Remote Commands for Computers

The remote commands available in Jamf Pro allow you to remotely perform tasks on computers.

You can send a remote command to a single computer. Some commands can also be sent to multiple computers at once using mass actions. For more information, see Mass Actions for Computers.

Note:

The remote commands available for a particular computer vary depending on the computer's OS version. For more information, see Computer Management Capabilities.

The following table describes the remote commands that you can send from Jamf Pro. Commands that can be sent as mass actions are indicated with an asterisk (*).

Remote Command

Description

Requirements

Lock Computer*

Logs the user out of the computer, restarts the computer, and then locks the computer

(Optional) Displays a message on the computer when it locks

To unlock the computer, the user must enter the passcode that you specified when you sent the Lock Computer command.

Note:

On computers with Apple silicon (i.e., M1 chip) with macOS 11.4 or earlier, the passcode configured in the "Lock computer" command is not set. The computer reboots to the Activation screen in macOS Recovery with the options to restart, shutdown, activate, or erase the computer. To activate the computer, the user must authenticate with an administrator account that has a SecureToken. If there are no administrators with a SecureToken, activation cannot complete and the computer must be erased. This activation step requires an internet connection.

Remove MDM Profile*

Removes the MDM profile from the computer, along with any configuration profiles that were distributed with Jamf Pro

If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer.

Note:

Removing the MDM profile from a computer does not remove the computer from Jamf Pro, change its inventory information, or remove the jamf binary. For more information about how to remove the jamf binary after using the Remove MDM Profile command, see the Unmanaging Computers from Jamf Pro best practice workflow. .

Renew MDM Profile

Renews the MDM profile on the computer, along with the device identity certificate. The device identity certificate has a default expiration period of two years.

Note:

The Renew MDM Profile remote command is automatically issued when the built-in CA is renewed. The MDM profile will be renewed during the next computer check-in. For more information, see "Renewing the Built-in CA" in PKI Certificates.

Wipe Computer

Permanently erases all the data on the computer, and sets a passcode when required by the computer hardware type.

Note:

When the Wipe Computer command is sent to a computer with macOS 10.15 or later with an Apple T2 Security Chip, or a computer with Apple silicon (i.e., M1 chip), the computer will be erased and no passcode will be set.

Before macOS can be reinstalled, the user must enter the passcode that was specified with the Wipe Computer command, if required. The passcode is saved in the computer's Management Command history for reference.

Note:

On computers with macOS 12 or later, macOS does not need to be reinstalled if the following conditions are met:

  • EFI firmware passcode is not set on computers with an Apple T2 Security Chip.
  • Bootstrap Token is escrowed to Jamf Pro on computers with Apple silicon (i.e., M1 chip).

To reinstall macOS, methods may vary depending on the hardware types. For detailed information, see the following Apple documentation:

Note:

Wiping a computer does not remove the computer from Jamf Pro or change its inventory information. After the command is acknowledged by the computer, the computer will report in the inventory as unmanaged.

Send Blank Push

Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs)

Download/Download
 and Install Updates*

Updates the OS version and built-in apps on the computer

You can update the OS version for macOS using the following options:

  • Target VersionYou can choose to update the OS version to the latest version based on device eligibility or you can update to a specific version. When choosing to update the OS version to the latest version, you can select the Include major updates, if available checkbox to download and install the latest major update. To download and install the latest patch version, keep the checkbox deselected.
    Note:

    Updating to a specific macOS version requires computers with macOS 10.15 or later.

  • Install ActionYou can choose to download the update for users to install, download and allow macOS to install later, or to download and install the update and restart computers after installation. When choosing the Download and allow macOS to install later action, you can configure the number of times a user can defer the update on computers with macOS 12 or later. The default deferral is 7 times, but can be changed to any integer between 0–99.
Note:
  • When sending the command via a mass action, the Update OS version and built-in apps option must be selected.
  • On computers with Apple silicon (i.e., M1 chip), users may be prompted to authenticate before an update can be installed.
  • An alert is displayed in Jamf Pro prior to issuing the command indicating the computer may immediately restart without warning.

macOS 10.11 or later

Supervised or enrolled via a PreStage enrollment

Note:

To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro.

For more information about how Jamf Pro manages software updates, see Managing software updates for Apple devices in Apple Platform Deployment.

Unlock User

Unlocks a local user account that has been locked due to too many failed password attempts

 

macOS 10.13 or later

Supervised or enrolled via a PreStage enrollment

Remove User

Removes a user that has an active account on the computer

Note:

The Remove User command cannot remove a user if they are the last user with a SecureToken granted.

macOS 10.13 or later

Supervised or enrolled via a PreStage enrollment

Enable/Disable Bluetooth*

Enables/disables Bluetooth on the computer

Note:

When sending the command via a mass action, the Set Bluetooth option must be selected.

macOS 10.13.4 or later

Enable/Disable Remote Desktop*

Enables/disables Remote Desktop on the computer

Note:

When sending the command via a mass action, the Set Remote Desktop option must be selected.

macOS 10.14.4 or later

Set Activation Lock*

Allow user to enable Activation Lock directly on the computer

Disable and prevent Activation Lock

For more information, see the 
Leveraging Apple's Activation Lock Feature with Jamf Pro article.

  • Supervised computers with the Apple T2 Security Chip or Apple silicon (i.e., M1 chip)
  • In Apple School Manager or Apple Business Manager

For more information on macOS compatibility, see Activation Lock for Mac from Apple's support website.

Sending a Remote Command to a Computer

Requirements
  • A push certificate in Jamf Pro. For more information, see Push Certificates.

  • The Enable certificate-based authentication and Enable push notifications settings configured. For more information, see Security Settings.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Perform a simple or advanced computer search.
  3. Click the computer you want to send the remote command to.

    If you performed a simple search for an item other than computers, you must click Expand next to an item to view the computers related to that item.

  4. Click the Management tab, and then click the button for the remote command that you want to send.
    Note:

    To send the Unlock User or Remove User remote command, navigate to the Local User Accounts category in inventory information for the computer and click Manage for a user.

    Depending on the command selected, additional options may be available.

The remote command runs on the computer the next time the computer checks in with Jamf Pro.

After the command is sent, you can do the following on the History tab:

  • To view the status of a remote command, use the Management History pane to view completed, pending, or failed commands.

  • To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click Cancel.

Troubleshooting a Failed Status of a Remote Command

If a remote command reported a failed status, Jamf Pro will automatically resend the command every six hours for the compatible computers. To manually force the attempt, use the “Send blank push” management command. To access this feature, navigate to the Management tab in the inventory of a computer and click Management Commands.