Block Users/Admins from wiping computer
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on
12-04-2020
08:27 AM
- last edited on
03-04-2025
04:43 AM
by
kh-richa_mig
Hi there,
I am looking for any insight or direction to block users from wiping their computers. Currently we have a department that likes to take it upon themselves to wipe their computers and start fresh whenever they run into a problem which results in JAMF being removed and no longer reports back. I've blocked Disc Utility through Restricted Software but realize this is not the solution.
Any help with knowing how to block them from doing a net boot or recovery would be greatly appreciated. Thanks for any help

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 08:31 AM
You will want to enforce an EFI password on the machine! This is done via a policy and is best scoped out to hit the machine just after it is enrolled into your Jamf instance for the first time.
That way when the users decide to be a major PITA, they wont be able to boot into Internet Recovery or a bootable USB drive without knowing the password.
Then they have to come to you, probably looking very sheepish at having to explain why they can't use their machine.....

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 08:39 AM
EFI password should be mandatory. Literally no reason to not have on every single Mac.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 08:42 AM
If you're a fan of EFI passwords be aware that they are not supported on Apple Silicon Macs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 10:37 AM
From my side, I would enroll these in DEP and make sure that you have your Pre-Stage ready to go. Let them nuke them whenever they like. They will always be reconfigured and report back after the fact. They may even be happier!

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 10:38 AM
^ The real answer.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-04-2020 10:51 AM
As @sdagley said, firmware passwords are not supported on Apple Silicon. If this is a feature you want or need in your environment, PLEASE contact your Apple rep, file feedback, and open an enterprise support case if you have that.
