Remote Commands for Computers

The remote commands available in Jamf Pro allow you to remotely perform tasks on computers.

You can send a remote command to a single computer. Some commands can also be sent to multiple computers at once using mass actions. For more information, see Mass Actions for Computers.

Note:

The remote commands available for a particular computer vary depending on the computer's OS version. For more information, see Computer Management Capabilities.

The following table describes the remote commands that you can send from Jamf Pro. Commands that can be sent as mass actions are indicated with an asterisk (*).


Remote Command	Description	Requirements
Lock Computer*	Logs the user out of the computer, restarts the computer, and then locks the computer (Optional) Displays a message on the computer when it locks To unlock the computer, the user must enter the passcode that you specified when you sent the Lock Computer command. Note: On computers with Apple silicon (i.e., M1 chip) with macOS 11.4 or earlier, the passcode configured in the "Lock computer" command is not set. The computer reboots to the Activation screen in macOS Recovery with the options to restart, shutdown, activate, or erase the computer. To activate the computer, the user must authenticate with an administrator account that has a SecureToken. If there are no administrators with a SecureToken, activation cannot complete and the computer must be erased. This activation step requires an internet connection.
Remove MDM Profile*	Removes the MDM profile from the computer, along with any configuration profiles that were distributed with Jamf Pro If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer. Note: Removing the MDM profile from a computer does not remove the computer from Jamf Pro, change its inventory information, or remove the jamf binary. For more information about how to remove the jamf binary after using the Remove MDM Profile command, see the Unmanaging Computers from Jamf Pro best practice workflow. .
Renew MDM Profile	Renews the MDM profile on the computer, along with the device identity certificate. The device identity certificate has a default expiration period of two years. Note: The Renew MDM Profile remote command is automatically issued when the built-in CA is renewed. The MDM profile will be renewed during the next computer check-in. For more information, see "Renewing the Built-in CA" in PKI Certificates.
Wipe Computer	Permanently erases all the data on the computer, and sets a passcode when required by the computer hardware type. Note: When the Wipe Computer command is sent to a computer with macOS 10.15 or later with an Apple T2 Security Chip, or a computer with Apple silicon (i.e., M1 chip), the computer will be erased and no passcode will be set. Before macOS can be reinstalled, the user must enter the passcode that was specified with the Wipe Computer command, if required. The passcode is saved in the computer's Management Command history for reference. Note: On computers with macOS 12 or later, macOS does not need to be reinstalled if the following conditions are met: EFI firmware passcode is not set on computers with an Apple T2 Security Chip. Bootstrap Token is escrowed to Jamf Pro on computers with Apple silicon (i.e., M1 chip). To reinstall macOS, methods may vary depending on the hardware types. For detailed information, see the following Apple documentation: About macOS Recovery on Intel-based Mac computers from Apple's support website Use macOS Recovery on a Mac with Apple silicon in the macOS User Guide Revive or restore a Mac with Apple silicon using Apple Configurator 2 in the Apple Configurator 2 User Guide Note: Wiping a computer does not remove the computer from Jamf Pro or change its inventory information. After the command is acknowledged by the computer, the computer will report in the inventory as unmanaged.
Send Blank Push	Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs)
Download/Download  and Install Updates*	Updates the OS version and built-in apps on the computer You can update the OS version for macOS using the following options: Target Version—You can choose to update the OS version to the latest version based on device eligibility or you can update to a specific version. When choosing to update the OS version to the latest version, you can select the Include major updates, if available checkbox to download and install the latest major update. To download and install the latest patch version, keep the checkbox deselected. Note: Updating to a specific macOS version requires computers with macOS 10.15 or later. Install Action—You can choose to download the update for users to install, download and allow macOS to install later, or to download and install the update and restart computers after installation. When choosing the Download and allow macOS to install later action, you can configure the number of times a user can defer the update on computers with macOS 12 or later. The default deferral is 7 times, but can be changed to any integer between 0–99. Note: When sending the command via a mass action, the Update OS version and built-in apps option must be selected. On computers with Apple silicon (i.e., M1 chip), users may be prompted to authenticate before an update can be installed. An alert is displayed in Jamf Pro prior to issuing the command indicating the computer may immediately restart without warning.	macOS 10.11 or later Supervised or enrolled via a PreStage enrollment Note: To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro. For more information about how Jamf Pro manages software updates, see Managing software updates for Apple devices in Apple Platform Deployment.
Unlock User	Unlocks a local user account that has been locked due to too many failed password attempts	macOS 10.13 or later Supervised or enrolled via a PreStage enrollment
Remove User	Removes a user that has an active account on the computer Note: The Remove User command cannot remove a user if they are the last user with a SecureToken granted.	macOS 10.13 or later Supervised or enrolled via a PreStage enrollment
Enable/Disable Bluetooth*	Enables/disables Bluetooth on the computer Note: When sending the command via a mass action, the Set Bluetooth option must be selected.	macOS 10.13.4 or later
Enable/Disable Remote Desktop*	Enables/disables Remote Desktop on the computer Note: When sending the command via a mass action, the Set Remote Desktop option must be selected.	macOS 10.14.4 or later
Set Activation Lock*	Allow user to enable Activation Lock directly on the computer Disable and prevent Activation Lock For more information, see the  Leveraging Apple's Activation Lock Feature with Jamf Pro article.	Supervised computers with the Apple T2 Security Chip or Apple silicon (i.e., M1 chip) In Apple School Manager or Apple Business Manager For more information on macOS compatibility, see Activation Lock for Mac from Apple's support website.

Sending a Remote Command to a Computer

Requirements

A push certificate in Jamf Pro. For more information, see Push Certificates.
The Enable certificate-based authentication and Enable push notifications settings configured. For more information, see Security Settings.

In Jamf Pro, click Computers at the top of the sidebar.
Perform a simple or advanced computer search.
Click the computer you want to send the remote command to.
If you performed a simple search for an item other than computers, you must click Expand next to an item to view the computers related to that item.
Click the Management tab, and then click the button for the remote command that you want to send.
Note:
To send the Unlock User or Remove User remote command, navigate to the Local User Accounts category in inventory information for the computer and click Manage for a user.
Depending on the command selected, additional options may be available.

The remote command runs on the computer the next time the computer checks in with Jamf Pro.

After the command is sent, you can do the following on the History tab:

To view the status of a remote command, use the Management History pane to view completed, pending, or failed commands.
To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click Cancel.

Troubleshooting a Failed Status of a Remote Command

If a remote command reported a failed status, Jamf Pro will automatically resend the command every six hours for the compatible computers. To manually force the attempt, use the “Send blank push” management command. To access this feature, navigate to the Management tab in the inventory of a computer and click Management Commands.

	Jamf Pro Documentation
	Version 10.35.0 \| Other Versions