Removing Users from a Machine, MDM Capable???

Matt
Valued Contributor

Hey everyone so I am currently using the following to remove AD accounts on machines for termed employees. Not the exact script but you get the idea.

#!/bin/sh

username="$1"                      # local account to remove, passed as the first argument
[ -n "$username" ] || exit 1       # never run the deletes below with an empty name
dscl . -delete "/Users/$username"
sleep 10
rm -rf "/Users/$username"
sleep 10
jamf -recon

Now the JSS shows the account has been removed correctly and when you do a dscl read it shows the account is gone. The problem is "MDM Capable Users" still shows the old user and it won't go away unless you do something that is extremely intrusive.

#!/bin/sh

jamf -removeMdmProfile
sleep 10
jamf -manage
sleep 10
jamf -recon

This can't be by design, can it? It seems like a very intrusive step to simply remove an AD user. Is there another way to get the MDM Capable User removed without having to completely unmanage and remanage the computer?

10 REPLIES

millersc
Valued Contributor

We're using 9.73 and seeing similar results. While it's annoying, it's not a deal breaker. I'd love to know if there is a simple fix.

Matt
Valued Contributor

This is a big deal for us because we have audits, and they simply won't accept the answer of "it's really gone, this is just a false reading". If they see it, we fail.

bpavlov
Honored Contributor

Are you re-imaging the computers when you give them to a new person? If so, and if those are all the commands it takes, then add a script to run on first boot that does jamf removemdmprofile and then jamf mdm to re-enable MDM. Might get interesting results running that under the Temp Adobe Install account that Casper Imaging uses, but worth a try. But yeah, I've also wondered why old MDM users stay behind in a computer's record.

Matt
Valued Contributor

No, basically we are removing tech accounts from people who ignored us (they were told to log in with the service account and not their AD accounts) and users who are no longer with the company. We have extremely strict audits, seeing as we are a global financial institution, and when we have been having said audits our compliance has been called to the forefront based on this issue. Essentially, we as admins know that these users are no longer a threat, but when audit pulls the report and sees "MDM Capable User: Matt" we fail, even though Matt is no longer installed on the box and we can show them through an EA (using DSCL). It's also an annoyance. I spoke to our JAMF Account Manager and he verified that this is currently the only way to manage this situation.

1.) dscl . -delete /Users/matt
2.) rm -rf /Users/Matt or /private/var/Matt
3.) jamf removeMdmProfile -verbose (this is a very risky thing to do IMHO in production so I used verbose)
4.) jamf manage -verbose or I suppose you could use jamf mdm -verbose
5.) jamf -recon

This will:

1.) Remove the computer from the internal directory service
2.) Remove the users home folder
3.) Unmanage all users from MDM, removing Configuration Profiles for all users
4.) Re-Manage MDM for all users on the machine, downloading and installing Configuration Profiles
5.) Update inventory.

What we need is the ability to do something like this:

jamf -removeMdmProfile -username Matt
jamf -removeMdmProfile -userid 503

Or something to that effect which would essentially allow us to unmanage a single user by the local username or UID.
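The five-step procedure above, wrapped in a script with the guards a production version needs: the username is validated before anything is deleted (no empty names, no path characters, no root or system accounts), and every command goes through a dry-run switch so the intrusive MDM cycle can be reviewed before it is run for real. This is an added example, not a script from the thread or from Jamf; it assumes macOS with the jamf binary installed and uses the verb spellings quoted in the thread (removeMdmProfile, manage, recon). The DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: safer wrapper around the remove-user + MDM-cycle procedure.
# Assumes macOS with /usr/bin/dscl and the jamf binary on PATH.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # default is dry run; set DRY_RUN=0 to execute for real

# Accept only plain local account names. Reject empty names, anything with
# path separators or whitespace, hidden/system accounts (leading . or _),
# and the accounts that must never be deleted this way.
valid_username() {
    name="$1"
    [ -n "$name" ] || return 1
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # only safe characters
        .*|_*)             return 1 ;;   # hidden or macOS system accounts
        root|daemon|nobody) return 1 ;;
    esac
    return 0
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2 from the thread: directory record, then home folder.
remove_local_user() {
    name="$1"
    if ! valid_username "$name"; then
        echo "refusing to remove account '$name'" >&2
        return 1
    fi
    run dscl . -delete "/Users/$name"
    run rm -rf "/Users/$name"
}

# Steps 3 to 5: the intrusive MDM cycle the thread says is currently required.
cycle_mdm() {
    run jamf removeMdmProfile -verbose
    run sleep 10
    run jamf manage -verbose
    run sleep 10
    run jamf recon
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <local-username>" >&2; exit 2; }
    remove_local_user "$1"
    cycle_mdm
}

# Only run the procedure when a username is given; sourcing the file with no
# arguments just defines the functions.
[ $# -eq 0 ] || main "$@"
```

Run it as `DRY_RUN=1 sh remove_user.sh matt` first to see exactly what would be executed, then with `DRY_RUN=0` once the output looks right; the validation is what keeps a typo or an empty variable from turning `rm -rf "/Users/$name"` into something much worse.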

millersc
Valued Contributor

@Matt Wow. I'm kinda shocked there isn't a command like you mentioned. Thanks for getting clarification on this. I'll be following this just to see if it changes in the future.

etippett
Contributor II

I've seen this too. If I recall correctly, even a reimage of the client system with a full re-enroll with the JSS does not remove the old MDM users. Perhaps a feature request is in order?

mm2270
Legendary Contributor III

I may be wrong, especially since I've never actually tried it, but I think it might be possible to remove them using the JSS API. The "MDM capable users" show up in a computer's API record in a specific section. It may be possible to submit new XML for inventory with null values for MDM users to the record that will remove them from it.

In fact, wasn't this discussed on another thread, now that I'm thinking about it? I seem to recall someone else experimenting with this. I'll be back if I can find that thread.

millersc
Valued Contributor

Most things I've found are exactly what @Matt has found. The data is there, but no way for us to manipulate it. I've poked around the API and found nothing for that line item.

@gshackney posted a FR to purge the whole thing. Feature Request

@joe.farage also posted here about running the two commands in one line to help clear them.

mm2270
Legendary Contributor III

Looks like you're right. Just did some quick experiments and it's not possible to remove those accounts from the MDM capable users list, even with the API. Bummer!

JAMF, can you make this an available option, preferably through the GUI? But I think many would settle for being able to do it via the API in a script too. Seems crazy we can't affect that data without effectively removing mdm capability from the device record or re-enrolling it or other similarly drastic measures.

Off to see if there's a feature request already for this and if not, I'm creating one.

GabeShack
Valued Contributor III

This is a big issue on shared devices, since it can get hundreds of entries and the only way to clean it is to delete it from the JSS, which is not ideal.

Gabe Shackney
Princeton Public Schools