Jamf Nation Community

dmitchell · ‎02-07-2018

Today I noticed that I can send a command from the JSS to remove local user accounts on Macs. It doesn't show up on all. I am trying to figure out the criteria to see this. I thought it may be High Sierra, some of my High Sierra Macs show this option, some do not so it doesn't seem like a versioning issue. Most of these Macs should have the same configs and policies. I am just trying to figure out if this is a new feature or maybe I turned something on and didn't realize it.

Sichas · ‎02-07-2018

I think I can help here! Here's the list of pre-reqs to manage Local User Accounts:

DEP enrolled macOS 10.13 or higher
Jamf Pro configured to use MDM
"Enable push notifications" Security Setting enabled
"Collect local user accounts" Computer Inventory Collection enabled

View solution in original post

Sichas · ‎02-07-2018

I think I can help here! Here's the list of pre-reqs to manage Local User Accounts:

DEP enrolled macOS 10.13 or higher
Jamf Pro configured to use MDM
"Enable push notifications" Security Setting enabled
"Collect local user accounts" Computer Inventory Collection enabled

dmitchell · ‎02-07-2018

@iMatthewCM It must be the DEP enrolled macOS 10.13 or higher. Some of the Macs with 10.13 were enrolled before we started using DEP. The ones that have the feature enabled were enrolled and setup with DEP. Thanks!

easyedc · ‎02-08-2018

@dmitchell What exactly are you trying to accomplish? There's verb with the JAMF Binary that can do this regardless of being DEP provisioned or not.

jamf help deleteaccount
Usage:   jamf deleteAccount -username <username> [-backupTo </path/to/dmg>] [-deleteHomeDirectory]
     -username       Deletes the user's account
     -backupTo       The .dmg file of the user's home directory
                 If the home directory is not specified, the default will be 
                 '/Users/Deleted Users/<user name>.dmg'.
     -deleteHomeDirectory    Do not archive the user's home directory

dmitchell · ‎02-08-2018

@easyedc I wasn't trying to do anything, I just noticed that the profiles could be removed from the JSS for some Macs and was trying to figure out why. Thanks for the script though!

lkrasno · ‎02-08-2018

@iMatthewCM could you bring previously enrolled Mac's into DEP, or would they have to be initially DEP enrolled to allow this?

Sichas · ‎02-08-2018

@lkrasno The device would have to be enrolled through DEP. So if it was added via QuickAdd, but it COULD be enrolled via DEP (i.e., it's showing up as a scope-able object in PreStage) then you'd want to wipe that device, enroll through DEP, and then you should be able to manage that stuff from the GUI in Jamf Pro. As @easyedc pointed out, a lot of that stuff can be scripted, but, there's certainly value to being able to just click on stuff in the GUI :) Your mileage may vary on whether or not it'd be worth it to wipe machines and re-enroll through DEP to enable this functionality.

easyedc · ‎02-08-2018

@lkrasno If you're trying to post-QuickAdd a DEP'able Mac, you may try a few things that have worked for others.

sudo /usr/libexec/mdmclient dep nag
sudo profiles renew -type enrollment
sudo profiles -t N

Various commands may work without wiping it. There's a few threads on this very topic.

macOS 10.13 seems to like

sudo profiles renew -type enrollment

for me.

lkrasno · ‎02-08-2018

thank you both @easyedc @iMatthewCM

we're not yet DEP, just info gathering atm, good to know =)

jdye · ‎02-08-2018

@iMatthewCM Any idea why DEP enrollment is necessary to making this work? That seems like a strange requirement to me.

Sichas · ‎02-09-2018

@jdye No idea, figure it must be an Apple thing - plenty of MDM functions are exclusive to DEP on macOS, like the management command to update the software. I'd imagine we'll see even more stuff like this with UAMDM as well.

Jamf Nation Community

Managing local user accounts from the JSS.