
I’m wondering how others approach Macs that have become unaccounted for, lost or stolen?

We have a fleet of approx 1500 - many that were purchased before any of the staff currently involved in managing them were working for our organisation.

Sometimes I’ll come across a Mac that is still checking into Jamf, but we have no record of who it belongs to and whether it was legitimately bought out or not.

Other times we have Macs that have just been plain stolen.

There’s another scenario on top of this where I’ll encounter Macs that check in, so can seemingly run Policies, but aren’t doing an inventory update and won’t run Management commands (the Wipe Computer command being one I’d find quite useful in particular).

With that in mind, I put together a script to install a launch daemon that launches a script that aggressively notifies the user that the device belongs to our org, and to contact our helpdesk - it blocks the screen out to the point the device becomes unusable. I am yet to deploy it though. I’m concerned it might be a bit much, especially if it were to get scoped to somebody by mistake.

I’m interested to know if anyone else goes with such a heavy-handed approach, or if there are any ready-made tools out there that might be more elegant?
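An added example of the launch-daemon approach described above, not the original poster’s script. It installs a LaunchDaemon that shows a recurring “property of” dialog in the console user’s session, and it addresses the mis-scoping worry with a marker file that acts as a kill switch: the daemon stays silent unless the file exists, so a Mac that receives the payload by mistake is not affected and removal is a matter of deleting one file. The org name, helpdesk number, label and file paths are placeholders; the dialog is a plain notification rather than a screen lock.

```shell
#!/bin/sh
# Added example (not the poster's script): a LaunchDaemon that periodically reminds
# whoever is using the Mac that it belongs to the organisation.
# All of the names below are hypothetical placeholders.
ORG_NAME="Example Org"
HELPDESK="+44 000 000 0000"
LABEL="com.example.assetrecovery"                       # hypothetical reverse-DNS label
MARKER="/Library/Management/.asset_recovery_enabled"    # hypothetical kill switch file
SCRIPT_PATH="/Library/Management/asset_recovery.sh"     # hypothetical reminder script path
PLIST_PATH="/Library/LaunchDaemons/${LABEL}.plist"
INTERVAL=900                                            # seconds between reminders

# The reminder only fires while the marker file exists. The marker is created by the
# install step (i.e. by the Jamf policy that is scoped to the lost device), so a Mac
# that gets the daemon by accident but never the marker shows nothing.
should_notify() {
  [ -f "$1" ]
}

# Emit the LaunchDaemon plist. Kept as a function so it can be inspected or tested
# without writing to /Library on the machine running it.
build_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>${SCRIPT_PATH}</string>
    </array>
    <key>StartInterval</key>
    <integer>${INTERVAL}</integer>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# The reminder script the daemon runs. It executes as root, so the dialog is shown in the
# logged-in user's session with `launchctl asuser` rather than directly from root.
build_reminder_script() {
  cat <<EOF
#!/bin/sh
MARKER="${MARKER}"
[ -f "\$MARKER" ] || exit 0
CONSOLE_USER=\$(stat -f%Su /dev/console)
{ [ -n "\$CONSOLE_USER" ] && [ "\$CONSOLE_USER" != "root" ]; } || exit 0
UID_NUM=\$(id -u "\$CONSOLE_USER")
MSG="This Mac is the property of ${ORG_NAME}. Please contact the helpdesk on ${HELPDESK} to arrange its return."
/bin/launchctl asuser "\$UID_NUM" /usr/bin/osascript -e "display dialog \\"\$MSG\\" with title \\"${ORG_NAME} IT\\" buttons {\\"OK\\"} default button 1 with icon caution"
EOF
}

# Write the script and plist with root ownership, create the marker, and load the daemon.
install_daemon() {
  mkdir -p "$(dirname "$SCRIPT_PATH")"
  build_reminder_script > "$SCRIPT_PATH"
  build_plist > "$PLIST_PATH"
  chown root:wheel "$SCRIPT_PATH" "$PLIST_PATH"
  chmod 755 "$SCRIPT_PATH"
  chmod 644 "$PLIST_PATH"
  touch "$MARKER"
  launchctl bootstrap system "$PLIST_PATH"
}

# Reverse everything, for a device that turns out to be legitimately owned.
remove_daemon() {
  launchctl bootout system "$PLIST_PATH" 2>/dev/null
  rm -f "$PLIST_PATH" "$SCRIPT_PATH" "$MARKER"
}

# Jamf passes its own values in $1-$3 and script parameters from $4 onward,
# so the action ("install" or "remove") is read from parameter 4. With no
# parameter the script only defines the functions and does nothing.
case "${4:-}" in
  install) install_daemon ;;
  remove)  remove_daemon ;;
esac
```

Scoping the policy that runs this with parameter 4 set to `install` to a smart group of the unaccounted-for Macs, and a second policy with `remove` scoped to anything that leaves that group, keeps the control reversible; deleting the marker file alone is enough to silence a device while the case is investigated.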

 

Dealing with legacy devices can be a challenge. We decided to lock the devices remotely that we can’t account for, while providing a phone message in the lock message.

 

Ultimately, it then becomes a choice between cutting your losses, or keeping them in Jamf to see if anybody comes forward with a locked device. In our case, we locked the devices, had a grace period of several months for anyone to come forward, and then removed the devices before our Jamf renewal.

 

I think the possibility of company data being in the hands of an unknown person can definitely warrant a strong-handed approach, through the lock functionality in Jamf, or the script you mentioned.

Similar note to Daley.

Do you have an asset management or ticketing system in place now to keep track?

Is your Jamf tied to LDAP, so it can be assigned to someone?

Personally, I don’t think that’s aggressive. You could send other prompts or notifications that are lighter. But when IT needs to know their hardware inventory, this warrants action. It’s possible you could get buy-in from your HR or managers, or whoever. Maybe send a notification prior so your organization knows this asset tracking project is coming.

For the Macs that won’t get MDM commands but do run policies, there are options to fix this without a wipe. Others on Jamf Nation have posted fixes. A wipe and re-install is simpler, but there are other options to fix, like attempts to re-enroll the device.


What others have said. If the company you work for has PII, PCI, etc. style of data, then I’d be doing my darnedest to lock/control those computers. The company OWNS those assets, so getting them back into the fold should be priority. If there isn’t any pertinent data on the devices, then I’d consider cutting your losses and moving forward with standards. As far as primary users (owners) of the device(s), having something like PSSO or Jamf Connect would give you better insight into who is using the device going forward. Please don’t bind your Macs...just don’t.

😊


We’ve had good success by locking device screens with a “Property of XYZ Company” message and a phone number for return, which prompted quick call-ins from people who left the company and had not returned them. For devices confirmed as stolen, we deployed a recurring popup PDF on company letterhead stating that the device was stolen. The message said we know that they might not be aware, and we offered to remove our tools and let them keep the device if they told us where they got it from. We also enabled an extension attribute to capture the logged-in iCloud user’s email, identified a couple of users, and even reached out via LinkedIn (with no response). We came very close to calling them on FaceTime, but our legal team told us no.

We’ve also had a few brand-new devices disappear. Since they are in ABM with mandatory SSO for enrollment and no way to bypass it, those devices are effectively unusable.
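An added example of the extension attribute mentioned in the post above, written for this thread rather than taken from the poster. It reads each local user’s `MobileMeAccounts.plist` with `defaults read`, pulls out the `AccountID` values (the iCloud account identifiers) and returns them in the `<result>` tags Jamf expects. The plist layout (an `Accounts` array whose entries carry an `AccountID` key) is assumed from current macOS; the sample output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not the poster's EA): a Jamf extension attribute reporting the iCloud
# account signed in for each local user. Assumes each user's
# ~/Library/Preferences/MobileMeAccounts.plist holds an Accounts array with AccountID keys.

# Pull AccountID values out of the text that `defaults read ... Accounts` prints.
# Kept as a filter so the parsing can be checked against a captured sample off-box.
parse_account_ids() {
  sed -n 's/.*AccountID = "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# Constructed sample of the `defaults read` output format, used only for testing.
SAMPLE_DEFAULTS_OUTPUT='(
        {
        AccountDescription = iCloud;
        AccountID = "someone@example.com";
        LoggedIn = 1;
    }
)'

# Wrap a value in the <result> tags Jamf expects from an extension attribute script.
format_ea_result() {
  printf '<result>%s</result>\n' "$1"
}

# Walk local home folders and build "user: account" pairs; "None" when nothing is found.
collect_icloud_accounts() {
  result=""
  for home in /Users/*; do
    [ -d "$home" ] || continue
    user=$(basename "$home")
    case "$user" in Shared|Guest) continue ;; esac
    plist="$home/Library/Preferences/MobileMeAccounts.plist"
    [ -f "$plist" ] || continue
    ids=$(defaults read "$plist" Accounts 2>/dev/null | parse_account_ids | tr '\n' ',' | sed 's/,$//')
    [ -n "$ids" ] || continue
    result="${result}${result:+; }${user}: ${ids}"
  done
  printf '%s\n' "${result:-None}"
}

format_ea_result "$(collect_icloud_accounts)"
```

Because the value is collected at inventory time, it only helps for Macs that are still submitting inventory; for the ones that check in but never update inventory (the case raised in the original question) a policy that reads the same plist and writes it to the policy log is the equivalent that still works.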


I run a highly configured environment; I don’t think I have ever seen a rogue device checking in that we could not account for. Devices require authentication to enroll, and everything uses ADE. If someone got their hands on a lost device they would not be able to enroll it.

 

When a device is reported as lost or stolen I usually issue an Erase All Content and Settings command and move it to a PreStage I have for lost and stolen devices that no one has access to enroll from.

