
Removing Jamf Components from Computers

To remove all Jamf-related components from computers that have been managed by the JSS, execute the following command for the appropriate version of the Casper Suite:

For v9.8 or later:

/usr/local/bin/jamf removeFramework

For v9.73 or earlier:

/usr/sbin/jamf removeFramework

Note: This command also removes all package sources created with Composer.

See Components Installed on Managed Computers for more details on the files removed with this command.

SOLVED Posted: by rowanquigley

For those wondering, 'sudo jamf -removeFramework' can also be used.

SOLVED Posted: by mdonovan

Is there a way to prevent removal of Casper?

Or to require root access to remove it?

SOLVED Posted: by ernstcs

The only real way is to not give users administrative rights and user training not to.

There are quite a few fancy ways to ensure it continues to be on there, but it essentially requires two different systems watching out for each other. I believe it was Facebook that had another service running that checked for JAMF's presence and when it was not there reinstalled it (and reported to admins this). And then JAMF watched for the other service, which I believe was for log aggregation. That was last year so my mind is fuzzy.

There are likely some additional creative ways to do it. You could have your own scheduled item checking for the existence of the needed files. If they aren't there then scripts reinstall the JAMF components with either a quickadd package you keep stashed somewhere or some other means.

SOLVED Posted: by donmontalvo

@ernstcs Words to live by...

"is to not give users administrative rights"

Once a user has admin rights, all bets are off. Not just in terms of JSS, but any/every other security/accountability/liability mitigation is tossed out the window.

Don

SOLVED Posted: by Eigger

One of our teachers learned this command, removed himself from the JSS and became unmanaged. Mr. Montalvo is right! But I think the other way of preventing a user from removing him/herself from Casper is to take down this very KB and any traces of it on the internet! Have a Casper Admin contact a JSS Rep! Make this KB available only by request.

SOLVED Posted: by talkingmoose

The knowledge is already out there. Taking down the KB won't do any good; all it takes is for one person to learn and republish it somewhere else to get it out there again.

The problem is not the knowledge. The problem is human, whether lack of communication on the admin's part or dismissal of authority on the user's part.

SOLVED Posted: by jcompton

Too many admins on this thread missing the point completely - your goal as a JSS admin should be that your users would NEVER want to run that command, because they would miss out on too much good stuff.

Chances are - if you have a lot of people running "jamf removeFramework" - the user experience is probably not that stellar. Make it stellar. And you will have nothing to worry about.

I'm sure some environments (schools especially) are exceptions to this - b/c kids are kids. But in a corporate environment where you have thousands of users that truly "need" admin rights to do their jobs - you want to entice users in. Not scare them away.

SOLVED Posted: by mostlikelee

@jcompton thumbs up

All being said, some admins are running a launchdaemon watching for existence of the jamf binary. If it doesn't exist, it runs a staged quickadd package.

SOLVED Posted: by jcompton

That works too. Vast majority of my users would figure that out though.

I've heard of all kinds of clever things - like all of your corporate install packages have a quick add embedded in the package. Or - the "right" way to do this - a configuration profile with a device certificate payload that gives the user access to WiFi networks, VPN, etc.

If they remove the jamf framework - MDM gets killed, profile gets killed, and the user has no access to WiFi and VPN.

SOLVED Posted: by Eigger

I wasn't really serious when I asked for the KB to be taken down. Heck, Google will give you pretty much everything you need to look for a workaround. And we all know the saying "You cannot please everybody", so giving a "Stellar" user experience is something I dreamed of myself. It's just that some people don't like the idea of being managed; they are so paranoid they think they are being watched!

Anyways, creating a "Files and Processes" Policy is something I am looking at. I want something simple with no coding involved. I think the Policy can look for the "Terminal" process and kill it if found. We have a Local Admin account on our images and we can log in on them if we need to use the console; we can also ssh in to the machines to run a command. We can target the Policy to all managed clients.

SOLVED Posted: by Chris_Hafner

@hanna.kaiser is the command /usr/local/jamf removeFramework or /usr/local/bin/jamf removeFramework?

SOLVED Posted: by deadlift

This was super helpful. I was just poking around Activity Monitor on an unmanaged personal Mac and saw jamf running. It must have picked up the software from a backup from another system I had. Whoops. I wonder -what- it was actually able to do, as I'm fairly sure that Casper instance would have been behind a VPN. Just sitting there running for no reason, probably.

Thanks

SOLVED Posted: by el2493

I know this is an old post, but could you in theory prevent users with Admin rights from doing this by adding Terminal to the list of restricted software so that users can't ever open it to run the remove command? We have a situation where a computer needs to be added to JAMF but then a user is going to be taking it outside of our network and it won't be regularly checking in. I know restricting Terminal would make troubleshooting much more difficult, I just wasn't sure if it could also potentially break some normal behavior of the OS.

SOLVED Posted: by talkingmoose

When you're an admin, you can do anything if you can find out how.

I'd work around this by simply downloading another application like iTerm and removing the framework that way.

Treat this as a people issue not a technical issue. Communicate your expectations with them.

SOLVED Posted: by kneitzel

As talkingmoose said: An admin can do whatever he likes and I fully agree that this is a people issue.

You could make it harder of course. One idea could be to:
a) Create a quickadd package with recon and distribute it to all computers. (Maybe protect the file with attributes so that a user cannot delete it. Hide it with a leading dot. Stuff like that.)
b) Simply create a new launchdaemon which monitors the jamf binary (1).
c) Create a script that is called by the launchdaemon from b) and that checks if jamf is still there (might be triggered by an update process or so) and, if it is missing, installs the quickadd package from a) (-> Reenrolls the system!)

But that just makes it harder and does not prohibit the user from removing jamf. And it is just a solution in case someone accidentally removed the framework. In my eyes it is not really worth the effort.

The core problem is really the person who is admin on the system. He is responsible for the system and if he breaks it, then he must be claimed. You cannot make sure that the user is not breaking the system.

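The watchdog idea several posters describe (a launchdaemon-run script that checks for the jamf binary and, if it is missing, installs a staged QuickAdd package), as an added example that is not part of any post and not Jamf's own code. The binary paths come from the KB article above; the package location, the `--enforce` argument and the function names are assumptions.

```shell
#!/bin/sh
# Watchdog sketch: re-enroll a Mac whose jamf binary has been removed.
# Assumed names (not from the thread): QUICKADD_PKG, INSTALL_CMD, --enforce.

# Binary locations listed in the KB article (v9.8+ and v9.73 or earlier).
JAMF_PATHS="/usr/local/bin/jamf /usr/sbin/jamf"
# Hypothetical location of the staged QuickAdd package.
QUICKADD_PKG="${QUICKADD_PKG:-/Library/Management/QuickAdd.pkg}"
# Package installer; overridable so the logic can be exercised off-device.
INSTALL_CMD="${INSTALL_CMD:-/usr/sbin/installer}"

# jamf_present ROOT -> 0 if an executable jamf binary exists under ROOT.
jamf_present() {
    root="${1%/}"
    for p in $JAMF_PATHS; do
        [ -x "$root$p" ] && return 0
    done
    return 1
}

# ensure_jamf ROOT -> prints present | reinstalled | no-package | install-failed
ensure_jamf() {
    root="${1%/}"
    if jamf_present "$root"; then
        echo present; return 0
    fi
    pkg="$root$QUICKADD_PKG"
    if [ ! -f "$pkg" ]; then
        echo no-package; return 2      # nothing staged: can only report
    fi
    if "$INSTALL_CMD" -pkg "$pkg" -target "${root:-/}" >/dev/null 2>&1; then
        echo reinstalled; return 0
    fi
    echo install-failed; return 3
}

# Only act on the live system when explicitly asked to (as root, from launchd).
if [ "${1:-}" = "--enforce" ]; then
    result=$(ensure_jamf /)
    # Log every outcome so a removal is visible to admins, not just repaired.
    logger -t jamf-watchdog "jamf framework check: $result"
fi
```

As the posters point out, this only raises the bar for a user with admin rights; the log entry is what tells you a removal happened at all.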
SOLVED Posted: by RyanMav28

I connected to an open Wi-Fi while setting up my MacBook and I noticed I wasn't admin and have no rights or privileges. There is something called jamf; I want this removed. Is there any way to remove all of this ASAP?
