
Unmanaging Macs via Script



Hi All,

I just need some assistance with unmanaging Macs through a script which is run using a policy via Self Service. Our goal is for end-users to run this script themselves to unmanage the device (and lift all the restrictions) without erasing the device.

We have a mix of macOS Monterey, Ventura and Sonoma. We have noticed that removeMDMProfile no longer works for macOS Ventura and higher (I think because of Apple's updated security) but it has been working for macOS Monterey. This is the script we are using at the moment:

 

 

```sh
#Remove JAMF
echo "Deleting JAMF..." 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf removeMdmProfile 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf removeFramework 2>>$Result_path 1>>$Result_path
sudo /usr/local/bin/jamf -removeFramework 2>>$Result_path 1>>$Result_path

MDM_UUID=$(sudo profiles -Lv | awk '/attribute: name: MDM/,/attribute: profileUUID:/' | awk '/attribute: profileUUID:/ {print $NF}')
if [ -z "$MDM_UUID" ]
then
    echo "MDM profile NOT found." 2>>$Result_path 1>>$Result_path
else
    echo "MDM profile found. Removing MDM" 2>>$Result_path 1>>$Result_path
    sudo profiles -R -p "$MDM_UUID" 2>>$Result_path 1>>$Result_path
fi
```

 

 

At the moment, we have been instructing the users to run the script/policy via Self Service (which removes the jamf binary/framework) and once completed, we send out a Remove MDM Profile command to remove the config profiles. However, we have 400 computers to do this with, so it's very time-consuming. Is there a way to make this more seamless without needing us to constantly monitor the progress?

In the past, we also had issues where restrictions are still active on the Mac after running the script or some sort of profile or certificate is preventing the user from making changes to their computer such as connecting to new wifi certificates/profiles.

The MDM Profile on the Macs is also non-removable as it's originally enrolled through DEP and a pre-stage enrolment which restricts users from removing the MDM Profile themselves. So we can't instruct the users to remove the profiles themselves.

Any advice would be greatly appreciated! Thanks!
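Added example (not part of the original post and not Jamf's own tooling): a check that could run after the removal steps to confirm whether the MDM profile is gone and which other profiles are still installed, the leftover-restrictions case described above. It parses the same `profiles -Lv` field labels the posted script matches; the function names and sample text are constructed for illustration, and it assumes each profile's name line comes before its profileUUID line.

```shell
#!/bin/sh
# Post-removal verification built on the `profiles -Lv` fields the posted
# script matches. Function names are hypothetical; sample text is constructed.

# Read `profiles -Lv`-style text on stdin; print "UUID<TAB>name" per profile.
# Assumption: each profile's "name:" line precedes its "profileUUID:" line.
list_profiles() {
    awk '
        /attribute: name: /        { sub(/.*attribute: name: /, ""); name = $0 }
        /attribute: profileUUID: / { print $NF "\t" name; name = "" }
    '
}

# Exit 0 if a profile whose name starts with "MDM" is still installed.
mdm_still_present() {
    list_profiles | awk -F '\t' '$2 ~ /^MDM/ { found = 1 } END { exit !found }'
}

# Print the profiles left behind other than the MDM profile itself; these
# are the candidates for restrictions that stay active after unmanaging.
leftover_profiles() {
    list_profiles | awk -F '\t' '$2 !~ /^MDM/'
}

# Constructed sample: state before removal (MDM profile plus a Wi-Fi profile).
SAMPLE_BEFORE='_computerlevel[1] attribute: name: MDM Profile
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-0000-000000000001
_computerlevel[2] attribute: name: Wi-Fi Corp
_computerlevel[2] attribute: profileUUID: 00000000-0000-0000-0000-000000000002'

# Constructed sample: MDM profile removed, Wi-Fi profile left behind.
SAMPLE_AFTER='_computerlevel[1] attribute: name: Wi-Fi Corp
_computerlevel[1] attribute: profileUUID: 00000000-0000-0000-0000-000000000002'

# Demo on the constructed "after" sample. On a Mac the input would instead
# come from the command the posted script already uses: sudo profiles -Lv
if printf '%s\n' "$SAMPLE_AFTER" | mdm_still_present; then
    echo "MDM profile still installed"
else
    echo "MDM profile removed; remaining profiles:"
    printf '%s\n' "$SAMPLE_AFTER" | leftover_profiles
fi
```

Writing the result to the same log the removal script uses gives one place to see which Macs still need attention.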

2 replies

AJPinto
  • November 1, 2024

I think the only way you can script this is by using the Jamf API to tell the Jamf console to remove the MDM profile and baking authentication into the script, which is risky.

 

Generally speaking, you do want to reinstall macOS to make sure everything the MDM installed is actually removed. Removing the MDM framework and MDM profile does not remove installed applications or organizational data.


karthikeyan_mac
  • November 1, 2024

Hi @AN_M,

You can check the below script.

https://github.com/kc9wwh/removeJamfProMDM/blob/master/removeMDM.sh

Thanks

