Remote Commands for Computers
The remote commands available in Jamf Pro allow you to remotely perform tasks on computers.
You can send a remote command to a single computer. Some commands can also be sent to multiple computers at once using mass actions. For more information, see Mass Actions for Computers.
The remote commands available for a particular computer vary depending on the computer's OS version. For more information, see Computer Management Capabilities.
The following table describes the remote commands that you can send from Jamf Pro. Commands that can be sent as mass actions are indicated with an asterisk (*).
Remote Command |
Description |
Requirements |
---|---|---|
Lock Computer* |
Logs the user out of the computer, restarts the computer, and then locks the computer (Optional) Displays a message on the computer when it locks To unlock the computer, the user must enter the passcode that you specified when you sent the Lock Computer command. Note:
On computers with Apple silicon (i.e., M1 chip) with macOS 11.4 or earlier, the passcode configured in the "Lock computer" command is not set. The computer reboots to the Activation screen in macOS Recovery with the options to restart, shutdown, activate, or erase the computer. To activate the computer, the user must authenticate with an administrator account that has a SecureToken. If there are no administrators with a SecureToken, activation cannot complete and the computer must be erased. This activation step requires an internet connection. | |
Remove MDM Profile* |
Removes the MDM profile from the computer, along with any configuration profiles that were distributed with Jamf Pro If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer. Note:
Removing the MDM profile from a computer does not remove the computer from Jamf Pro, change its inventory information, or remove the jamf binary. For more information about how to remove the jamf binary after using the Remove MDM Profile command, see the Unmanaging Computers from Jamf Pro best practice workflow. . | |
Renew MDM Profile |
Renews the MDM profile on the computer, along with the device identity certificate. The device identity certificate has a default expiration period of two years. Note:
The Renew MDM Profile remote command is automatically issued when the built-in CA is renewed. The MDM profile will be renewed during the next computer check-in. For more information, see "Renewing the Built-in CA" in PKI Certificates. | |
Wipe Computer |
Permanently erases all the data on the computer, and sets a passcode when required by the computer hardware type. Note:
When the Wipe Computer command is sent to a computer with macOS 10.15 or later with an Apple T2 Security Chip, or a computer with Apple silicon (i.e., M1 chip), the computer will be erased and no passcode will be set. Before macOS can be reinstalled, the user must enter the passcode that was specified with the Wipe Computer command, if required. The passcode is saved in the computer's Management Command history for reference. Note:
On computers with macOS 12 or later, macOS does not need to be reinstalled if the following conditions are met:
To reinstall macOS, methods may vary depending on the hardware types. For detailed information, see the following Apple documentation:
Note:
Wiping a computer does not remove the computer from Jamf Pro or change its inventory information. After the command is acknowledged by the computer, the computer will report in the inventory as unmanaged. | |
Send Blank Push |
Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs) | |
Download/Download and Install Updates* |
Updates the OS version and built-in apps on the computer You can update the OS version for macOS using the following options:
Note:
|
macOS 10.11 or later Supervised or enrolled via a PreStage enrollment Note:
To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro. For more information about how Jamf Pro manages software updates, see Managing software updates for Apple devices in Apple Platform Deployment. |
Unlock User |
Unlocks a local user account that has been locked due to too many failed password attempts
|
macOS 10.13 or later Supervised or enrolled via a PreStage enrollment |
Remove User |
Removes a user that has an active account on the computer Note:
The Remove User command cannot remove a user if they are the last user with a SecureToken granted. |
macOS 10.13 or later Supervised or enrolled via a PreStage enrollment |
Enable/Disable Bluetooth* |
Enables/disables Bluetooth on the computer Note:
When sending the command via a mass action, the Set Bluetooth option must be selected. |
macOS 10.13.4 or later |
Enable/Disable Remote Desktop* |
Enables/disables Remote Desktop on the computer Note:
When sending the command via a mass action, the Set Remote Desktop option must be selected. |
macOS 10.14.4 or later |
Set Activation Lock* |
Allow user to enable Activation Lock directly on the computer Disable and prevent Activation Lock For more information, see the Leveraging Apple's Activation Lock Feature with Jamf Pro article. |
For more information on macOS compatibility, see Activation Lock for Mac from Apple's support website. |
Sending a Remote Command to a Computer
A push certificate in Jamf Pro. For more information, see Push Certificates.
The Enable certificate-based authentication and Enable push notifications settings configured. For more information, see Security Settings.
The remote command runs on the computer the next time the computer checks in with Jamf Pro.
After the command is sent, you can do the following on the History tab:
To view the status of a remote command, use the Management History pane to view completed, pending, or failed commands.
To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click Cancel.
Troubleshooting a Failed Status of a Remote Command
If a remote command reported a failed status, Jamf Pro will automatically resend the command every six hours for the compatible computers. To manually force the attempt, use the “Send blank push” management command. To access this feature, navigate to the Management tab in the inventory of a computer and click Management Commands.