Remote Commands for Computers

The remote commands available in Jamf Pro allow you to remotely perform tasks on computers.

You can send a remote command to a single computer. Some commands can also be sent to multiple computers at once using mass actions. For more information, see Mass Actions for Computers.

Note: The remote commands available for a particular computer vary depending on the computer's OS version. For more information, see Computer Management Capabilities.

The following table describes the remote commands that you can send from Jamf Pro:

Remote Command

Description

Available as a Mass Action

Requirements

Lock Computer

Logs the user out of the computer, restarts the computer, and then locks the computer

(Optional) Displays a message on the computer when it locks

To unlock the computer, the user must enter the passcode that you specified when you sent the Lock Computer command.

Note: On computers with Apple silicon (i.e., M1 chip) with macOS 11.4 or earlier, the passcode configured in the "Lock computer" command is not set. The computer reboots to the Activation screen in macOS Recovery with the options to restart, shutdown, activate, or erase the computer. To activate the computer, the user must authenticate with an administrator account that has a SecureToken. If there are no administrators with a SecureToken, activation cannot complete and the computer must be erased. This activation step requires an internet connection.

images/download/thumbnails/85396285/checkmark.png

--

Remove MDM Profile

Removes the MDM profile from the computer, along with any configuration profiles that were distributed with Jamf Pro

If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer.

Note: Removing the MDM profile from a computer does not remove the computer from Jamf Pro or change its inventory information.

 

--

Renew MDM Profile

Renews the MDM profile on the computer, along with the device identity certificate. The device identity certificate has a default expiration period of two years.

Note: The Renew MDM Profile remote command is automatically issued when the built-in CA is renewed. The MDM profile will be renewed during the next computer check-in. For more information, see "Renewing the Built-in CA" in PKI Certificates.

images/download/thumbnails/85396285/checkmark.png

--

Wipe Computer

Permanently erases all the data on the computer, and sets a passcode when required by the computer hardware type.

Note: When the Wipe Computer command is sent to a computer with macOS 10.15 or later with an Apple T2 Security Chip, or a computer with Apple silicon (i.e., M1 chip), the computer will be erased and no passcode will be set.

Before macOS can be reinstalled, the user must enter the passcode that was specified with the Wipe Computer command, if required. The passcode is saved in the computer's Management Command history for reference.

To reinstall macOS, methods may vary depending on the hardware types. For detailed information, see the following articles from Apple's support website:

Note: Wiping a computer does not remove the computer from Jamf Pro or change its inventory information. After the command is acknowledged by the computer, the computer will report in the inventory as unmanaged.

 

--

Send Blank Push

Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs)

 

--

 

Download/Download
and Install Updates

Updates the OS version and built-in apps on the computer

You can choose to download the update for users to install, or to download and install the update and restart computers after installation.

Notes:

  • When sending the command via a mass action, the Update OS version and built-in apps option must be selected.

  • On computers with Apple silicon (i.e., M1 chip), users may be prompted to authenticate before an update can be installed.

images/download/thumbnails/85396285/checkmark.png

macOS 10.11 or later

Supervised or enrolled via a PreStage enrollment

Note: To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro.

For more information about how Jamf Pro manages software updates, see Managing software updates for Apple devices in Apple's Mobile Device Management Settings.

Unlock User

Unlocks a local user account that has been locked due to too many failed password attempts

 

 

macOS 10.13 or later

Supervised or enrolled via a PreStage enrollment

Remove User

Removes a user that has an active account on the computer

Note: The Remove User command cannot remove a user if they are the last user with a SecureToken granted.

 

macOS 10.13 or later

Supervised or enrolled via a PreStage enrollment

Enable/Disable Bluetooth

Enables/disables Bluetooth on the computer

Note: When sending the command via a mass action, the Set Bluetooth option must be selected.

images/download/thumbnails/85396285/checkmark.png

macOS 10.13.4 or later

Enable/Disable Remote Desktop

Enables/disables Remote Desktop on the computer

Note: When sending the command via a mass action, the Set Remote Desktop option must be selected.

images/download/thumbnails/85396285/checkmark.png

macOS 10.14.4 or later

Set Activation Lock

Allow user to enable Activation Lock directly on the computer

Disable and prevent Activation Lock

For more information, see the
Leveraging Apple's Activation Lock Feature with Jamf Pro article.

images/download/thumbnails/85396285/checkmark.png

  • Supervised computers with the Apple T2 Security Chip or Apple silicon (i.e., M1 chip)

  • In Apple School Manager or Apple Business Manager

For more information on macOS compatibility, see the following articles from Apple's support website:

Sending a Remote Command to a Computer

Requirements

  • A push certificate in Jamf Pro
    For more information, see Push Certificates.

  • The Enable certificate-based authentication and Enable push notifications settings configured
    For more information, see Security Settings.

Procedure

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Perform a simple or advanced computer search.

  4. Click the computer you want to send the remote command to.
    If you performed a simple search for an item other than computers, you must click Expand images/download/thumbnails/85396285/Icon_Expand.png next to an item to view the computers related to that item.

  5. Click the Management tab, and then click the button for the remote command that you want to send.

    Note: To send the Unlock User or Remove User remote command, navigate to the Local User Accounts category in inventory information for the computer and click Manage for a user.

    Depending on the command selected, additional options may be available.

The remote command runs on the computer the next time the computer checks in with Jamf Pro.

After the command is sent, you can do the following on the History tab:

  • To view the status of a remote command, use the Management History pane to view completed, pending, or failed commands.

  • To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click Cancel.

Troubleshooting a Failed Status of a Remote Command

If a remote command reported a failed status, Jamf Pro will automatically resend the command every six hours for the compatible computers. To manually force the attempt, use the “Send blank push” management command. To access this feature, navigate to the Management tab in the inventory of a computer and click Management Commands.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.