Administration
This page
Other pages
Account
Jamf Pro - Mobile Device Management Commands
Jamf Pro separates Apple devices into two categories: "Computers" (Macs), and "Mobile Devices" (iPhones, iPads). Computers and mobile devices have slightly different management capabilities. In this article, we'll cover the most common commands for both.
| Command name | Description | macOS support | iOS/iPadOS support |
|---|---|---|---|
| Update Inventory | Triggers an inventory update over MDM | Limited. For a full inventory update, Jamf uses its own binary that runs on its own schedule. | Yes |
| Enable Lost Mode | Locks the device with a message of your choosing, and optionally plays a repeated beeping sound until found. Also reports GPS location to Jamf when the device is online. Once locked, it can only be unlocked by sending the "Disable Lost Mode" command. | No (see "Lock Computer" below) | Yes (requires supervision) |
| Lock Computer | Shuts down the computer and enables a firmware lock with a 6-digit code you set in Jamf. The user must enter that code to unlock the Mac. | Yes | No (see "Enable Lost Mode" above) |
| Lock Device | Returns the device to the lock screen, similar to pressing the power button on an iPhone or iPad. | No | Yes |
| Clear Passcode | Removes the lock screen passcode | No | Yes |
| Unmanage Device | Unenrolls mobile devices from Jamf | No (see "Remove MDM Profile" below) | Yes |
| Remove MDM Profile | Removed MDM functionality from Macs. Note that if you want to fully unenroll a Mac, you will also need to remove the Jamf binary with "sudo jamf removeFramework" afterwards. | Yes | No (see "Unmanage Device" above) |
| Wipe Computer \ Wipe Device | Immediately wiped the computer/device and returns to out-of-box setup. On Macs, it may take an hour or more to reinstall the OS before the computer can be set up again. | Yes | Yes (requires supervision) |
| Send Blank Push | Sends a "high priority" command that does nothing. Useful for troubleshooting and testing MDM connectivity. | Yes | Yes |
| Set Activation Lock | Allows or disables and prevents the user from enabling activation lock through their Apple Account's "Find My" feature. | Yes | Yes (requires supervision) |
| Download and Install Updates | Downloads and immediately installs macOS updates. Note that this can force a reboot, so it is not recommended to use this on devices that may be in use. | Yes | No |
| Recommend Software Update Version | Notifies the user to install an OS update. | No | Yes |
For more information on these and more commands, please see Jamf's documentation for Remote Commands for Mobile Devices and Remote Commands for Computers.
Note that some of these commands say Supervision required. For iOS/iPadOS devices, this means they must be enrolled via Automated Device Enrollment (ADE, formerly known as DEP) at the time of device setup. More information on ADE can be found at the mobile device enrollment page.
To run these commands in the JSS:
- Click on either Computers or Mobile Devices in the sidebar
- Search inventory for the desired machine and select it
- Click the Management tab
- Click the desired command
 | These commands should be done with great care, particularly wiping the device or unmanaging it. You should test these commands before running them on a production device to ensure they do what you want them to. |
Locking iPads and iPhones with Lost Mode
iOS/iPadOS devices can be locked down by enabling Lost Mode. Once Lost Mode is enabled, the device will be unusable and will display a message on the screen, instructing the user to contact support to unlock it. If the device is enrolled in DEP, you user will not be able to bypass Lost Mode by wiping the device, so this is ideal for protecting lost or stolen devices.
To enable Lost Mode, follow these steps:
- Click on the Enable Lost Mode button in the Management Commands pane
- Enter a message to be displayed to the user on the lock screen.
- Fill in the message and footnote fields with your custom message. You can optionally specify a phone number, as well.
- Leave the "Always enforce Lost Mode" box checked
- The "Lost Mode Sound" setting is optional but recommended. If enabled, the device will get progressively louder and keep beeping until the user touches the volume-down button.
- Click Enable Lost Mode to finalize the settings and send the command.
Locating a device in Lost Mode
- Find the device record in the JSS
- Under the General tab, go to the Security pane on the left
- Scroll down to the "Approximate location" field
- Click on the coordinates to open Apple Maps. Note: if the link does nothing, try command-clicking to open it in a new tab. It should prompt you to open the Apple Maps app.
Disabling Lost Mode
- In the JSS, find the mobile device record
- Go to the management tab
- Click on the Disable Lost Mode button in the Management Commands pane
- Note: the device will need internet access to receive the unlock command. This might require an Ethernet dongle or connecting to a Mac via USB to share its internet connection.
Locking Macs
- In the JSS, open the computer record
- Go to the Management tab
- Click on the Lock Device button
- Enter a 6-digit passcode. Note that while Jamf will let you type anything in this field, it must be only numbers.
- Record this passcode and serial number and store it somewhere safe, like in LastPass.
While the passcode is also accessible within Jamf under History > Management Commands > Completed, these logs get flushed periodically so you must save the passcode somewhere permanent. - Enter a lock message. e.g. "To unlock this device, contact the MIT service desk at servicedesk@mit.edu or 617-253-1101."
- Click Lock Computer
- Users will be prompted to enter the passcode during firmware boot before they can select a boot drive.
Apple Silicon Macs must be running macOS 11.5 or later for this to function correctly. On 11.4 or earlier, the computer will simply reboot to recovery and require authentication with a Secure Token-enabled account to reactivate.
Contact
Questions? Contact us at euc-help@mit.edu.
