Restrict "Jamf Removal" by Admin Users

kavankumar_josh
New Contributor III

Is there a way we can restrict Jamf's removal from macOS by any Admin users?
Is there any smart way to require a key/password to remove a system from Jamf?

Business case: A non-IT Admin user can just search for the way to remove the Jamf framework and MDM profiles easily, and we can't restrict that from happening with a sudo command. To avoid that, only a specific group of IT people with a pre-set key/password should be able to remove Jamf.


shaquir
Contributor III

In my Jamf Admin class we learned that you can deploy a launch daemon to check if the framework had been removed. If it was removed, the LD would re-add the framework and could re-enroll the machine by reinstalling the Jamf enroll package (which would be in a hidden location).
I have not implemented it since none of our users are admin, but I will check my notes later.
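A sketch of the check described in the post above, added here as an example and not taken from the thread, from Jamf, or from CasperCheck. It assumes the standard binary location `/usr/local/jamf/bin/jamf` and the `checkJSSConnection` verb; `ENROLL_PKG` is a placeholder path, and `DRY_RUN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: self-heal check intended to be run as root by a LaunchDaemon.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"         # standard Jamf binary path
ENROLL_PKG="${ENROLL_PKG:-/path/to/hidden/enroll.pkg}"   # placeholder, not from the page
DRY_RUN="${DRY_RUN:-0}"                                  # hypothetical: 1 = never install

# Print "ok", "missing" (binary removed) or "unreachable" (server check failed).
jamf_state() {
    if [ ! -x "$JAMF_BIN" ]; then
        echo "missing"
        return
    fi
    if "$JAMF_BIN" checkJSSConnection >/dev/null 2>&1; then
        echo "ok"
    else
        echo "unreachable"
    fi
}

# Map a state to an action. Only a removed framework triggers a reinstall;
# a failed server check is left for the next run so an outage causes no churn.
plan_action() {
    case "$1" in
        ok) echo "none" ;;
        missing)
            if [ -f "$ENROLL_PKG" ]; then echo "reinstall"; else echo "alert"; fi ;;
        *) echo "retry-later" ;;
    esac
}

# Evaluate, log the decision for later review, act, and print the action taken.
remediate() {
    state=$(jamf_state)
    action=$(plan_action "$state")
    logger -t jamf-selfheal "state=$state action=$action" 2>/dev/null || true
    if [ "$action" = "reinstall" ] && [ "$DRY_RUN" != "1" ]; then
        /usr/sbin/installer -pkg "$ENROLL_PKG" -target / >/dev/null
    fi
    echo "$action"
}

# Entry point for the LaunchDaemon: invoke the script with --run.
if [ "${1:-}" = "--run" ]; then
    remediate
fi
```

The `alert` outcome (framework and package both gone) and the logged state changes are worth forwarding to whatever monitoring you already have, since a local admin can remove the daemon and package as easily as the framework.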

kavankumar_josh
New Contributor III

Thank you, @shaquir. Please share your notes if you find details on that.

Taylor_Armstron
Valued Contributor

Step 1 - don't make your normal users admins.

JustDeWon
Contributor III

@kavankumar.joshi, Casper Check is great for this.

kavankumar_josh
New Contributor III

Thank you, @JustDeWon.

@rtrouton Always a delight seeing your work.