Anyone using the M1 "Set Recovery Lock" Command

GabeShack
Valued Contributor III

Hey all,

Has anyone started using the new command in 11.5 as shown here:

https://developer.apple.com/documentation/devicemanagement/set_recovery_lock_command

It looks like it's been set up on Apple's side, but I don't see any documentation in the Jamf Admin guide related to it? Looks like this is the closest we will get to having a firmware password on M1s.

Gabe Shackney
Princeton Public Schools
15 REPLIES

boberito
Valued Contributor

Not supported by Jamf...yet.

GabeShack
Valued Contributor III

Is this in the next beta or should I be making a feature request?

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Looks like it's in the 2nd Beta of 10.32 so hopefully hits soon.

Gabe Shackney
Princeton Public Schools

Can this Set Recovery Lock Command be used in Jamf 10.4.2 version? Thanks 😁

AJPinto
Honored Contributor III

No, not a chance in heck. The MDM command was not added for years after the release of 10.4.

If you are seriously still running JAMF 10.4, it's time to do some deep thinking and considerations on the viability of managing your Mac environment.

taochunhua
New Contributor II

If I upgrade to 10.42.1, can I use the no mdm command or not? 😭

cboatwright
New Contributor III

So much for zero-day feature implementations - we hounded Apple for this addition, they rushed it into a patch, and yet we still have no way of utilizing...

I think what they mean by zero day support is that jamf works on the platform same day. They’ve never said zero day feature I believe. There’s feature requests going back 3-4 years for things Apple has supported that aren’t in jamf.

AJPinto
Honored Contributor III

Zero-day feature implementations is just a sales pitch. It typically takes JAMF 3-6 months to fully support something new Apple implements. It is extremely common for JAMF to take 5+ years to add new functions (softwareupdate MDM commands anyone?).

Even nearly 3 months later JAMF is still having issues with DeviceLockAndRemovePasscode. I will not even try to implement this until mid to late 1st quarter next year. Let the kinks get sorted out.

dep
New Contributor II

Here is how you can set the recovery lock key for Jamf computers - https://github.com/shbedev/jamf-recovery-lock

ele_hache
New Contributor

Dep,

I was able to adapt and use your code and it does set a recovery code. However, I'm noticing that it won't enable the recovery lock. That is, under the device's Security tab in JAMF you can see that the security lock password is set, but right above it where it says 'Recovery Lock' it says 'Not Enabled'.

I couldn't find in the API documentation what's the method used to enable or enforce a recovery lock. Do you have this information?

EDIT: After more reading on this it looks like the recovery lock status should change to Enabled after the next inventory collection. I'll wait.

L-plateAdmin
Contributor

I've been able to make my own bash script to set this up using two curls so I can have this as a build item. Annoyingly, getting a Forbidden result even with "Send Set Recovery Lock Command" enabled on our API account. Anyone know what other perms might be needed? We only have a few permissions set, as we only really use the API for one or two items.

Just in case anyone is wondering, I realised I was missing the below perms:

Endpoint: /preview/mdm/commands
Operation: post
Privilege Requirements: View MDM command information in Jamf Pro API
Deprecation Date: N/A

/preview/mdm/commands post: This command is deprecated, no?? 😱😱😱
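
The two-curl approach discussed in this thread, sketched as an added example (not code from any poster or from the linked repository). The variables JAMF_URL, JAMF_USER, JAMF_PASS and MDM_PATH, every function name, the `/api/v1/auth/token` path, the `/api` prefix and the JSON field names are assumptions to check against your own server's API reference; the recovery password is read from stdin so it never appears in a process listing.

```shell
#!/usr/bin/env bash
# Added example: token request, then a SET_RECOVERY_LOCK MDM command.
# Assumed (not from the thread): env var names, function names, JSON field names.

# Escape backslashes and double quotes so a password cannot break the JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Build the request body for one computer's managementId (args: id, password).
recovery_lock_payload() {
  printf '{"clientData":[{"managementId":"%s"}],' "$(json_escape "$1")"
  printf '"commandData":{"commandType":"SET_RECOVERY_LOCK","newPassword":"%s"}}' \
    "$(json_escape "$2")"
}

# Pull the bearer token out of the auth response without needing jq.
extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map the HTTP status to a hint; 403 is the Forbidden case reported in the thread.
explain_status() {
  case "$1" in
    2??) echo "ok" ;;
    401) echo "token rejected or expired" ;;
    403) echo "forbidden: API account needs 'Send Set Recovery Lock Command' and 'View MDM command information in Jamf Pro API'" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# usage: set_recovery_lock <managementId>   (recovery password on stdin)
set_recovery_lock() {
  local mgmt_id="$1" password token status
  IFS= read -r password
  # curl 1: exchange the API account's credentials for a bearer token.
  token=$(curl -s -X POST -u "$JAMF_USER:$JAMF_PASS" "$JAMF_URL/api/v1/auth/token" | extract_token)
  [ -n "$token" ] || { echo "no token returned" >&2; return 1; }
  # curl 2: send the command; the body arrives on stdin, not on the command line.
  # MDM_PATH overrides the preview endpoint named in the thread if your server has moved it.
  status=$(recovery_lock_payload "$mgmt_id" "$password" |
    curl -s -o /dev/null -w '%{http_code}' -X POST \
      -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
      --data-binary @- "$JAMF_URL${MDM_PATH:-/api/preview/mdm/commands}")
  explain_status "$status"
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}

# Only talks to a server when explicitly invoked as: script.sh send <managementId>
if [ "${1:-}" = "send" ]; then set_recovery_lock "$2"; fi
```

As noted earlier in the thread, the Recovery Lock status shown in Jamf only changes to Enabled after the next inventory collection.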