mdm-commands.sh - grahampugh/multitenant-jamf-tools GitHub Wiki

This script can perform some MDM commands on a number of computers in a single instance in one pass. It's not currently possible to select multiple instances at once. The currently available commands are:

  1. Erase All Contents And Settings
  2. Redeploy MDM Profile
  3. Set or clear Recovery Lock Password
  4. Delete All Users on Shared iPads
  5. Flush MDM Commands
  6. Logout Users
  7. Remove the MDM Profile
  8. Restart devices
  9. Toggle the Managed Software Update Plan Feature
  10. Get the status of active Managed Software Update plans
  11. Enable Bluetooth
  12. Disable Bluetooth

Usage

If you run ./mdm-commands.sh without any parameters, you will first be asked to select an instance list, and then an instance.

Next, you are asked to select one of the available MDM commands:

Select from the following supported MDM commands:
   [E] Erase All Content And Settings
   [M] Redeploy Management Framework
   [R] Set Recovery Lock
   [P] Remove MDM Enrollment Profile
   [D] Delete all users (Shared iPads)
   [S] Restart device (mobile devices)
   [L] Logout user (mobile devices)
   [B0] [B1] Disable/Enable Bluetooth (mobile devices)
   [F] Flush MDM commands
   [MSU] Get MSU Software Update Plan Status
   [T] Toggle Software Update Plan Feature

You can bypass the prompt for selecting the MDM command type by passing the command as an option on the command line, e.g. ./mdm-commands.sh --erase. Consult ./mdm-commands.sh --help for valid options.

Depending on your selection, you may be presented with a list of computers from which you can select each one individually, e.g. 0 2 3 4. This script does not currently support typing ranges (2-4) or typing ALL.

Filtering computers using command line options

For certain actions, you can filter computers more granularly at the command line. To select all computers in a Computer Group, run the script with the --group option, e.g.:

./mdm-commands.sh --group "All Managed"

To select a single computer by its ID in Jamf, use the --id option, e.g.:

./mdm-commands.sh --id 435

To select one or more computers using their Serial Numbers, use the --serial option and supply the Serial Number or a comma-separated list of Serial Numbers, e.g.:

./mdm-commands.sh --serial ABCD123456,ABDE234567,XWSA123456
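
When the list for --serial comes from a spreadsheet export or a ticket, it is worth validating it before a bulk command is sent. The following is an added example, not part of multitenant-jamf-tools: build_serial_list is a hypothetical helper, serials.txt is a placeholder file name, and the 8-14 character alphanumeric pattern is an assumption about serial number format.

```shell
#!/bin/sh
# Added example (not part of multitenant-jamf-tools).
# build_serial_list FILE
#   Reads one serial number per line (blank lines and "#" comments allowed)
#   and prints the comma-separated value expected by --serial.
#   Fails closed: if any entry is malformed, nothing is printed and the
#   function returns 1, so a typo cannot silently change the target list.
build_serial_list() {
    local file="$1" out="" bad=0 line serial
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments, surrounding whitespace and CRs; normalise case.
        serial=$(printf '%s\n' "$line" \
            | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
            | tr '[:lower:]' '[:upper:]')
        [ -n "$serial" ] || continue

        # Assumption: serials are 8-14 alphanumeric characters.
        if ! printf '%s\n' "$serial" | grep -Eq '^[A-Z0-9]{8,14}$'; then
            echo "rejected entry: $serial" >&2
            bad=1
            continue
        fi

        # Skip duplicates so each device appears once in the list.
        case ",$out," in
            *",$serial,"*) continue ;;
        esac
        out="${out:+$out,}$serial"
    done < "$file"

    [ "$bad" -eq 0 ] || return 1
    [ -n "$out" ] || { echo "no serial numbers found in $file" >&2; return 1; }
    printf '%s\n' "$out"
}

# Usage: the script is only invoked if the whole list validated.
#   serials=$(build_serial_list serials.txt) && ./mdm-commands.sh --serial "$serials"
```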

Recovery Lock Password options

If you run the recovery lock MDM command without any parameters, a random Recovery Lock Password will be generated. You can also request this explicitly by adding the --random-lock-password option.

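You can specify a Recovery Lock Password by adding the --recovery-lock-password option. A value passed this way is visible in the process list while the script runs and may be recorded in shell history. For example: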

./mdm-commands.sh --recovery --recovery-lock-password ABCD123456ABCD123456ABCD123456

You can clear the Recovery Lock password on one or more devices using the --clear-recovery-lock-password option, e.g.:

./mdm-commands.sh --recovery --clear-recovery-lock-password