Complying with GDPR Requests in Jamf Pro
Jamf is committed to complying with the EU General Data Protection Regulation (GDPR) and helping our customers comply with "right of access" and "right to be forgotten" requests related to GDPR. This article provides information about the remediation process that Jamf Pro customers can use in their environments if they receive GDPR-related requests from end users.
The following procedure includes steps to delete personal data collected by default and stored in the Jamf Pro database. For information on the personal data that is deleted and the database tables affected, see the GDPR Compliance Reference for Jamf Pro article.
Jamf Pro 10.4.1 or later
Jamf Pro user account with the administrator privilege set and full Jamf Pro access
For related information, see the following sections in the Jamf Pro Documentation:
In addition, see the following article: Data and Tables Affected by Log Flushing.
Other Considerations
Custom Data Collection
The above procedure deletes personal data collected by default in Jamf Pro (see GDPR Compliance Reference for Jamf Pro for more information). It does not address custom configurations you may have in place to collect data outside of the default collection. For example, some organizations may choose to create user-based smart groups, scope configurations, extension attributes, or custom scripts, or may have previously uploaded VPP codes for a user from a VPP code spreadsheet.
If you have configured these types of custom settings that use or collect personal data, you will need to identify those settings and update them to ensure that personal data is deleted. If you have questions or need assistance, contact your Jamf account representative.
Database Backups
Personal data in production instances will be removed when the data controller (i.e., customer) completes the steps necessary for deletion.
Personal data may reside in backups that must be retained for contractual, legal, or compliance reasons.
If a backup is restored to production after a request to be forgotten has been completed, personal data held in that backup may be restored along with it; in that case, the data controller should take steps to honor the initial request and erase the data from production again.
Retention rules are in place to ensure data in backups is retained only as long as necessary before being automatically deleted.
Technical controls have been implemented to ensure adequate protection over backups.
Additional Information
For information on Jamf's commitment to privacy and complying with the GDPR, see jamf.com/privacy. For more information on the GDPR, see EUGDPR.org.
For a video walkthrough of this process, see the Jamf video "Complying with GDPR Requests in Jamf Pro".