Posted on 02-28-2024 09:01 PM
Hey all,
I'm looking to offboard a few devices from our JAMF Pro environment completely and would like some clarification. I've run the 'Remove MDM profile' on all devices, and had users run the 'sudo jamf removeFramework' cmd to ensure that there is no underlying Jamf connection remaining. I've also removed JAMF as their connected MDM server in ABM, but noticed that even in Jamf the PC still checks in.
Same with FileVault 2, it is still active and the recovery key remains in JAMF. If I delete the record after these steps, what is expected to still remain on the device (other than service accounts or apps that I haven't removed)? Is there a preferred way to completely remove JAMF from the device?
Posted on 02-29-2024 03:00 AM
Hi,
The steps you described should remove all association. Also delete the entry from JAMF.
Posted on 02-29-2024 05:58 AM
If you're truly off-boarding the devices, make sure you release them in ABM as well. Don't want to donate them or whatever is happening and have the user try to set them up the first time and they get re-enrolled into your Jamf.
Posted on 02-29-2024 06:25 AM
In addition to removing the MDM profile and MDM framework, you need to delete the device in Jamf. However, know this does not remove whatever Jamf did to a device like installed software or stuff configured by scripts. Releasing a device, you really want to wipe it.
Posted on 02-29-2024 11:40 AM
BEFORE YOU DELETE FROM JAMF PRO..... Get the FileVault recovery key from the inventory in case it's needed later.
Posted on 03-05-2024 10:52 AM
Almost sounds like a LaunchDaemon is still running to send that information in. I would run the following command on that machine:
sudo profiles show -type enrollment
If it's still thinking it's in ABM somewhere (regardless of whether you removed it), it would return data with your ABM and JAMF info. If you see this, run the following:
Note: you'll need the computer connected to the internet for this
sudo profiles renew -type enrollment
What this does is reach out to Apple and ask it if this machine is associated with any MDM. It should return no if you got rid of the record. Run the command above to verify again.
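
Added example, not part of any post in this thread: a small offboarding check that looks for leftover Jamf files (including the kind of LaunchDaemon suspected above) and reads the enrollment state. The file locations are commonly seen Jamf install paths and are assumptions here, as is the use of `profiles status -type enrollment` and its "Enrolled via DEP:" / "MDM enrollment:" output lines; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-offboarding check for a Mac removed from Jamf Pro.
# Paths below are commonly seen Jamf locations (assumed, not from the thread).

# jamf_remnants [ROOT]: print leftover Jamf files under ROOT (default: /).
# Returns 0 when nothing is found, 1 when at least one remnant exists.
jamf_remnants() {
    root="${1:-}"
    found=0
    for p in "/usr/local/jamf/bin/jamf" "/usr/local/bin/jamf" \
             "/Library/Application Support/JAMF"; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "remnant: $p"
            found=1
        fi
    done
    # LaunchDaemons/LaunchAgents are what keep a removed client checking in.
    for f in "$root"/Library/LaunchDaemons/com.jamf* \
             "$root"/Library/LaunchAgents/com.jamf*; do
        if [ -e "$f" ]; then          # unmatched globs stay literal and fail -e
            echo "remnant: ${f#"$root"}"
            found=1
        fi
    done
    return "$found"
}

# enrollment_clear: reads `profiles status -type enrollment` output on stdin.
# Returns 0 only if both the DEP and MDM lines say "No"; missing lines fail.
enrollment_clear() {
    awk -F': ' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END { exit !(dep == "No" && mdm == "No") }'
}

# Only touch the live system when actually run on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    if jamf_remnants ""; then echo "files: clean"; fi
    if profiles status -type enrollment | enrollment_clear; then
        echo "enrollment: clear"
    else
        echo "enrollment: still enrolled or DEP-assigned"
    fi
fi
```

A clean result here says nothing about software or settings that policies and scripts installed, and the FileVault recovery key is unaffected by any of these checks.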