Jamf is committed to complying with the EU General Data Protection Regulation (GDPR) and helping our customers comply with "right of access" and "right to be forgotten" requests related to GDPR. This article provides information about the remediation process that Jamf Pro customers can use in their environments if they receive GDPR-related requests from end users.
The following procedure includes steps to delete personal data collected by default and stored in the Jamf Pro database. For information on the personal data that is deleted and the database tables affected, see the GDPR Compliance Reference for Jamf Pro Knowledge Base article.
Click Users at the top of the page and perform a simple or advanced search for the applicable user inventory record.
If the user is assigned to any computers, they will be listed in the Computers category in the user's inventory information. To delete a computer, click the computer name to view its inventory information, click Delete at the bottom of the pane, and then click Delete again to confirm. Repeat as necessary to delete all computers that the user is assigned to.
After all assigned computers and mobile devices have been deleted for the user, the user record must be deleted from Jamf Pro. To delete the user record: While viewing the user’s inventory record, click Delete at the bottom of the pane, and then click Delete again to confirm.
Review your organization's log flushing policies to ensure that logs are scheduled to be flushed within a timeframe that meets GDPR requirements. To access Log Flushing settings in Jamf Pro, navigate to Settings > System Settings > Log Flushing.
For related information, see the following sections in the Jamf Pro Administrator's Guide:
In addition, see the following Knowledge Base article: Data and Tables Affected by Log Flushing.
The above procedure deletes personal data collected by default in Jamf Pro (see GDPR Compliance Reference for Jamf Pro for more information). It does not address custom configurations you may have in place to collect data outside of the default collection. For example, some organizations may choose to create user-based smart groups, scope configurations, extension attributes, or custom scripts, or may have previously uploaded VPP codes for a user from a VPP code spreadsheet.
If you have configured these types of custom settings that use or collect personal data, you will need to identify those settings and update them to ensure that personal data is deleted. If you have questions or need assistance, contact your Jamf account representative.
Consider the following when reviewing organizational policies for database backups and retention:
In addition to the above considerations, review organizational policies to ensure the following:
For a video walkthrough of this process, see the Complying with GDPR Requests in Jamf Pro Knowledge Base Video.