Good day,
In our environment, there is a distribution group, if a user is part of that group he/she can use user-initiated option to enroll MacBook. Some users are using this option to enroll their personal devices. We were planning to use "Remote Lock" option under management commands in Jamf portal for devices that are not owned by our organization. My question is since these are not owned by us what will happen to data on device if users gets it unlocked from apple or apple authorized store. These devices are FV2 encrypted.
I would appreciate your thoughts on this.
Cheers!
Solved
BYOD "Remote Lock" functionality question
+7Best answer by Tribruin
Ok, it sounds like you have two goals here that may not require the same approach. Locking a (corporate-owned) computer if it is lost or stolen is a valid use.
But, preventing users from enrolling a personal device is probably better handled by properly managing your enrollment process. Ideally you could limit enrollment to Automated Enrollment (DEP). Or, limit enrollment to specific users (i.e. IT) and have them enroll the computers.
Finally, I think there is an argument that if users are enrolling personal devices, a proper Acceptable Use Policy is required and then it becomes an HR/Manager issue and not an IT issue.
Assuming they have already can boot, login, and unlock the FV2 encryption, they will be able to do the same once the remote lock is removed.
Why would you want to lock a personal computer? You are risking bricking a personal device of an employee. What are you trying to accomplish? If security is important enough to lock a user out of a computer, then the use of BYOD is probably not appropriate.
+7@RBlount Thanks for your response.
Users won't be able unlock unless we share remote login PIN with them. You are right once they are able to login then they can boot, login, and unlock the FV2 encryption therefore this might not be a good option.
We want to lock a personal computer to give a warning so that users should only use devices provided by company.
My goal is to protect company data in case device is stolen or lost and at the same find a solution/process that stops users to enroll personal devices.
Ok, it sounds like you have two goals here that may not require the same approach. Locking a (corporate-owned) computer if it is lost or stolen is a valid use.
But, preventing users from enrolling a personal device is probably better handled by properly managing your enrollment process. Ideally you could limit enrollment to Automated Enrollment (DEP). Or, limit enrollment to specific users (i.e. IT) and have them enroll the computers.
Finally, I think there is an argument that if users are enrolling personal devices, a proper Acceptable Use Policy is required and then it becomes an HR/Manager issue and not an IT issue.
+7That totally makes sense to me. For break/fix scenarios we are allowing users (who have MacBook assigned to them) to re-enroll devices which I believe is a loophole.
DEP was configured and is currently working without any issue. We have devices in multiple countries. Some regions still waiting for suppliers to onboard existing purchased devices. Will provide feedback to my team on this.
I would like to thank you for taking a time to reply and provide some guidance on this. Have a great day!
If we've lost the PIN (device was removed from Jamf because we'd put it in our recycle pile) how can we get it unlocked. I've contacted AppleCare Enterprise Support thinking it was an activation lock... but they say the Activation Lock isn't enabled on the machine.
+7@cwaldrip, JAMF support should be able to get device PIN for you if it was pushed using JAMF. We had similar situation, then we figured out the log flushing was set to 1 week which we changed to 6 months. This will keep management command history for 6 months.
@yadwinder.devgan do you think they can recover it if the machine is no longer in our Jamf? Once it goes on the recycle pile we delete it... :-
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.