Unenrolling a Mac from your Casper Suite JSS
We have two JSS’s, one for Development/Testing and one for Production. We want to be able to swap our test Macs back & forth as needed. Unfortunately, JAMF doesn’t provide an “unenroll” switch for the jamf command line tool. You can “removeFramework” but that deletes everything JAMF-related from the workstation so you cannot enroll programmatically and are stuck obtaining a new QuickAdd package and running from the GUI. So I wrote a script to get around that.
There are only two files you need to preserve prior to removing the JAMF framework so that you can re-enroll later:
Once those are saved, you’re good to roll. Here is the script:
#!/bin/sh # January 17, 2014, Kurt Tappe # This script will swap JSS' # Set server addresses prod="https://your.server.here:8443/" dev="https://your.otherserver.here:8443/" # Which JSS are we running from? jss=`/usr/sbin/jamf checkJSSConnection | grep https | cut -d "/" -f3` if [ "$jss" = "" ]; then echo "Error: JSS could not be determined. You may need to first enroll this Mac in a JSS using QuickAdd." exit elif [ "$jss" = "your.server.here:8443" ]; then echo "Currently connected to $jss. Switching to Dev..." newjss=$dev else echo "Currently connected to $jss. Switching to Prod..." newjss=$prod fi # Preserve prefs & binary cp /Library/Preferences/com.jamfsoftware.jamf.plist /Library/Preferences/com.jamfsoftware.jamf.backup cp /usr/sbin/jamf /usr/sbin/jamfbackup # Disconnect echo "Removing framework..." /usr/sbin/jamf removeFramework sleep 5 # Restore old prefs and modify them with the new JSS URL echo "Restoring prefs & enrolling..." cp /Library/Preferences/com.jamfsoftware.jamf.backup /Library/Preferences/com.jamfsoftware.jamf.plist cp /usr/sbin/jamfbackup /usr/sbin/jamf defaults write /Library/Preferences/com.jamfsoftware.jamf allowInvalidCertificate -boolean true defaults write /Library/Preferences/com.jamfsoftware.jamf jss_url -string $newjss defaults delete /Library/Preferences/com.jamfsoftware.jamf last_management_framework_change_id # Reconnect /usr/sbin/jamf enroll -noRecon
One thing required for this to work is for you to not be forcing the use of certificates. Yes, we use them, but for ease of management we don’t require them for enrollment, so that we can do things like run these scripts.
Hope this helps,