How to fully remove JAMF Pro from devices without wiping?

jazza1756
New Contributor

Hey all,

I'm looking to offboard a few devices from our JAMF Pro environment completely and would like some clarification. I've run the 'Remove MDM profile' on all devices, and had users run the 'sudo jamf removeFramework' cmd to ensure that there is no underlying Jamf connection remaining. I've also removed JAMF as their connected MDM server in ABM, but noticed that even in Jamf the PC still checks in.

Same with FileVault 2: it is still active and the recovery key remains in JAMF. If I delete the record after these steps, what is expected to still remain on the device (other than service accounts or apps that I haven't removed)? Is there a preferred way to completely remove JAMF from the device?


sayr01
Contributor

Hi,

The steps you described should remove all association. Also delete the entry from JAMF.

easyedc
Valued Contributor II

If you're truly off-boarding the devices, make sure you release them in ABM as well.  Don't want to donate them or whatever is happening and have the user try to set them up the first time and they get re-enrolled into your Jamf.

AJPinto
Honored Contributor III

In addition to removing the MDM profile and MDM framework, you need to delete the device in Jamf. However, know this does not remove whatever Jamf did to a device like installed software or stuff configured by scripts. Releasing a device, you really want to wipe it.

howie_isaacks
Valued Contributor II

BEFORE YOU DELETE FROM JAMF PRO..... Get the FileVault recovery key from the inventory in case it's needed later.

roiegat
Contributor III

Almost sounds like a LaunchDaemon is still running to send that information in. I would run the following command on that machine:

sudo profiles show -type enrollment

If it's still thinking it's in ABM somewhere (regardless of whether you removed it), it would return data with your ABM and JAMF info. If you see this, run the following:

Note: you'll need the computer connected to the internet for this

sudo profiles renew -type enrollment

What this does is reach out to Apple and ask it if this machine is associated with any MDM. It should return no if you got rid of the record. Run the command above to verify again.
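
A residue check covering the leftovers raised in this thread (MDM enrollment, Jamf framework files and LaunchDaemons, FileVault still on), as an added example that is not from any of the posters. Assumptions: the default Jamf install paths listed in the code, and the usual output formats of `profiles status -type enrollment` and `fdesetup status`; the parsing functions take command output as text so they can be checked against saved output.

```shell
#!/bin/sh
# Added example: post-offboarding residue check for a Mac removed from Jamf Pro.
# Assumed, not taken from the thread: default Jamf paths and the output
# formats of `profiles status -type enrollment` and `fdesetup status`.

# mdm_residue TEXT: print one finding per line from `profiles status` output.
mdm_residue() {
    printf '%s\n' "$1" | awk '
        /^Enrolled via DEP: *Yes/ { print "device reports DEP enrollment" }
        /^MDM enrollment: *Yes/   { print "MDM profile still installed" }
        /^MDM server:/ { sub(/^MDM server: */, ""); print "MDM server: " $0 }'
}

# framework_residue ROOT: list Jamf files left under ROOT ("" = live system).
framework_residue() {
    root=$1
    for p in "$root/usr/local/bin/jamf" "$root/usr/local/jamf" \
             "$root"/Library/LaunchDaemons/com.jamfsoftware.*.plist \
             "$root/Library/Application Support/JAMF"; do
        # An unmatched glob stays literal and simply fails the -e test.
        [ -e "$p" ] && printf 'leftover: %s\n' "${p#"$root"}"
    done
    return 0
}

# filevault_on TEXT: succeed if `fdesetup status` output says FileVault is on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Live check: only on macOS, and only when invoked with --run.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
    mdm_residue "$(profiles status -type enrollment 2>&1)"
    framework_residue ""
    if filevault_on "$(fdesetup status 2>&1)"; then
        echo "FileVault is on: save the recovery key before deleting the Jamf record"
    fi
fi
```

No output from `--run` means none of the checked items were found; anything installed or configured by Jamf policies and scripts is outside what this looks at.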