BYOD "Remote Lock" functionality question

ysdevgan
New Contributor III

Good day,
In our environment, there is a distribution group, if a user is part of that group he/she can use user-initiated option to enroll MacBook. Some users are using this option to enroll their personal devices. We were planning to use "Remote Lock" option under management commands in Jamf portal for devices that are not owned by our organization. My question is since these are not owned by us what will happen to data on device if users gets it unlocked from apple or apple authorized store. These devices are FV2 encrypted. I would appreciate your thoughts on this.
Cheers!

1 ACCEPTED SOLUTION

Tribruin
Valued Contributor II

Ok, it sounds like you have two goals here that may not require the same approach. Locking a (corporate-owned) computer if it is lost or stolen is a valid use.

But, preventing users from enrolling a personal device is probably better handled by properly managing your enrollment process. Ideally you could limit enrollment to Automated Enrollment (DEP). Or, limit enrollment to specific users (i.e. IT) and have them enroll the computers.

Finally, I think there is an argument that if users are enrolling personal devices, a proper Acceptable Use Policy is required and then it becomes an HR/Manager issue and not an IT issue.

View solution in original post

8 REPLIES 8

Tribruin
Valued Contributor II

Assuming they have already can boot, login, and unlock the FV2 encryption, they will be able to do the same once the remote lock is removed.

Why would you want to lock a personal computer? You are risking bricking a personal device of an employee. What are you trying to accomplish? If security is important enough to lock a user out of a computer, then the use of BYOD is probably not appropriate.

ysdevgan
New Contributor III

@RBlount Thanks for your response.
Users won't be able unlock unless we share remote login PIN with them. You are right once they are able to login then they can boot, login, and unlock the FV2 encryption therefore this might not be a good option.
We want to lock a personal computer to give a warning so that users should only use devices provided by company.

My goal is to protect company data in case device is stolen or lost and at the same find a solution/process that stops users to enroll personal devices.

Tribruin
Valued Contributor II

Ok, it sounds like you have two goals here that may not require the same approach. Locking a (corporate-owned) computer if it is lost or stolen is a valid use.

But, preventing users from enrolling a personal device is probably better handled by properly managing your enrollment process. Ideally you could limit enrollment to Automated Enrollment (DEP). Or, limit enrollment to specific users (i.e. IT) and have them enroll the computers.

Finally, I think there is an argument that if users are enrolling personal devices, a proper Acceptable Use Policy is required and then it becomes an HR/Manager issue and not an IT issue.

ysdevgan
New Contributor III

That totally makes sense to me. For break/fix scenarios we are allowing users (who have MacBook assigned to them) to re-enroll devices which I believe is a loophole.

DEP was configured and is currently working without any issue. We have devices in multiple countries. Some regions still waiting for suppliers to onboard existing purchased devices. Will provide feedback to my team on this.

I would like to thank you for taking a time to reply and provide some guidance on this. Have a great day!

cwaldrip
Valued Contributor

If we've lost the PIN (device was removed from Jamf because we'd put it in our recycle pile) how can we get it unlocked. I've contacted AppleCare Enterprise Support thinking it was an activation lock... but they say the Activation Lock isn't enabled on the machine.

ysdevgan
New Contributor III

@cwaldrip, JAMF support should be able to get device PIN for you if it was pushed using JAMF. We had similar situation, then we figured out the log flushing was set to 1 week which we changed to 6 months. This will keep management command history for 6 months.
a8b0a0b67ea4437399afa79e3f6af35e

cwaldrip
Valued Contributor

@yadwinder.devgan do you think they can recover it if the machine is no longer in our Jamf? Once it goes on the recycle pile we delete it... :-

ysdevgan
New Contributor III

@cwaldrip This is a tricky one. I would lodge a ticket with JAMF to get an answer for this.