Is there a way to put a macOS device into Lost Mode so it can provide the location of the device?  Similar to what is available for iOS devices within Management.

 

I do not see that feature under Management for macOS devices.

and:

To do this for individual devices, or for more than one device, use an advanced search that targets the device's name, save it, and then run the remote commands on them.

Thanks.


macOS currently does not have a lost mode feature like the one that currently exists on iPads. You can lock the computer as described above, but that is a firmware lock for Intel devices (does not work on M1, as they do not have EFI), which also prevents the device from communicating back to your MDM and reporting its IP address.

I have a geolocation extension attribute that gets a rough estimate of where the device is (at least the region the IP address is located in):

 

#!/bin/sh

# Public IP of the Mac as seen from the internet. Both lookups below are
# over plain HTTP, so treat the responses as untrusted text.
myIP=$(curl -L -s --max-time 10 http://checkip.dyndns.org | grep -Eo -m 1 '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}')

# Country, city and coordinates for that IP from ip-api.com, as CSV.
# The query form is http://ip-api.com/csv/<ip>?fields=... (the IP goes in the path).
myLocationInfo=$(curl -L -s --max-time 10 "http://ip-api.com/csv/${myIP}?fields=country,city,lat,lon")

echo "<result>$myLocationInfo</result>"

 

As far as locking the computer goes, I implemented a DEPNotify script in our environment that displays a fullscreen message to the user stating that they need to return the device. This allows the computer to continue reporting its location to Jamf but prevents the user from being able to use the device. It's a policy scoped to devices I have identified as needing to be returned. If they figure out how to disable DEPNotify, the policy runs on check-in and login, so it will nag them. Based on the script provided by https://montysmacmusings.wordpress.com/2018/10/25/depnotify-makes-a-great-user-nag-screen/

 

 

#!/bin/bash

# generic depnotify cover screen
# Jamf passes the text to display in as script parameters 4-7.

screenTitle="${4}"
screenMainTextIn="${5}"
screenInitialstatus="${6}"
screenIcon="${7}"

DepNotifyApp="/Applications/Utilities/DEPNotify.app"
DepNotifyWorkingDir="/var/tmp/"

#######################################
# check depnotify actually installed. #
# install if not                      #
#######################################

if [ ! -d "$DepNotifyApp" ]; then
    echo "installing DEPNotify"
    # separate on-demand policy that installs the DEPNotify package
    jamf policy -event install-depnotify
    if [ -d "$DepNotifyApp" ]; then
        echo "***** installed DEPNotify"
    else
        echo "***** install failed! Exiting as pointless running"
        exit 1
    fi
else
    echo "DEPNotify is installed already"
fi

# check user is logged in (wait until the Dock is running)
while ! pgrep -x Dock > /dev/null; do
    sleep 5
done

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')


#################################


resetDEPNotify () {
    # clear state left over from a previous run so the screen starts fresh
    rm -f "$DepNotifyWorkingDir"depnotify.log
    rm -f "$DepNotifyWorkingDir"DEPNotify.plist
    rm -f "$DepNotifyWorkingDir"com.depnotify.agreement.done
    rm -f "$DepNotifyWorkingDir"com.depnotify.registration.done
    rm -f "$DepNotifyWorkingDir"com.depnotify.provisioning.done
    sudo -u "$loggedInUser" defaults delete menu.nomad.DEPNotify 2>/dev/null
}


initialise_DEPNotify_Settings () {
    # DEPNotify reads its commands from depnotify.log in the working directory
    echo "Command: MainTitle: $screenTitle" >> "$DepNotifyWorkingDir"depnotify.log
    echo "Command: MainText: $screenMainTextIn " >> "$DepNotifyWorkingDir"depnotify.log
    echo "Status: $screenInitialstatus" >> "$DepNotifyWorkingDir"depnotify.log
    echo "Command: Image: $screenIcon" >> "$DepNotifyWorkingDir"depnotify.log
    echo "Command: DeterminateManual: 1" >> "$DepNotifyWorkingDir"depnotify.log
}

displayMessage () {
    # run as the console user so the window appears in their session
    sudo -u "$loggedInUser" "$DepNotifyApp"/Contents/MacOS/DEPNotify -fullScreen
}

####################################################
resetDEPNotify

initialise_DEPNotify_Settings

displayMessage

 

Just fill in the parameters 4-7 in the policy with the information you would like to display in the message.
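The geolocation extension attribute above embeds text fetched over plain HTTP straight into the `<result>` element that Jamf parses, so an HTML error page, a rate-limit message or a spoofed reply ends up in inventory as if it were a location. Here is an added example, not code from this thread or from either poster, of the defensive parsing a practitioner would want around that lookup: it validates the public IP before it is put into a URL, checks that an ip-api CSV row really has the `country,city,lat,lon` shape the EA requests, and escapes XML metacharacters. The helper names (`valid_ipv4`, `is_number`, `xml_escape`, `format_result`) are my own, the sample rows are constructed, and nothing here touches the network:

```sh
#!/bin/sh
# Added example, not part of the thread: defensive handling for the
# geolocation EA. Lookups are passed in as arguments so this runs offline.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# Anything else (an HTML body, an empty reply) is rejected before it
# can be spliced into a URL.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or malformed dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_number STR: optional leading minus, digits, at most one fractional part.
is_number() {
    n="${1#-}"
    case "$n" in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;
    esac
    return 0
}

# xml_escape STR: make untrusted text safe inside the <result> element.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# format_result CSVROW: turn an ip-api "country,city,lat,lon" row into the
# EA result, or an explicit failure result when the row does not look like
# one. A "Too Many Requests" page must never be reported as a location.
format_result() {
    set -f                       # no globbing while splitting on commas
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    set +f
    if [ $# -ne 4 ] || ! is_number "$3" || ! is_number "$4"; then
        printf '<result>lookup failed</result>\n'
        return 1
    fi
    printf '<result>%s,%s,%s,%s</result>\n' \
        "$(xml_escape "$1")" "$(xml_escape "$2")" "$3" "$4"
}

# Wiring this to the live services used in the thread (commented out so
# the file stays offline):
#   ip=$(curl -L -s --max-time 10 http://checkip.dyndns.org | grep -Eo -m 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
#   if valid_ipv4 "$ip"; then
#       format_result "$(curl -s --max-time 10 "http://ip-api.com/csv/$ip?fields=country,city,lat,lon")"
#   else
#       echo "<result>lookup failed</result>"
#   fi

# Constructed sample rows, not real lookups:
format_result 'United Kingdom,London,51.5074,-0.1278'
format_result '<b>Too Many Requests</b>' || true
```

The point of `format_result` returning a fixed `lookup failed` string rather than an empty result is that a smart group scoped on the EA can then distinguish "no data" from "bad data", and the nag policy scoped on it will not fire on a device whose only problem was a failed lookup.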




This is what I am looking for.  Thanks for the info




Very interesting, I will test and check it out. Thank you for sharing. 

 


It does utilize a separate policy to install depnotify if it isn’t already installed. I uploaded the package to Jamf and created an on demand policy call for it in the script, but it’s just as easy to include the package as part of the actual script policy or have the script curl depnotify down directly from the internet.


Geolocation seems to work very well for our Monterey fleet, just wanted to say. I am looking at testing the other portion.