Help

Restrict "Jamf Removal" by Admin Users

kavankumar_josh
New Contributor III
New Contributor III

Posted on ‎07-17-2019 06:45 AM

Is there a way we can restrict Jamf's removal from macOS by any Admin users?
Any smart way that we need to supply a key/password to remove system from jamf.

Business case: A non-IT Admin user can just search the way to remove jamf Framework and MdmProfiles easily and we can't restrict that happening with a sudo command. To avoid that, a specific group of IT people with a pre-set key/password can only remove Jamf.

0 Kudos
Reply
5 REPLIES 5

shaquir
Contributor III

Posted on ‎07-17-2019 07:51 AM

In my Jamf Admin class we learned that you can deploy a launch a launch daemon to check if the framework had been removed. If it was removed, the LD would readd the framework and could re-enroll the machine by reinstalling the Jamf enroll package (Which would be in a hidden location).
I have not implemented it since none of our users are admin, but I will check my notes later.

Reply

kavankumar_josh
New Contributor III
New Contributor III

Posted on ‎07-17-2019 08:18 AM

Thank you, @shaquir . Please share your notes if you find details on that.

0 Kudos
Reply

Taylor_Armstron
Valued Contributor

Posted on ‎07-17-2019 08:42 AM

Step 1 - don't make your normal users admins.

0 Kudos
Reply

JustDeWon
Contributor III

Posted on ‎07-17-2019 02:53 PM

@kavankumar.joshi , Casper Check is great for this

0 Kudos
Reply

kavankumar_josh
New Contributor III
New Contributor III

Posted on ‎07-18-2019 04:04 AM

Thank you @JustDeWon .

@rtrouton Always a delight seeing your work.

Reply