
mdm-commands.sh

Graham Pugh edited this page Sep 10, 2025 · 7 revisions

Introduction

This script can perform a number of MDM commands on a number of computers in a single instance in one pass.

The currently available commands are:

  1. Erase All Contents And Settings
  2. Redeploy MDM Profile
  3. Set or clear Recovery Lock Password
  4. Delete All Users on Shared iPads
  5. Flush MDM Commands
  6. Logout Users
  7. Remove the MDM Profile
  8. Restart devices
  9. Toggle the Managed Software Update Plan Feature
  10. Create Managed Software Update plans
  11. Get the status of active Managed Software Update plans
  12. Get the status of active Managed Software Update statuses
  13. Enable Bluetooth
  14. Disable Bluetooth

Usage

This tool does not have any external dependencies. Instances and actions can be pre-assigned at the command line, or selected interactively.

Selecting Instances

Instances can be chosen interactively when running the script. However, you may also specify the instances using command line parameters if desired.

Interactive selection

To interactively select the instance list and instances, run the tool without any instance parameters. You will first be asked to select one or more instance lists, and then asked to select the instances you wish to act upon:

./mdm-commands.sh

Pre-select an instance list

You can pre-select an instance list so that you aren't asked to select one. To do this, add the -il or --instance-list option, and the name of the instance list, omitting the .txt suffix. Remember that the instance list must be in the instance-list folder within the multitenant-jamf-tools folder unless an alternative location is specified in the AutoPkg preferences.

If you pre-select an instance list but not an instance, you will be asked to select an instance via an interactive menu.

Example:

./mdm-commands.sh --instance-list prod

Pre-select an instance

You can pre-select one instance so that you aren't asked to select one. This can be done in conjunction with a pre-selected instance list, so that you can run the command non-interactively. If the instance is not in the instance list, you will be asked to select a valid instance from the list.

Example:

./mdm-commands.sh --instance-list prod --instance https://myinstance.jamfcloud.com

With the --nointeraction flag, you can supply a URL without the script verifying that it is in a supplied instance list. Remember that the credentials for the instance need to be stored in the Keychain for it to work.

Example:

./mdm-commands.sh --instance https://myinstance.jamfcloud.com --nointeraction

Defining actions

Actions can be predefined at the command line, or selected interactively. For example, you could flush failed MDM commands on computers in a defined group non-interactively with the following command:

./mdm-commands.sh --flushmdm --failed --instance "https://myinstance.jamfcloud.com" --group "All Managed" --nointeraction

To see all available actions that can be pre-defined, run ./mdm-commands.sh --help.

If no actions are predefined at the command line, you are asked to select one of the available commands:

Select from the following supported MDM commands:
   [E] Erase All Content And Settings
   [M] Redeploy Management Framework
   [R] Set Recovery Lock
   [P] Remove MDM Enrollment Profile
   [D] Delete all users (Shared iPads)
   [S] Restart device (mobile devices)
   [L] Logout user (mobile devices)
   [B0] [B1] Disable/Enable Bluetooth (mobile devices)
   [F] Flush MDM commands
   [MSUP] Get MSU Software Update Plan Status
   [MSUS] Get MSU Software Update Status
   [MSUC] Create MSU Software Update Plan
   [T] Toggle Software Update Plan Feature

Depending on your selection, you may be presented with a list of computers from which you can select each one individually, e.g. 0 2 3 4. This script does not currently support typing ranges (2-4) or typing ALL.

Examples

Filtering computers using command line options

For certain actions, you can filter computers more granularly at the command line. To select all computers in a Computer Group, run the script with the --group option, e.g.:

./mdm-commands.sh --<some-action> --group "All Managed"

To select a single computer from its ID in Jamf, use the --id option, e.g.:

./mdm-commands.sh --<some-action> --id 435

To select one or more computers using their Serial Numbers, use the --serial option and supply the Serial Number or a comma-separated list of Serial Numbers, e.g.:

./mdm-commands.sh --<some-action> --serial ABCD123456,ABDE234567,XWSA123456
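
As an added example (not part of mdm-commands.sh or this wiki), the helper below builds the value for --serial from a text file and refuses to continue if any line is malformed, so that a command is not sent to an unintended set of devices. The function name build_serial_arg, the one-serial-per-line file format with '#' comments, and the 8-14 character serial pattern are assumptions.

```bash
#!/bin/bash
# Added example: build a validated value for --serial from a text file.
# Assumptions (not from the script): one serial per line, '#' comments,
# and serials are 8-14 characters of A-Z and 0-9.

build_serial_arg() {
    # $1 = path to the serial list; prints the comma-separated list on success
    local file="$1" line serial list="" bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments, trim surrounding whitespace, normalise to upper case
        serial=$(printf '%s' "${line%%#*}" \
            | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
            | tr '[:lower:]' '[:upper:]')
        [ -z "$serial" ] && continue
        # reject anything that is not a plain serial (embedded commas, spaces, options)
        if ! printf '%s' "$serial" | grep -Eq '^[A-Z0-9]{8,14}$'; then
            echo "rejected: $serial" >&2
            bad=1
            continue
        fi
        # skip duplicates so each device is listed once
        case ",$list," in
            *",$serial,"*) continue ;;
        esac
        list="${list:+$list,}$serial"
    done < "$file"
    # fail closed: one bad line or an empty list aborts the run
    [ "$bad" -eq 0 ] && [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# Constructed sample input (the serials are the ones used on this page)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# lab devices
ABCD123456
abde234567   # lower case, trailing comment
ABCD123456
XWSA123456
EOF

if serials=$(build_serial_arg "$sample"); then
    echo "Would run: ./mdm-commands.sh --<some-action> --serial $serials"
fi
rm -f "$sample"
```

The block only prints the command it would run; review the resulting list before substituting a real action.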

Recovery Lock Password options

If you run the recovery lock MDM command without any parameters, a random Recovery Lock Password will be generated. This is also possible by adding the --random-lock-password option.

You can specify a Recovery Lock Password by adding the --recovery-lock-password option, e.g.:

./mdm-commands.sh --recovery --recovery-lock-password ABCD123456ABCD123456ABCD123456

You can clear the Recovery Lock password on one or more devices using the --clear-recovery-lock-password option, e.g.:

./mdm-commands.sh --recovery --clear-recovery-lock-password
