Remote Removal of JAMF Binary

TomDay
Release Candidate Programs Tester

We have an employee that left our org, and the user was issued the laptop permanently for their personal use. Best way to accomplish them not being managed anymore would be to give them instructions for "jamf removeframework" and then delete the device from our JSS I am thinking. Any other recommendations or something I'm missing? The user is across the country now so I'll have to give them detail on how to do this themselves. Any pkgs around that would automate this so I don't have to have them using Terminal?

Thanks, Tom

1 ACCEPTED SOLUTION

mscottblake
Valued Contributor

@TomDay Have a look at this post. I think it's exactly what you're looking for. If not, it should get you there.

The script creates a launchdaemon to removeframework, but still allows it to report that it ran the policy. You can manually delete the machine afterwards, or you could modify the script to delete the computer with the API.

View solution in original post

8 REPLIES 8

thoule
Valued Contributor II

You can save a text file with the extension filename.command and it'll be double-clickable. So a shell script to 'sudo jamf removeframework' may be the easiest way. You may also want to delete the management account 'sudo jamf deleteAccount -username MGT -deleteHomeDirectory'. Also remove any company licensed software. Do you use an institutional filevault key? Maybe remove that from /Library/Keychains/.

mscottblake
Valued Contributor

@TomDay Have a look at this post. I think it's exactly what you're looking for. If not, it should get you there.

The script creates a launchdaemon to removeframework, but still allows it to report that it ran the policy. You can manually delete the machine afterwards, or you could modify the script to delete the computer with the API.

View solution in original post

TomDay
Release Candidate Programs Tester

@thoule @mscottblake Thank you both for your advice. The script worked perfectly.

-Tom

command_prompt
New Contributor

@TomDay @thoule @mscottblake , the post that was referred to is no longer there, does any of you have any info? Greatly appreciated.

-Ewa

mscottblake
Valued Contributor

@command_prompt It looks like Jamf changed the structure of the Jamf Nation URLs since that post. The post I referred to above can be found here. However, I haven't run this code in quite some time and no longer know if it works.

command_prompt
New Contributor

@mscottblake thanks, will give it a try and let you know!

TomDay
Release Candidate Programs Tester

@command_prompt Its been a really long time since I used this, luckily I still had the script archived. It is below, you'll have to modify the reference to /usr/sbin piece and then apply to a policy:

#!/bin/bash
# This script runs one last recon, updates the JSS API to show the machine is unmanaged, and then creates a launchd to remove the jamf framework.



# Identify the location of the jamf binary for the jamf_binary variable.
CheckBinary (){
    # Identify location of jamf binary.
    jamf_binary=`/usr/bin/which jamf`

    if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi
}

# Update the computer inventory
RunRecon (){
    $jamf_binary recon
}

# Create a temp launchd job in /private/tmp/ that uses a RunAtLoad key of false and StartInterval of 60 seconds
# This is done so that the script can return a result to the JSS before 
CreateLaunchd (){
    echo "<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>tmp_removeframework</string>
        <key>ProgramArguments</key>
        <array>
            <string>$jamf_binary</string>
            <string>removeFramework</string>
        </array>
        <key>RunAtLoad</key>
        <false/>
        <key>StartInterval</key>
        <integer>60</integer>
    </dict>
    </plist>" > /private/tmp/removetools.plist

    chown root:wheel /private/tmp/removetools.plist
    chmod 644 /private/tmp/removetools.plist 

    /bin/launchctl load /private/tmp/removetools.plist
}

CheckBinary
RunRecon
CreateLaunch

Chris_Hafner
Valued Contributor II

That works. I did want to give an alternative thought though. We have to off-board lots of students every year. During our offboarding process a script is loaded into /tmp. There is a one-liner int he script that simply calls

/usr/local/jamf/bin/jamf -removeFramework

We also have a couple of CURL commands that remove the machine from the JSS after that's been completed. At the end fo the script, the computer reboots and the contents of /tmp are removed. Nice and clean.