Unmanaging computers


Hi there,

I am not sure if this is something someone could be interested in, but we had a very big need for it. Long story short, we are leasing our Student/Teacher computers for 36 months. That means after 36 months we need to remove everything from the client regarding the Management Framework, and the JSS needs to be cleaned up for each computer you send back on lease return. It's easy to just start Recovery HD and reinstall the machine. But I love Casper Suite so much that I wanted to get this managed by using Casper Imaging and a special configuration.

So basically what I do is:
- Create a new configuration
- Add the blank OS image (created by AutoDMG)
- and my unmanageDaemon.dmg (incl. Launch Daemon, Script and the FWpassword tool setregproptool)
- Start into my NetBoot Image
- Start the specific configuration
- Restart the machine to loginwindow
- from here launchd starts my Daemon and runs the script
- Script restarts again, and the machine boots into Apple's Setup Assistant

The script does some checks like network connection, removes the EFI password which was set with the very first imaging process, checks if the JAMF REST API is available, pulls the Computer_ID by serial number, deletes the computer from the JSS, removes all MCX as well as profiles, deletes all JAMF related files, and creates a new script which removes the parent script and deletes the daemon.

Maybe this is helpful for anyone here who is working in a similar environment and has the same needs.

Also, I really would appreciate any feedback... maybe there are ways to do things better.

#!/bin/bash
# Author: Fabian Ulmrich
# Bavarian International School e.V.
# Version 1.0
# Removes the whole management framework from the client,
# deletes the EFI password if set and removes
# the computer data from the JSS tables using the JAMF REST API.
# This script runs after imaging to a blank OS 10.9.
# After imaging, it restarts to the loginwindow;
# from there it takes up to 3 minutes until it restarts
# to Apple's Setup Assistant.

# =====Please edit the following variables=====
# Variables need to match your environment
# Note: the API credentials and the EFI password sit here in clear text,
# so use a dedicated API account that may only read and delete computers,
# and keep the DMG that ships this script out of reach of users.
JSSURL="" # Please enter your valid JSS URL (https://my.jss.com:8443)
LOGIN="" # Please enter your valid JSS API username
PASS="" # Please enter your valid JSS API password
OLDEFIPW="" # Please enter your EFI password which needs to be deleted
LOGFILE="" # Please enter your logfile path
MNGTACC="" # Please enter your management account here
WIFINAME="" # Please enter your Wi-Fi (SSID) name here
WIFIPASS="" # Please enter your Wi-Fi password here
# =====

# Refuse to run with unset variables: an empty MNGTACC would turn the
# cleanup "find" further down into a match for every path on the disk.
for VAR in JSSURL LOGIN PASS LOGFILE MNGTACC WIFINAME; do
    if [ -z "${!VAR}" ]; then
        /bin/echo "Variable ${VAR} is not set - aborting" >&2
        exit 1
    fi
done

# Variables which don't need to be changed
SERIALNO=$(/usr/sbin/system_profiler SPHardwareDataType | grep 'Serial Number (system):' | awk -F': ' '{print $2}')
MACHINENAME=$(/usr/sbin/scutil --get ComputerName)
DATE=$(date "+%d.%m.%Y - %H:%M:%S")
# =====Main Script starts here=====

# Lets sleep here for 60 seconds to make sure everything is up
sleep 60

# Creating Log file
/usr/bin/touch "${LOGFILE}"
/bin/echo "" >> "${LOGFILE}"
/bin/echo "" >> "${LOGFILE}"
/bin/echo "${DATE}___Logfile created" >> "${LOGFILE}"

# Checking for Wifi device and setting up connection
# Since we are using Wi-Fi for all our mobile clients
# I am checking if the client is connected to it - if not, connect
# You also could use a profile to connect to Wi-Fi provided through the imaging process
/bin/echo "${DATE}___Connecting to Wi-Fi network" >> "${LOGFILE}"
WIFIDEVICE=$(/usr/sbin/networksetup -listallhardwareports | awk '/^Hardware Port: Wi-Fi/,/^Ethernet Address/' | head -2 | tail -1 | cut -c 9-)
if [ "$(/usr/sbin/networksetup -getairportpower "${WIFIDEVICE}" | awk '{print $4}')" == "On" ]; then
    /usr/sbin/networksetup -setairportnetwork "${WIFIDEVICE}" "${WIFINAME}" "${WIFIPASS}" >> "${LOGFILE}" 2>&1
else
    /bin/echo "Airport is disabled - enable first" >> "${LOGFILE}"
    /usr/sbin/networksetup -setairportpower "${WIFIDEVICE}" on >> "${LOGFILE}" 2>&1
    /usr/sbin/networksetup -setairportnetwork "${WIFIDEVICE}" "${WIFINAME}" "${WIFIPASS}" >> "${LOGFILE}" 2>&1
fi
/bin/echo "${DATE}___Connection to Wi-Fi network established" >> "${LOGFILE}"

# Check if we are connected to the right network
# I am checking for our Wi-Fi network (10.3.x.x), so make sure
# to change this fitting your environment
IPADD=$(/sbin/ifconfig "${WIFIDEVICE}" | grep 'inet ' | tail -1 | awk '{print $2}' | cut -c1-4)
while [ "${IPADD}" != "10.3" ]; do
    /bin/echo "${DATE}___Computer is not connected to network" >> "${LOGFILE}"
    /bin/echo "Sleeping for the next second" >> "${LOGFILE}"
    sleep 1
    IPADD=$(/sbin/ifconfig "${WIFIDEVICE}" | grep 'inet ' | tail -1 | awk '{print $2}' | cut -c1-4)
    if [ "${IPADD}" == "10.3" ]; then
        /bin/echo "${DATE}___Computer is now connected" >> "${LOGFILE}"
    fi
done

# Because we all need some sleep ;)
sleep 10

# Look up the computer in the JSS now that the network is up
# (-k skips TLS certificate verification; drop it if the JSS certificate is trusted)
JSSRESPONSE=$(/usr/bin/curl -sS -k -u "${LOGIN}:${PASS}" -g "${JSSURL}/JSSResource/computers/serialnumber/${SERIALNO}/subset/General" 2>> "${LOGFILE}")
MACHINEGENERAL=$(/bin/echo "${JSSRESPONSE}" | head -1)
MACHINEID=$(/bin/echo "${JSSRESPONSE}" | tr -d '\n' | awk -F "<id>" '{print $2}' | awk -F "</id>" '{print $1}')

# Removing EFI password
# I am using setregproptool which I extracted from the Recovery HD before
# and deployed it with this script and the LaunchDaemon to run this script
# Use the following Options
# -c Check whether Password is set - if set return status is 0, if not it's 1
# -d Deletes the current password - make sure you provide the old password
# -p Sets a new password or changes the old one (needs old password provided)
# -m Specifies security mode "full" or "command"
# -o Old password
/bin/echo "${DATE}___Running script to remove EFI password" >> "${LOGFILE}"
/bin/chmod a+x /Library/JSSScripts/setregproptool
if /Library/JSSScripts/setregproptool -c; then
    /Library/JSSScripts/setregproptool -d -o "${OLDEFIPW}" >> "${LOGFILE}" 2>&1
fi

# Log machine name, serial number and JSS Computer_ID
/bin/echo "${DATE}___Machine name is: ${MACHINENAME}" >> "${LOGFILE}"
/bin/echo "${DATE}___Serial number is: ${SERIALNO}" >> "${LOGFILE}"

# Here we delete the machines JSS SQL tables via JAMF REST API
# (an HTML body means the JSS answered with an error/login page instead of XML)
if [ -z "${MACHINEID}" ] || [ "${MACHINEGENERAL}" == "<html>" ]; then
    /bin/echo "${DATE}___Could not find any Computer_ID for machine ${SERIALNO} - proceeding with Script" >> "${LOGFILE}"
else
    /bin/echo "${DATE}___JSS ID for machine is: ${MACHINEID}" >> "${LOGFILE}"
    /bin/echo "${DATE}___Deleting ${MACHINENAME} with Computer_ID ${MACHINEID} from the JAMF System" >> "${LOGFILE}"
    /usr/bin/curl -sS -k -u "${LOGIN}:${PASS}" -X 'DELETE' "${JSSURL}/JSSResource/computers/id/${MACHINEID}" >> "${LOGFILE}" 2>&1
fi

# The following section removes all MCX, Profiles and the Management Account
# Removes .AppleSetupDone to start into Apple Setup Assistant after restart
/bin/echo "${DATE}___Deleting /var/db/.AppleSetupDone to enable SetupAssistant at Startup" >> "${LOGFILE}"
/bin/rm -Rf /var/db/.AppleSetupDone >> "${LOGFILE}" 2>&1

# Removes all MCX files/folders as well as specific User MCX settings
/bin/echo "${DATE}___Deleting JAMFs Management Account from the OS and related settings" >> "${LOGFILE}"
if [ -e "/Library/Managed Preferences/" ]; then
    /bin/rm -Rf "/Library/Managed Preferences/" >> "${LOGFILE}" 2>&1
fi

# Deletes MCX on computer level (no sudo needed, the LaunchDaemon runs us as root)
/usr/bin/dscl . -list Computers | grep -v "^localhost$" | while read computer_name; do
    /usr/bin/dscl . -delete Computers/"${computer_name}"
done >> "${LOGFILE}" 2>&1

# Deletes MCX on user level
LIST=$(/usr/bin/dscl . -list /Users | grep -v "^_" | grep -v root | grep -v daemon | grep -v nobody)
for i in ${LIST}; do
    /usr/bin/dscl . -delete /Users/"${i}" MCXSettings >> "${LOGFILE}" 2>&1
    /usr/bin/dscl . -delete /Users/"${i}" MCXFlags >> "${LOGFILE}" 2>&1
    /usr/bin/dscl . -delete /Users/"${i}" cached_groups >> "${LOGFILE}" 2>&1
done

# Removes Management Account
/usr/bin/dscl . -delete /Users/"${MNGTACC}" >> "${LOGFILE}" 2>&1

# Removes all profiles on the computer
/bin/echo "${DATE}___Deleting all Computer profiles" >> "${LOGFILE}"
/usr/bin/profiles -Df >> "${LOGFILE}" 2>&1

# Finds all files and folders which have jamf or the name of the Management Account in them
# (-prune: do not descend into a directory we are removing whole anyway)
/bin/echo "${DATE}___Deleting JAMF binary and related files on /" >> "${LOGFILE}"
/usr/bin/find / -fstype local \( -iname "*jamf*" -o -iname "*${MNGTACC}*" \) -prune -exec /bin/rm -Rf {} \; >> "${LOGFILE}" 2>&1

# Sleeping again
sleep 30

# Here we create a whole new script in /tmp to
# remove all Scripts and Daemons we used to run this script
SCRIPT=$(/bin/cat <<'EOF'
#!/bin/bash

sleep 5

# Removing LaunchDaemon and Scripts
/bin/rm -f /Library/LaunchDaemons/com.bis-school.unmanageclients.plist
/bin/rm -f /Library/JSSScripts/unmanageClients.sh
/bin/rm -Rf /Library/JSSScripts/
/bin/rm -Rf "/Library/Application Support/JAMF/"
/bin/rm -Rf "/Applications/Casper Suite/"
/sbin/shutdown -r now
EOF
)

# Writes previous command lines into a new Script
# sets correct permission and runs it
/bin/echo "${SCRIPT}" > /tmp/rmScript.sh
/bin/chmod a+x /tmp/rmScript.sh
/bin/sh /tmp/rmScript.sh > /dev/null 2>&1 &

exit 0

The Launch Daemon looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
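Two steps of the script above depend on input it never checks: the JSS lookup can answer with an HTML login or error page instead of XML (the `"<html>"` test), and the cleanup `find` uses the management account name as a wildcard, which matches every path once that name is empty. The following is an added example written for this page, not the author's script, showing a guarded version of both steps; the function names (`jss_extract_id`, `cleanup_name_ok`, `list_management_paths`) and the sample XML/HTML bodies in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): guards for the JSS id lookup
# and the cleanup "find" of the unmanage script. Names are constructed.

# Pull the numeric computer id out of a JSS ".../subset/General" XML reply.
# Prints the id; returns 1 and prints nothing when the body is an HTML page
# (JSS login/error screen) or carries no <id>, so a caller never sends a
# DELETE to ".../computers/id/" with an empty id.
jss_extract_id() {
    body=$1
    case "$body" in
        *'<html'*|*'<HTML'*) return 1 ;;
    esac
    # the computer's own <id> comes first; the site's <id> follows it
    id=$(printf '%s' "$body" | tr -d '\n' | grep -o '<id>[0-9][0-9]*</id>' | head -1 | tr -dc '0-9')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# The cleanup runs: find / ( -iname "*jamf*" -o -iname "*${MNGTACC}*" ) -exec rm -Rf
# With MNGTACC empty the second pattern becomes "**" and matches every path,
# so only accept a plausible account name before it goes into a pattern.
cleanup_name_ok() {
    name=$1
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#name} -ge 3 ]
}

# Dry run of the cleanup: list what the find pattern would delete under
# "$root" instead of removing it (-prune: matched directories are listed
# once and not descended into, as they would be removed whole anyway).
list_management_paths() {
    root=$1
    acct=$2
    cleanup_name_ok "$acct" || return 1
    find "$root" \( -iname '*jamf*' -o -iname "*${acct}*" \) -prune -print | sort
}
```

Run `list_management_paths / casperadmin` (with your own account name) on a still-managed test machine to review the deletion list before letting the `-exec /bin/rm -Rf` version loose.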