Saturday
Hi!
Can someone suggest how to set up a custom analytic to get an alarm if a user (yes, they need to have admin rights, sadly) removes the MDM profile?
I had some cases in the last weeks where all profiles went missing, and I do not want to suspect someone falsely.
Thanks!
Sunday
You can also do this; it will most likely work. Based on the YAML content provided by Jamf for Unified Log, go to Custom Analytics > Filter Text View:
$event.subsystem == "com.apple.ManagedClient" AND
$event.eventMessage CONTAINS "Removed configuration profile: MDM Profile" AND
$event.eventMessage CONTAINS "Source: Manual"
https://github.com/jamf/jamfprotect/blob/main/unified_log_filters/mdm_profile_manual_removal.yaml
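To check the filter above against logs exported from a test Mac before relying on the alert, here is an added example (not part of the original post or Jamf's repository). It assumes an export made with `log show --style ndjson`, whose JSON keys `subsystem` and `eventMessage` correspond to the `$event` fields; the sample events are constructed, and only the quoted substrings come from the filter.

```python
import json

# The three conditions from the filter in the post above.
SUBSYSTEM = "com.apple.ManagedClient"
REQUIRED_SUBSTRINGS = (
    "Removed configuration profile: MDM Profile",
    "Source: Manual",
)

def matches(event):
    """True when one unified-log event satisfies all three conditions.
    Comparisons are case-sensitive, like == and CONTAINS without [c]."""
    message = event.get("eventMessage") or ""
    return (event.get("subsystem") == SUBSYSTEM
            and all(s in message for s in REQUIRED_SUBSTRINGS))

def scan(ndjson_text):
    """Parse ndjson log output and return the events the filter would flag."""
    hits = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # blank or non-JSON line
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated export line
        if matches(event):
            hits.append(event)
    return hits

# Constructed sample events (timestamps and message layout are illustrative).
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-01-06 10:15:02", "subsystem": "com.apple.ManagedClient",
     "eventMessage": "Removed configuration profile: MDM Profile (constructed) Source: Manual"},
    {"timestamp": "2024-01-06 10:20:41", "subsystem": "com.apple.ManagedClient",
     "eventMessage": "Removed configuration profile: MDM Profile (constructed) Source: MDM"},
    {"timestamp": "2024-01-06 10:21:13", "subsystem": "com.example.other",
     "eventMessage": "Removed configuration profile: MDM Profile (constructed) Source: Manual"},
    {"timestamp": "2024-01-06 10:22:00", "subsystem": "com.apple.ManagedClient",
     "eventMessage": None},
])

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["timestamp"], hit["eventMessage"])
```

Only the first constructed event is flagged; the other three each fail one of the conditions.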
Sunday
There should not need to be an alert for this. Also, the moment the MDM profile is removed, Jamf Protect loses all of its permissions. I'm not sure if it could reliably report on this event.
My suggestion: ensure you are using Automated Device Enrollment and check the box to disallow removal of the MDM profile. Once you do this, not even an Admin can remove the MDM profile.
Another suggestion is to look into an Endpoint Permissions Tool to handle elevated access situations: remove admin access from users and write policies with the tool to auto-escalate the function they need to perform and nothing else.
yesterday
Yes, but we had problems with profiles from time to time, so IT must be able to remove them manually without deleting the device.
Sunday
Are you looking for a solution other than the built-in "Jamf Pro Binary Modified" analytic, or does it meet your needs?
yesterday
Thanks, but this seems perfect.
https://github.com/jamf/jamfprotect/blob/main/unified_log_filters/mdm_profile_manual_removal.yaml