Complying with GDPR Requests in Jamf Pro

Overview

Jamf is committed to complying with the EU General Data Protection Regulation (GDPR) and helping our customers comply with "right of access" and "right to be forgotten" requests related to GDPR. This article provides information about the remediation process that Jamf Pro customers can use in their environments if they receive GDPR-related requests from end users.

Requirements

  • Jamf Pro 10.4.1 or later
  • Jamf Pro user account with the administrator privilege set and full Jamf Pro access

Procedure

The following procedure includes steps to delete personal data collected by default and stored in the Jamf Pro database. For information on the personal data that is deleted and the database tables affected, see the GDPR Compliance Reference for Jamf Pro Knowledge Base article.

  1. Log in to Jamf Pro.
  2. Click Users at the top of the page and perform a simple or advanced search for the applicable user inventory record.
    Note: If your environment is integrated with Apple School Manager, user information may be displayed in the Roster category. This user information is deleted from Jamf Pro when it is removed from Apple School Manager.

  3. If the user is assigned to any computers, they will be listed in the Computers category in the user's inventory information. To delete a computer, click the computer name to view its inventory information, click Delete at the bottom of the pane, and then click Delete again to confirm. Repeat as necessary to delete all computers that the user is assigned to.

  4. Perform a user search again to return to the applicable user inventory record.
  5. If the user is assigned to any mobile devices, they will be listed in the Mobile Devices category in the user's inventory information. To delete a mobile device, click the device name to view its inventory information, click Delete at the bottom of the pane, and then click Delete again to confirm. Repeat as necessary to delete all mobile devices that the user is assigned to.
  6. Perform a user search again to return to the applicable user inventory record.
  7. After all assigned computers and mobile devices have been deleted for the user, the user record must be deleted from Jamf Pro. To delete the user record, while viewing the user's inventory record, click Delete at the bottom of the pane, and then click Delete again to confirm.
    Note: If the user is assigned to other items in Jamf Pro, a list of dependencies is displayed. You will need to update the listed items to remediate the dependencies before the user can be deleted. For example, if VPP content has been assigned to the user, you will need to remove the user from the scope of the assignment. The user cannot be deleted from Jamf Pro until all dependencies have been removed.

  8. Review your organization's log flushing policies to ensure that logs are scheduled to be flushed within a timeframe that meets GDPR requirements. To access Log Flushing settings in Jamf Pro, navigate to Settings > System Settings > Log Flushing.

For related information, see the following sections in the Jamf Pro Administrator's Guide:

In addition, see the following Knowledge Base article: Data and Tables Affected by Log Flushing.

Other Considerations

Custom Data Collection

The above procedure deletes personal data collected by default in Jamf Pro (see GDPR Compliance Reference for Jamf Pro for more information). It does not address custom configurations you may have in place to collect data outside of the default collection. For example, some organizations may choose to create user-based smart groups, scope configurations, extension attributes, or custom scripts, or may have previously uploaded VPP codes for a user from a VPP code spreadsheet.

If you have configured these types of custom settings that use or collect personal data, you will need to identify those settings and update them to ensure that personal data is deleted. If you have questions or need assistance, contact your Jamf account representative.

Database Backups

Consider the following when reviewing organizational policies for database backups and retention:

  • Personal data in production instances will be removed when the data controller (i.e., customer) completes the steps necessary for deletion.
  • Personal data may reside in backups that must be retained for contractual, legal, or compliance reasons.
  • Where a request to be forgotten has been completed, personal data on backups may be restored to production; however, the data controller should take steps to honor the initial request and erase the data from production again.

In addition to the above considerations, review organizational policies to ensure the following:

  • Retention rules are in place to ensure data in backups is retained only as long as necessary before being automatically deleted.
  • Technical controls have been implemented to ensure adequate protection over backups.
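
One way to act on the restore consideration above, shown as an added example that is not part of the Jamf article or Jamf's own tooling: keep a ledger of completed erasure requests as keyed hashes, and after a backup restore compare it with the user records that are back in production. The key, the field names, the request reference and the sample records are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a secret kept outside the Jamf Pro database and its backups,
# so a restored backup alone cannot be used to reverse the ledger entries.
LEDGER_KEY = b"constructed-example-key"


def pseudonym(identifier: str, key: bytes = LEDGER_KEY) -> str:
    """Keyed hash of a normalized username or email address."""
    normalized = identifier.strip().casefold().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def record_erasure(ledger: dict, identifiers, request_ref: str) -> None:
    """Store only keyed hashes of every identifier the erased user had."""
    for ident in identifiers:
        ledger[pseudonym(ident)] = request_ref


def users_to_erase_again(ledger: dict, restored_users) -> list:
    """Return (user id, request ref) for restored records found in the ledger.

    restored_users: dicts with 'id', 'username' and 'email', exported from
    production after the restore (hypothetical field names).
    """
    hits = []
    for user in restored_users:
        for field in ("username", "email"):
            value = user.get(field)
            ref = ledger.get(pseudonym(value)) if value else None
            if ref is not None:
                hits.append((user["id"], ref))
                break  # one matching identifier is enough to flag the record
    return sorted(hits)


# Constructed sample data: one erasure completed, then a backup restored.
ledger = {}
record_erasure(ledger, ["a.lovelace", "A.Lovelace@example.com "], "REQ-0001")

RESTORED = [
    {"id": 12, "username": "A.Lovelace", "email": "ada@example.org"},
    {"id": 13, "username": "g.hopper", "email": "g.hopper@example.com"},
    {"id": 14, "username": "", "email": "a.lovelace@example.com"},
]

if __name__ == "__main__":
    for user_id, ref in users_to_erase_again(ledger, RESTORED):
        print(f"user record {user_id}: erase again (request {ref})")
```

Each flagged record then goes back through the deletion procedure above. The ledger has to be stored separately from the backups it is meant to check.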

Additional Information

For information on Jamf's commitment to privacy and complying with the GDPR, see jamf.com/privacy. For more information on the GDPR, see EUGDPR.org.

For a video walkthrough of this process, see the Complying with GDPR Requests in Jamf Pro Knowledge Base Video.

SOLVED Posted: by rkoskovich

This procedure does not cover "GDPR Requests" -- it covers requests for data subject deletion. Separately, we need guidance on Subject Access Requests, such that we can show what data is present for a user. The other FAQ page lists tables that may contain data, but not guidance on how to provide a comprehensive report to the data subject that shows all of their information in those tables.

SOLVED Posted: by joe.bloom

Hello @rkoskovich,

We have just published a blog with links to sample scripts on GitHub related to GDPR "Right of Access." The Blog article is here.

I hope you find it helpful, as well as the script in GitHub. "The script is designed to get all relevant data from the API endpoints that contain a user's personal information." As this is scripted, it allows for more customization for capturing unique information.
