Posted on 07-17-2019 06:45 AM
Is there a way we can restrict Jamf's removal from macOS by any Admin users?
Is there any smart way to require a key/password to remove a system from Jamf?
Business case: A non-IT Admin user can easily search for how to remove the Jamf framework and MDM profiles, and we can't restrict that from happening with a sudo command. To avoid that, only a specific group of IT people with a pre-set key/password should be able to remove Jamf.
Posted on 07-17-2019 07:51 AM
In my Jamf Admin class we learned that you can deploy a launch daemon to check if the framework had been removed. If it was removed, the LD would re-add the framework and could re-enroll the machine by reinstalling the Jamf enroll package (which would be in a hidden location).
I have not implemented it since none of our users are admin, but I will check my notes later.
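Added example, not part of the thread and not Jamf's own code: a sketch of the check script such a launch daemon could run, reinstalling the enrollment package when the Jamf binary is gone. The package path is a placeholder, the binary path is the usual default, and the function names and `--run` switch are assumptions made for this example.

```shell
#!/bin/bash
# Watchdog intended to be started by a LaunchDaemon (added example).
# Paths are assumptions; override them through the environment.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"        # usual Jamf binary location
ENROLL_PKG="${ENROLL_PKG:-/path/to/hidden/enroll.pkg}"  # placeholder: enrollment package
INSTALLER="${INSTALLER:-/usr/sbin/installer}"           # macOS package installer

# Succeeds only if the Jamf binary exists and is executable.
framework_present() {
    [ -x "$JAMF_BIN" ]
}

# Prints the action to take: ok, reinstall, or missing-pkg.
decide_action() {
    if framework_present; then
        echo "ok"
    elif [ -r "$ENROLL_PKG" ]; then
        echo "reinstall"
    else
        echo "missing-pkg"
    fi
}

# Acts on the decision and logs anything other than the healthy case.
watchdog() {
    case "$(decide_action)" in
        ok)
            return 0 ;;
        reinstall)
            logger -t jamf-watchdog "Jamf binary missing, reinstalling enrollment package"
            "$INSTALLER" -pkg "$ENROLL_PKG" -target / ;;
        missing-pkg)
            logger -t jamf-watchdog "Jamf binary and enrollment package both missing"
            return 2 ;;
    esac
}

# The LaunchDaemon would pass --run; without it the functions are only defined.
if [ "${1:-}" = "--run" ]; then
    watchdog
fi
```

Because a local admin can also unload a LaunchDaemon, this check complements, rather than replaces, removing admin rights from normal users.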
Posted on 07-17-2019 08:18 AM
Thank you, @shaquir. Please share your notes if you find details on that.
Posted on 07-17-2019 08:42 AM
Step 1 - don't make your normal users admins.
Posted on 07-17-2019 02:53 PM
@kavankumar.joshi, Casper Check is great for this.
Posted on 07-18-2019 04:04 AM
Thank you, @JustDeWon.
@rtrouton Always a delight seeing your work.