script to unenroll / clean a mac

LorealITG
New Contributor

Hello Guys,

i'm writing a script to allow ,our l1 support, unenroll a Mac. this script will do more than a remove framework. But I think everything go too fast. let me explain you: first thing, i grant all the local account (that are not admin) as admin

for user in $(dscl . -list /Users uid | awk '{if ( $2 >= 501 ) print $1}');do /usr/sbin/dseditgroup -o edit -a $user -t user admin echo add $user from admin group done

that part is OK.
then I launch a remove framework:

sudo jamf removeFramework sleep 20

the remove framework works but not the sleep.....

Then, I delete then entry in the Jamf console with the serial number:

serial=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}') curl -k -s -H "Content-Type: application/xml" -u "$5":"$6" "$4"/JSSResource/computers/serialnumber/"$serial" -X DELETE

it work too

as explained everything is almost working: grant user --> OK
removeFramwork --> OK
delete --> OK
but the sleep not, so in the device, it begin to remove the Jamf agent, but all profiles that have been push stay on it.... I think it's because it does not wait to receive the JSS order to remove them????

is there any error in the process?

thanks for your help

16 REPLIES 16

ryan_ball
Valued Contributor

I've made a few changes, just pass the jssUser as parameter 4 and jssPass as parameter 5. No need to pass the URL of the JSS as you can get that from the com.jamfsoftware.jamf.plist on the machine locally. I've not tested this but might help you.

#!/bin/bash

jssURL=$(defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed s'/.$//')
serial=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')

jssUser="$4"
jssPass="$5"

for userName in $(dscl . -list /Users uid | awk '{if ( $2 >= 501 ) print $1}');do

        /usr/sbin/dseditgroup -o edit -a "$userName" -t user admin
        echo "Added $userName to admin group."
done

# Attempt to remove all profiles on the device
echo "Attempting to remove all profiles first..."
for identifier in $(/usr/bin/profiles -L | awk "/attribute/" | awk '{print $4}'); do
    echo "Removing profile: $identifier"
    /usr/bin/profiles -R -p "$identifier"
done

sleep 10

echo "Removing MDM profile..."
/usr/local/jamf/bin/jamf removeMdmProfile

sleep 3

echo "Removing Jamf Framework..."
/usr/local/bin/jamf removeFramework

sleep 20

echo "Removing Mac from Jamf Pro Server..."
if curl -k -s -H "Content-Type: application/xml" -u "$jssUser:$jssPass" "$jssURL/JSSResource/computers/serialnumber/$serial" -X DELETE ; then
    echo "Successfully removed Mac from Jamf Pro Server."
    exit 0
else
    echo "Failed to remove Mac from Jamf Pro Server."
    exit 1
fi

LorealITG
New Contributor
# Attempt to remove all profiles on the device echo "Attempting to remove all profiles first..." for identifier in $(/usr/bin/profiles -L | awk "/attribute/" | awk '{print $4}'); do echo "Removing profile: $identifier" /usr/bin/profiles -R -p "$identifier" done sleep 10 echo "Removing MDM profile..." /usr/local/jamf/bin/jamf removeMdmProfile

I tried that part, and the return is : returned 101 (Profile is not removable)

if I launch

echo "Removing Jamf Framework..." /usr/local/bin/jamf removeFramework

before, will it work?

ryan_ball
Valued Contributor

The above part will remove any profiles it can, but many or all are not removable by anything but Jamf. It does not hurt to keep it in place. In some cases I have installed profiles via pkg, or by other means, and that for loop would take care of those.

If you don't care to see the output, you could change it to this:

# Attempt to remove all profiles on the device
echo "Attempting to remove all profiles first..."
for identifier in $(/usr/bin/profiles -L | awk "/attribute/" | awk '{print $4}'); do
    # echo "Removing profile: $identifier"
    /usr/bin/profiles -R -p "$identifier" 2&> /dev/null
done

jason_bracy
Contributor III

Try using wait instead of sleep, I've found it to be more reliable.

asanchez
New Contributor II

@ryan.ball , by jssUser/pass are you referring to Jamf management account?

mm2270
Legendary Contributor III

@asanchez That is an account with delete computer privileges to use in the API command that removes the device record from the console.

asanchez
New Contributor II

@mm2270 is this an account created in the Jamf console or locally?

mm2270
Legendary Contributor III

@asanchez
In the console. It has to be an account that would have the Jamf Pro privilege set to make changes to or delete computer records. It could be your own jamf admin account for example.

The script itself would have to be run with sudo privileges or as root to do any of this work so there shouldn’t be any need to input a local account name/password into the script itself.

ryan_ball
Valued Contributor

Create a new JSS from the "JSS User Accounts & Groups" section and give that user the computers > delete privilege. It might need something else but that is where I would start.

Then put the username of that user in the parameters section of the policy you are testing with in the first field, the password goes in the second.

You were already doing something similar based on what I see in the following line:

curl -k -s -H "Content-Type: application/xml" -u "$5":"$6" "$4"/JSSResource/computers/serialnumber/"$serial" -X DELETE

However, you don't need to pass the JSS URL with my script.

LorealITG
New Contributor

Hello Guys,

thanks to all for you help, one information: I'm testing the profile on a DEP device. and in the DEP config the option "Allow MDM Profile Removal" is not set. The goal of that script is to be able to delete all the config on a device without wip it.

What I have seen is the 'Jamf removeframework' command is not removing any profile even alone in a terminal.
I thought the remove framework was removing all the configuration. So Probably my script is working with a Non DEP device, i'll try it today. By the Way, Do you wipe all your device when you want to give it to a new user?

ryan_ball
Valued Contributor

removeFramework removes the jamf binary for sure, it might not removed the profiles installed as well.

After running the following command:

jamf help

You will see:

removeFramework      Removes the JAMF Binary and associated files from the computer.

mm2270
Legendary Contributor III

removeFramework in my experience should remove the Jamf MDM Profile, of which any APNS pushed profiles that came from your Jamf server should also be removed at the same time as well. It would not remove any manually installed profiles using, say, the profiles command. Those you would need to remove by using a loop in the script to remove any remaining profiles by their UUIDs.

If you find it's not removing those for some reason, though it really should, you could always run a jamf removeMdmProfile command prior to the removeFramework one. That will remove the Jamf Pro MDM profile and any ones associated with it.

LorealITG
New Contributor

removeFramework does not remove profiles. i can confirm that point. I had more information on that case. there is no possibility by API or script (even with the removeFramework) to remove profiles. The only way to do it are: - wipe the device - clic on Remove MDM Profile through the Jamf Console.

it is a security restriction

chmp1
New Contributor

misread post

boberito
Valued Contributor

@LorealITG that's if they were enrolled and the setting to "Allow MDM removal" is not checked. If that's unchecked, they are permanent.

Allow MDM Removal would only allow admin users to remove the MDM profiles...so if that's a concern then you may be out of luck.

LorealITG
New Contributor

@Boberto : hum good to know that..... that means we may remove that setting.... and like that able to remove profiles....
have to test that by the way there is maybe the possibility to use that : https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/