Does anyone know of a way to record when a mac is wiped for auditing purposes? Like SOC?
Question
Record macOS wipe actions
+17
+25@danlaw777 If you're asking about the Wipe Computer management command, that should still be in the computer record for the device, but only until the Mac is re-enrolled so I don't think that'll meet your adit data interest. If you're asking about the user initiating an Erase All Contents and Setting on the Mac itself that's no persistent log on that either.
+11It may help or give you an idea on how to achieve the result you are after.
For my different wipe policies eg. (Wipe and back to school / circulation, Sold Laptops for release..) I will add a command to update the asset tag field before the process starts.
I'm left with items in Jamf that I can search / export on based on that field.
eg.
jamf recon -assetTag "Sold Laptops $myYear $myDate [$serialNumber]"
+26So long as the devices inventory record is not deleted, this event should be logged in the inventory record under History > Audit. It will tell you who did the thing and when. Im not sure if this can be redirected to something like Splunk for SOC or not though.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.