Posted on 04-14-2016 11:17 AM
Hey everyone so I am currently using the following to remove AD accounts on machines for termed employees. Not the exact script but you get the idea.
#!/bin/sh
# Refuse to run with an empty username: "rm -rf /Users/" would wipe every home folder.
[ -n "$username" ] || { echo "username is not set" >&2; exit 1; }
dscl . -delete "/Users/$username"   # remove the local/AD-cached account record
sleep 10
rm -rf "/Users/$username"           # remove the home folder
sleep 10
jamf recon                          # update inventory in the JSS
Now the JSS shows the account has been removed correctly and when you do a dscl read it shows the account is gone. The problem is "MDM Capable Users" still shows the old user and it won't go away unless you do something that is extremely intrusive.
#!/bin/sh
jamf removeMdmProfile   # removes the MDM profile for every user on the machine
sleep 10
jamf manage             # re-enrolls the computer in management
sleep 10
jamf recon              # update inventory in the JSS
This can't be by design, can it? It seems like a very intrusive step to simply remove an AD user. Is there another way to get the MDM Capable User removed without having to completely unmanage and remanage the computer?
Posted on 04-14-2016 11:53 AM
We're using 9.73 and seeing similar results. While it's annoying, it's not a deal breaker. I'd love to know if there is a simple fix.
Posted on 04-14-2016 12:13 PM
This is a big deal for us because we have audits, and they simply won't accept the answer of "it's really gone, this is just a false reading"; if they see it, we fail.
Posted on 04-14-2016 02:41 PM
Are you re-imaging the computers when you give them to a new person? If so, and if those are all the commands it takes, then add a script to run on first boot that does jamf removemdmprofile and then jamf mdm to re-enable MDM. It might get interesting results running that under the Temp Adobe Install account that Casper Imaging uses, but it's worth a try. But yeah, I've also wondered why old MDM users stay behind in a computer's record.
Posted on 04-14-2016 09:49 PM
No, basically we are removing tech accounts from people who ignored us (told to log in with the service account and not their AD accounts) and users who are no longer with the company. We have extremely strict audits, seeing as we are a global financial institution, and when we have been having said audits our compliance has been called to the forefront based on this issue. Essentially, we as admins know that these users are no longer a threat, but when audit pulls the report and sees "MDM Capable User: Matt" we fail, even though Matt is no longer installed on the box and we can show them through an EA (using DSCL). It's also an annoyance. I spoke to our JAMF Account Manager and he verified that this is currently the only way to manage this situation.
1.) dscl . -delete /Users/matt
2.) rm -rf /Users/Matt or /private/var/Matt
3.) jamf removeMdmProfile -verbose (this is a very risky thing to do IMHO in production so I used verbose)
4.) jamf manage -verbose or I suppose you could use jamf mdm -verbose
5.) jamf -recon
This will:
1.) Remove the computer from the internal directory service
2.) Remove the users home folder
3.) Unmanage all users from MDM, removing Configuration Profiles for all users
4.) Re-Manage MDM for all users on the machine, downloading and installing Configuration Profiles
5.) Update inventory.
What we need is the ability to do something like this:
jamf -removeMdmProfile -username Matt
jamf -removeMdmProfile -userid 503
Or something to that effect which would essentially allow us to unmanage a single user by the local username or UID.
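A guarded version of the five-step sequence above, added here as an example and not code from the thread: it refuses empty, malformed or protected account names before anything is deleted, and the SERVICE_ACCOUNT name and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: guarded removal of a single local/AD account plus the
# MDM re-manage steps from the thread. SERVICE_ACCOUNT and DRY_RUN are assumed.
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-svc_casper}"   # local admin that must never be removed
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print commands instead of running them

# Return 0 only if "$1" is a plausible, non-protected local account name.
validate_target_user() {
    # Empty name: "rm -rf /Users/$username" would otherwise wipe every home folder.
    [ -n "$1" ] || return 1
    # Only a simple account-name charset; no slashes, spaces, leading dot or dash.
    case "$1" in
        *[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    esac
    # Never touch root, the management service account, or hidden _ system accounts.
    case "$1" in
        root|"$SERVICE_ACCOUNT"|_*) return 1 ;;
    esac
    return 0
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-5 from the post, each gated on the validator.
remove_local_user() {
    validate_target_user "$1" || { echo "refusing to remove '$1'" >&2; return 2; }
    run dscl . -delete "/Users/$1" || return 3       # 1) directory record
    if [ -d "/Users/$1" ]; then run rm -rf "/Users/$1"; fi   # 2) home folder
    run jamf removeMdmProfile -verbose                # 3) unmanages MDM for ALL users
    run sleep 10
    run jamf manage -verbose                          # 4) re-manage, profiles reinstalled
    run sleep 10
    run jamf recon                                    # 5) update inventory
}
```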
Posted on 04-15-2016 05:13 AM
@Matt Wow. I'm kinda shocked there isn't a command like you mentioned. Thanks for getting clarification on this. I'll be following this just to see if it changes in the future.
Posted on 04-15-2016 07:02 AM
I've seen this too. If I recall correctly, even a reimage of the client system with a full re-enroll with the JSS does not remove the old MDM users. Perhaps a feature request is in order?
Posted on 04-15-2016 07:06 AM
I may be wrong, especially since I've never actually tried it, but I think it might be possible to remove them using the JSS API. The "MDM capable users" show up in a computer's API record in a specific section. It may be possible to submit new XML for inventory with null values for MDM users to the record, which would remove them from it.
In fact, wasn't this discussed on another thread, now that I'm thinking about it? I seem to recall someone else experimenting with this. I'll be back if I can find that thread.
Posted on 04-15-2016 07:26 AM
Most things I've found are exactly what @Matt has found. The data is there, but no way for us to manipulate it. I've poked around the API and found nothing for that line item.
@gshackney posted a FR to purge the whole thing: Feature Request
@joe.farage also posted here about running the two commands in one line to help clear them.
Posted on 04-15-2016 07:40 AM
Looks like you're right. Just did some quick experiments and it's not possible to remove those accounts from the MDM capable users list, even with the API. Bummer!
JAMF, can you make this an available option, preferably through the GUI? But I think many would settle for being able to do it via the API in a script too. Seems crazy we can't affect that data without effectively removing mdm capability from the device record or re-enrolling it or other similarly drastic measures.
Off to see if there's a feature request already for this and if not, I'm creating one.
Posted on 04-15-2016 10:35 AM
This is a big issue on shared devices, since it can get hundreds of entries and the only way to clean it is to delete the computer from the JSS, which is not ideal.
Gabe Shackney
Princeton Public Schools