Posted on 10-31-2024 05:49 PM
Hi All,
I just need some assistance with unmanaging Macs through a script which is ran using a policy via Self Service. Our goal is for end-users to run this script themselves to unmanage the device (and lifting all the restrictions) without erasing the device.
We have a mix of MacOS Monterey, Venutra and Sonoma. We have noticed that removeMDMProfile no longer works for MacOS Venutra and higher (I think because of Apple's updated security) but it has been working for MacOS Monterey. This is the script we are using at the moment:
#Remove JAMF
echo "Deleting JAMF..." 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf removeMdmProfile 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf removeFramework 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf -removeFramework 2>>$Result_path 1>>$Result_path
MDM_UUID=$(sudo profiles -Lv | awk '/attribute: name: MDM/,/attribute: profileUUID:/' | awk '/attribute: profileUUID:/ {print $NF}')
if [ -z "$MDM_UUID" ]
then
echo "MDM profile NOT found." 2>>$Result_path 1>>$Result_path
else
echo "MDM profile found. Removing MDM" 2>>$Result_path 1>>$Result_path
sudo profiles -R -p "$MDM_UUID" 2>>$Result_path 1>>$Result_path
fi
At the moment, we have been instructing the users to run the script/policy via Self Service (which removes jamf binaray/framework) and once completed, we send out a remove Remove MDM Profile command to remove the config profiles. However we have 400 computers to do this with so it's very time consuming. Is there a way to make this more seamless without needing us to constantly monitor the progress?
In the past, we also had issues where restrictions are still active on the Mac after running the script or some sort of profile or certificate is preventing the user from making changes to their computer such as connecting to new wifi certificates/profiles.
The MDM Profile on the Macs are also non-removable as it's originally enrolled through DEP and a pre-stage enrolment which restricts users to remove the MDM Profile themselves. So we can't instruct the users to remove the profiles themselves.
Any advice would be greatly appreciated! Thanks!
Posted on 11-01-2024 05:37 AM
I think the only way you can script this is by using Jamf API to tell the Jamf console to remove the MDM profile and baking authentication into the script which is risky.
Generally speaking, you do want to reinstall macOS to make sure everything the MDM installed is actually removed. Removing the MDM framework and MDM profile does not remove installed applications or organizational data.
Posted on 11-01-2024 07:44 AM
HI @AN_M ,
You can check the below script.
https://github.com/kc9wwh/removeJamfProMDM/blob/master/removeMDM.sh
Thanks