Remove software before removing Self-Service

vbippus
New Contributor

Hi all,

I am wondering about some way to trigger policies when a user executes sudo jamf removeFramework.

In fact I would like to avoid users installing Self-Service, getting software from there and then just removing Self-Service and keeping the installed software forever.

I would appreciate any idea that might help with this!

Thanks!

Vincent

5 REPLIES

thoule
Valued Contributor II

If users are admins on their machines, you're not going to prevent them from doing anything. Additionally, jamfRemoveFramework can't invoke any other pre-actions.

That said, you have two options. You can create a LaunchD which runs a script to look for Jamf. If found, exit nicely. If not found, delete a list of applications... Or you can have a button in self service which deletes the apps in question, then removes the jamf binary. Neither is a great option, but they are the only two that quickly come to mind.

You could also make sure CasperCheck is installed so removeFramework will just reinstall. But sadly, and repetitively, if the users are admins - you're not going to prevent anything...

Chris_Hafner
Valued Contributor II

Agreed with all above. However, you CAN get notified in several ways. That said, I'd go with CasperCheck.

mm2270
Legendary Contributor III

IOW, you can't prevent it from happening, but you can "repair" the damage with things like CasperCheck.

Outside of this though, this is really a people problem, not a technical one. You may want to discuss the issue with folks in HR in your organization. Explain that there is no foolproof technical solution to the problem, but you can make it harder for people to remove the management tools. But see if they are willing to put down a policy that would have some consequences for those who go above and beyond to remove the framework. It's not like jamf removeFramework runs itself! These users are actively seeking out the information and then using it, so there's no excuse they can come up with to create plausible deniability here. They know what they are doing, and without some type of policy on the books that forbids this, they are just going to keep doing it. Even things like CasperCheck can be circumvented pretty easily if they know where to look and have the requisite technical skills.

vbippus
New Contributor

Hi,

Many thanks for your replies!

Well, I don't care if people remove Self-Service: I do not even force them to install it.

I just do not want to have some Macs with licensed software (for which we manage distributed licenses) not managed by JAMF, because then I have no way to know which licenses could be deactivated and used for someone else.

It will probably stay as it is now, and the case is not showing up too often, but I would have liked to be able to create some "before removing" actions.

Thank you again for having taken the time to reply :)

Cheers,

Vincent

mm2270
Legendary Contributor III

Ah, OK, I see what you mean now. It's more about making sure the licensed software leaves with the management when it's removed. Well, in that case, I believe the only effective way would be to use a process like @thoule mentioned. Use a LaunchDaemon deployed with a custom script, which can run maybe once a day to check to see if the jamf binary and Self Service are present, or some other way of identifying unmanaged systems. If it comes back positive, have the script remove a list of applications it knows about. IOW, it would need to be a local process, not dependent on anything Casper/Jamf Pro related since once the framework is removed, you can't run any policies on it. And there are no "run before framework removal" triggers available to you.

It would be nice if there was some way to tie deployed apps to the framework, and have them auto removed when the latter is, similar to how apps can be removed from iOS devices when the device management configuration profiles are deleted. I suspect eventually Apple may implement something like this, but we're not there yet I believe.
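
The local check that thoule and mm2270 describe, as an added example (not code from any poster in this thread or from Jamf): a script a LaunchDaemon could start once a day, which removes a known list of licensed apps only after the jamf binary has been missing on several consecutive runs, so a framework reinstall in progress does not trigger it. The binary path, counter file, grace period, `--run` argument and app names are assumptions or placeholders.

```shell
#!/bin/bash
# Added example: daily local check, started by a LaunchDaemon with "--run".
# Paths and app names are assumptions/placeholders, not taken from the thread.
ROOT="${ROOT:-}"                         # path prefix; empty on a real Mac
JAMF_BIN="/usr/local/bin/jamf"           # assumed location of the jamf binary
STATE="/var/db/.license_cleanup_misses"  # hypothetical counter file
GRACE_RUNS="${GRACE_RUNS:-3}"            # consecutive misses before removal
DRY_RUN="${DRY_RUN:-1}"                  # 1 = report only, 0 = really delete

# Hypothetical list of licensed apps that were deployed through Self Service.
LICENSED_APPS="/Applications/Example Licensed App.app
/Applications/Another Licensed Tool.app"

is_managed() { [ -x "${ROOT}${JAMF_BIN}" ]; }

# Increment and print the number of consecutive runs without the framework.
record_miss() {
  local n=0
  [ -f "${ROOT}${STATE}" ] && n=$(cat "${ROOT}${STATE}")
  n=$((n + 1))
  echo "$n" > "${ROOT}${STATE}"
  echo "$n"
}

# Remove (or, in dry-run mode, only report) each listed bundle that exists.
remove_licensed_apps() {
  local app
  while IFS= read -r app; do
    case "$app" in /Applications/*.app) ;; *) continue ;; esac  # sanity guard
    [ -d "${ROOT}${app}" ] || continue
    echo "license-cleanup: ${app} (dry_run=${DRY_RUN})" >&2
    if [ "$DRY_RUN" = "0" ]; then rm -rf -- "${ROOT}${app}"; fi
  done <<EOF
$LICENSED_APPS
EOF
}

# One pass: reset the counter while managed, clean up after the grace period.
run_check() {
  local misses
  if is_managed; then
    rm -f "${ROOT}${STATE}"; echo "managed"; return 0
  fi
  misses=$(record_miss)
  if [ "$misses" -ge "$GRACE_RUNS" ]; then
    remove_licensed_apps; echo "cleanup"
  else
    echo "waiting ${misses}/${GRACE_RUNS}"
  fi
}

if [ "${1:-}" = "--run" ]; then run_check; fi
```

As the replies above note, a user with admin rights can unload the LaunchDaemon or delete the script just as easily as the framework, so this narrows the gap rather than closing it.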