echo string the shell would strip them and emit an invalid plist.
    # $jamf_binary is still expanded because the EOF delimiter is unquoted.
    cat > /private/tmp/removetools.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>tmp_removeframework</string>
    <key>ProgramArguments</key>
    <array>
        <string>$jamf_binary</string>
        <string>removeFramework</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>StartInterval</key>
    <integer>60</integer>
</dict>
</plist>
EOF

    chown root:wheel /private/tmp/removetools.plist
    chmod 644 /private/tmp/removetools.plist 

    /bin/launchctl load /private/tmp/removetools.plist
}

CheckBinary
RunRecon
CreateLaunchd

howie_isaacks
Valued Contributor II

This is an awesome idea! I can't believe I didn't think of this.

Chris_Hafner
Valued Contributor II

That works. I did want to give an alternative thought though. We have to off-board lots of students every year. During our offboarding process a script is loaded into /tmp. There is a one-liner in the script that simply calls

/usr/local/jamf/bin/jamf -removeFramework

We also have a couple of CURL commands that remove the machine from the JSS after that's been completed. At the end of the script, the computer reboots and the contents of /tmp are removed. Nice and clean.

philipwoods
New Contributor III

Thanks for sharing @TomDay 

The launch daemon with a delay is a great idea for doing this gracefully.

We've just followed that up with a remote command to remove the MDM profile and all management removed!
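
A post-removal check covering the leftovers mentioned across this thread (jamf binary paths, the temporary launchd job, the institutional FileVault key, the management account), as an added example that is not part of any poster's script. The ROOT argument, the com.jamfsoftware launchd prefix, the FileVaultMaster file name and the /Users home location are assumptions of this example; MGT is the placeholder account name used above.

```bash
#!/bin/bash
# Added example: report management leftovers after "jamf removeFramework".
# ROOT (arg 1, default /) lets the check run against a mounted or test tree.
# ACCT (arg 2, default MGT) is the management account short name.

audit_leftovers() {
    local root="${1%/}" acct="${2:-MGT}" p

    # jamf binary locations that appear in this thread (-L catches dangling symlinks)
    for p in /usr/sbin/jamf /usr/local/bin/jamf /usr/local/jamf/bin/jamf; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "jamf binary still present: $p"
        fi
    done

    # temporary launchd job written by the removal script
    p=/private/tmp/removetools.plist
    if [ -e "$root$p" ]; then echo "temporary launchd job still present: $p"; fi

    # assumption: Jamf launchd jobs use the com.jamfsoftware prefix
    for p in "$root"/Library/LaunchDaemons/com.jamfsoftware.*.plist; do
        if [ -e "$p" ]; then echo "launch daemon still present: ${p#"$root"}"; fi
    done

    # assumption: the institutional FileVault key is stored under its usual name
    for p in "$root"/Library/Keychains/FileVaultMaster.*; do
        if [ -e "$p" ]; then echo "institutional FileVault key still present: ${p#"$root"}"; fi
    done

    # assumption: the management account home lives under /Users
    if [ -d "$root/Users/$acct" ]; then
        echo "management account home still present: /Users/$acct"
    fi
    return 0
}

# Number of findings, for use in a policy result or a .command wrapper
count_leftovers() {
    audit_leftovers "$@" | grep -c . || true
}

# Default run: list findings for the live system
audit_leftovers "${1:-/}" "${2:-MGT}"
```

This looks at files only; the MDM enrollment profile and the computer record on the server are handled separately, as the replies above describe.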