Skip to main content

So, from time to time we get computers stolen, and more often than one might think, they don't get erased but rather just gets a new admin account (using the .applesetupdone trick).
Our users aren't too happy about us collecting geo-location on a daily basis so we crafted a nifty little script that gives us the adress of the stolen computer. The script gets scoped to a static group containing all computers that are stolen (or lost) and set to run ongoing on all triggers (to get as much data as possible). As soon as the computer reports back in to the JSS, these scripts starts collecting data.



Along with the adress-script we have another script that prints the safari surf history of the current logged in user to stdin so it gets into the policy log to be viewed and finally one script that prints out the external IP and DNS name of the computer.



The adress scripts works by listing all the wifi networks seen by the computer and crafts a URL that requests data from google. The result is the approximate adress of the computers present location and the coordinates and finally the accuracy of the positioning.
We have recovered several computers using these scripts as all we have to do is provide law enforcement with location, IP/ISP and some "proof" of who we think is using the computer (you can often tell by the surf log since people tend to log into sites like Facebook and email which nicely prints out the name in the page title and therefore gets logged using the surf history part).
The record shows that the script is amazingly correct, or rather, Google is extremely good at provide location just using wifi networks. Most of the time, Google reports an accuracy of "150" which I guess would refer to 150 meters but from experience, that could easily be 15 meters, it's that accurate!



These scripts work for us, your mileage may vary, computers may catch fire, the scripts may contains bugs and so on...



Nevertheless, here are the scripts:



To get external IP:



#!/bin/sh

IP=$(dig +short myip.opendns.com @resolver1.opendns.com)

DNS=$(host $IP | awk '{print $5}' | sed "s/.$//g")

echo "$IP - $DNS"


To log the surf history to the JSS (nb does not work in 10.10 as Safari now saves the history in a sqlite 3-file):



#!/bin/sh



unset LANG



#echo "START"



PREFIX="/tmp/safari-log"



USER=$(w | grep console | awk '{print $1}')

eval cp ~$USER/Library/Safari/History.plist $PREFIX-history-bin.plist

plutil -convert xml1 -o $PREFIX-history-xml.plist $PREFIX-history-bin.plist

split -p "WebHistoryDomains.v2" $PREFIX-history-xml.plist $PREFIX-

tail -n +5 $PREFIX-aa | egrep -o "(<string>.*</string>)|(<dict>)" | sed -E "s/</?string>//g" | sed "s/<dict>//g" | grep -v "^http://www.google.*,d.Yms$" > $PREFIX-history.txt



OLD_IFS=$IFS

IFS=""

exec 5<$PREFIX-history.txt

while read -u 5 LINE

do

    echo $LINE | egrep -s "^[0-9.]+$" > /dev/null

    if [ $? -ne 0 ] ; then

        echo $LINE

    else

        TIME=$(expr $(echo $LINE | egrep -o "^[0-9]*") + 978307200)

        date -r $TIME

    fi

done

IFS=$OLD_IFS



rm $PREFIX-*



#echo "END"


And finally the one that prints out the address (location):



#!/bin/sh

INTERFACE=$(networksetup -listallhardwareports | grep -A1 Wi-Fi | tail -1 | awk '{print $2}')

STATUS=$(networksetup -getairportpower $INTERFACE | awk '{print $4}')

if [ $STATUS = "Off" ] ; then

    sleep 5

    networksetup -setairportpower $INTERFACE on

fi



/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s | tail -n +2 | awk '{print substr($0, 34, 17)"$"substr($0, 52, 4)"$"substr($0, 1, 32)}' | sort -t $ -k2,2rn | head -12 > /tmp/gl_ssids.txt



if [ $STATUS = "Off" ] ; then

    networksetup -setairportpower $INTERFACE off

fi



OLD_IFS=$IFS

IFS="$"

URL="https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=false"

exec 5</tmp/gl_ssids.txt

while read -u 5 MAC SS SSID

do

    SSID=`echo $SSID | sed "s/^ *//g" | sed "s/ *$//g" | sed "s/ /%20/g"`

    MAC=`echo $MAC | sed "s/^ *//g" | sed "s/ *$//g"`

    SS=`echo $SS | sed "s/^ *//g" | sed "s/ *$//g"`

    URL+="&wifi=mac:$MAC&ssid:$SSID&ss:$SS"

done

IFS=$OLD_IFS



#echo $URL

curl -s -A "Mozilla" "$URL" > /tmp/gl_coordinates.txt

LAT=`cat /tmp/gl_coordinates.txt | grep "lat" | awk '{print $3}' | tr -d ","`

LONG=`cat /tmp/gl_coordinates.txt | grep "lng" | awk '{print $3}' | tr -d ","`

ACC=`cat /tmp/gl_coordinates.txt | grep "accuracy" | awk '{print $3}' | tr -d ","`

#echo "LAT:  $LAT"

#echo "LONG: $LONG"

#echo "ACC: $ACC"



curl -s -A "Mozilla" "http://maps.googleapis.com/maps/api/geocode/json?latlng=$LAT,$LONG&sensor=false" > /tmp/gl_address.txt

ADDRESS=`cat /tmp/gl_address.txt | grep "formatted_address" | head -1 | awk '{$1=$2=""; print $0}' | sed "s/,$//g" | tr -d " | sed "s/^ *//g"`



if [ $EA -ne 0 ] ; then

    echo "<result>$ADDRESS (lat=$LAT, long=$LONG, acc=$ACC)</result>"

else

    echo "$ADDRESS (lat=$LAT, long=$LONG, acc=$ACC)"

fi



rm /tmp/gl_ssids.txt /tmp/gl_coordinates.txt /tmp/gl_address.txt

Thanks @Xaviermlp your script has worked a charm and Prey has installed on the stolen laptop. Now to pass the info over to the Police an hopefully we will get the MacBook back.

Prey is awesome. The very first screenshot we got was the user creating a new Apple ID with their full name and address. Less then an hour later the police had our laptop. It still took a few months before we were able to take possession of it.

Thank you @Xaviermlp !
It works great on Mojave too, but..... the Privacy alert for the camera pops up.



Is there any way to force-allow that? The PPPC only gives the option to deny access.

Ok, that's new, thanks for sharing.
I would start here : https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/ .

Oh man, just found this : https://blog.fleetsmith.com/tcc-a-quick-primer/ and it states that :



Camera and Microphone access can only be denied via the Payload Profile. They cannot be allowed/whitelisted.

@Xaviermlp Thanks. I already found that it can only be set to deny ;-)
Checked the prey-forum: https://community.preyproject.com/t/mojave-pppc-with-camera-captures-in-lost-mode/1644
but no answers there (yet).
Really hope for a workaround there.

Hi there,



I am really interested in the Prey app. I have a stolen laptop and did successfully install using the scripts. But I can't seem to add the stolen computer to my Prey account. How is that done? Thanks....

@aks if you set your API_KEY in the script the device will automatically be added to your prey account when the install completes.

Thanks! I pushed the script out, then nothing happened for a few days. Then all of a sudden, it was there. I was tracking it and had my local PD call the PD where the laptop was (1/2 way across the continent) and they picked it up at a McDonalds. Ends up the thief had 2 felony warrants out for his arrest. No telling when I will actually get the laptop back now that the PD has it, but that's ok. Neat app! Thanks for recommending it!

Thanks for the help @Xaviermlp ! Would you mind sharing the details around the policy that you use to scope this script to the target computers, such as Triggers, execution frequency, etc?

@jzarate Here's a shot of mine and I just add any serial numbers reported as missing to the scope.



Looks like if you want to silently deploy Prey on a stolen device, you're out of luck on newer machines due to PPPC limitations. Official response from Prey: "This can’t be done, I’m sorry. This Apple policy can’t be bypassed via MDM.".



I wish Apple would come up with a "Lost Mode" for macOS devices (similar to what already exists for supervised iOS devices). That way, users would be assured that IT could only retrieve geolocation data in the event of the device being lost, with full transparency and an audit trail.

I officially deactivated our Prey account because of this @sim.brar

@TomDay, will the script no longer install Prey at all, or would it just no longer install secretly? Have you found any other solutions?

@bollman
Did you ever figure out a way to fix this script? Or any way to track down a lost mac?
I know a lot of people were using prey, but since it cant be installed silently on Catalina its not an option for us.

Old post, but we just had a new MBA swiped. Would love a way to track it down if possible. Anyone have a way that works with Mojave and later?

Sadly no, I haven't had the time to investigate this further. I was hoping that some open source alternative to google's wifi location service would pop up, but the last time I checked I couldn't find anything.

Nowadays, I usually trust Geoip, but for pinpointing exactly where the computer is, well, that's not good enough.

I've tried to update the script but critical part of it will not work on Sonoma+ systems due to deprecation of airport cli utility... I've tried to use some 3d party solutions but all of them needs to be whitelisted with Location Services permissions. Google Location API works fine with new token system and JSON body requests.

Reply


Terms & ConditionsCookie settings