Block Users/Admins from wiping computer

New Contributor

Hi there,

I am looking for any insight or direction to block users from wiping their computers. Currently we have a department that likes to take it upon themselves to wipe their computers and start fresh whenever they run into a problem, which results in JAMF being removed and the machine no longer reporting back. I've blocked Disk Utility through Restricted Software but realize this is not the solution.

Any help with knowing how to block them from doing a net boot or recovery would be greatly appreciated. Thanks for any help.


New Contributor III

You will want to enforce an EFI password on the machine! This is done via a policy and is best scoped out to hit the machine just after it is enrolled into your Jamf instance for the first time.

That way when the users decide to be a major PITA, they won't be able to boot into Internet Recovery or a bootable USB drive without knowing the password.

Then they have to come to you, probably looking very sheepish at having to explain why they can't use their machine...

Valued Contributor

EFI password should be mandatory. Literally no reason to not have it on every single Mac.

Honored Contributor III

If you're a fan of EFI passwords be aware that they are not supported on Apple Silicon Macs.

Valued Contributor II

From my side, I would enroll these in DEP and make sure that you have your Pre-Stage ready to go. Let them nuke them whenever they like. They will always be reconfigured and report back after the fact. They may even be happier!

Valued Contributor

^ The real answer.

Valued Contributor

As @sdagley said, firmware passwords are not supported on Apple Silicon. If this is a feature you want or need in your environment, PLEASE contact your Apple rep, file feedback, and open an enterprise support case if you have that.
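An added example, not part of the thread and not Jamf's own code: a Jamf extension attribute script that reports whether the firmware password discussed above is actually set, so unprotected Intel Macs and Apple Silicon Macs (where it is unsupported) show up in inventory. The function names are hypothetical; it assumes `firmwarepasswd -check` prints `Password Enabled: Yes` or `Password Enabled: No` and that the script runs as root, as Jamf scripts do.

```shell
#!/bin/bash
# Extension attribute: firmware (EFI) password state.

# Classify the state from the CPU architecture and the text printed by
# `firmwarepasswd -check`. Both are passed in so the logic can be checked
# against constructed input on any machine.
fw_password_state() {
    arch="$1"
    check_output="$2"
    case "$arch" in
        arm64) echo "Unsupported (Apple Silicon)"; return 0 ;;
    esac
    case "$check_output" in
        *"Password Enabled: Yes"*) echo "Enabled" ;;
        *"Password Enabled: No"*)  echo "Disabled" ;;
        *)                         echo "Unknown" ;;
    esac
}

# Gather the real values on the Mac and print them in the <result> form
# that Jamf Pro reads from an extension attribute script.
report() {
    arch="$(uname -m)"
    # Under Rosetta uname reports x86_64, so also ask the kernel directly.
    if [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]; then
        arch="arm64"
    fi
    out=""
    if [ "$arch" != "arm64" ] && [ -x /usr/sbin/firmwarepasswd ]; then
        out="$(/usr/sbin/firmwarepasswd -check 2>/dev/null || true)"
    fi
    echo "<result>$(fw_password_state "$arch" "$out")</result>"
}

report
```

A smart group on the value `Disabled` can then scope the policy that sets the password, and one on `Unsupported (Apple Silicon)` identifies the machines that depend on automated enrollment instead.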