Posted on 07-08-2024 03:38 PM
Best practice for devices that are lost/stolen?
Is it possible to create a group policy and/or a group of computers that we can select all at once and send a wipe/lock command to when each one comes online? If so, what's the best approach?
Thank you!
07-08-2024 04:33 PM - edited 07-08-2024 04:33 PM
This is usually not a bulk action. But if your devices are being lost or stolen on a regular basis, then you might need something more than a wipe. However, what you are asking can be achieved in a couple of ways.
But I think the best approach would be one by one, sending the wipe device command.
If you have the list of devices and you do not want to do them one by one, you can create an extension attribute like isStolen with Yes and No options. Then create a policy to run a script that sends the erase command via the API, set the trigger to Recurring Check-in, and scope it to computers whose isStolen attribute is true.
#!/bin/bash
# JAMF API VARIABLES
# Note: the policy deploys this script to the endpoint, so these credentials land on
# the (possibly stolen) Mac; use an account limited to the wipe-command privilege.
username="your_api_username"
password="your_api_password"
url="https://yourjamf.jamfcloud.com"   # include the scheme so curl never falls back to plain http
# This Mac's computer ID, taken from the <computer_id> element that `jamf recon` prints
deviceid=$(/usr/local/bin/jamf recon | grep 'computer_id' | sed 's/<.*>\(.*\)<\/.*>/\1/g')
# Variable declarations
bearerToken=""
tokenExpirationEpoch="0"

# Request a bearer token with basic auth and record its expiry as epoch seconds
getBearerToken() {
  response=$(curl -s -u "$username":"$password" "$url"/api/v1/auth/token -X POST)
  bearerToken=$(echo "$response" | plutil -extract token raw -)
  tokenExpiration=$(echo "$response" | plutil -extract expires raw - | awk -F . '{print $1}')
  tokenExpirationEpoch=$(date -j -f "%Y-%m-%dT%T" "$tokenExpiration" +"%s")
}

# Fetch a new token unless the current one is still valid
checkTokenExpiration() {
  nowEpochUTC=$(date -j -f "%Y-%m-%dT%T" "$(date -u +"%Y-%m-%dT%T")" +"%s")
  if [[ $tokenExpirationEpoch -gt $nowEpochUTC ]]
  then
    echo "Token valid until the following epoch time: " "$tokenExpirationEpoch"
  else
    echo "No valid token available, getting new token"
    getBearerToken
  fi
}

# Invalidate the token server-side when the script is done with it
invalidateToken() {
  responseCode=$(curl -w "%{http_code}" -H "Authorization: Bearer ${bearerToken}" "$url"/api/v1/auth/invalidate-token -X POST -s -o /dev/null)
  if [[ ${responseCode} == 204 ]]
  then
    echo "Token successfully invalidated"
    bearerToken=""
    tokenExpirationEpoch="0"
  elif [[ ${responseCode} == 401 ]]
  then
    echo "Token already invalid"
  else
    echo "An unknown error occurred invalidating the token"
  fi
}

checkTokenExpiration

# Look up this computer's managementId, which the MDM command endpoint needs
getComputerManagementId() {
  computerdevicerecord=$(curl -s -X 'GET' \
    "$url/api/v1/computers-inventory-detail/$deviceid" \
    -H 'accept: application/json' \
    -H "Authorization: Bearer $bearerToken")
  computermanagementId=$(/usr/bin/plutil -extract "general"."managementId" raw -o - - <<< "$computerdevicerecord")
  echo "Management ID: $computermanagementId"
}

getComputerManagementId

# Queue the ERASE_DEVICE MDM command for this computer
curl --request POST \
  --url "$url"/api/preview/mdm/commands \
  --header "Authorization: Bearer $bearerToken" \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --data '
{
  "clientData": [
    {
      "managementId": "'$computermanagementId'"
    }
  ],
  "commandData": {
    "commandType": "ERASE_DEVICE",
    "obliterationBehavior": "ObliterateWithWarning",
    "pin": "123456"
  }
}
'

checkTokenExpiration
invalidateToken
Bear in mind, this script only works if the device is communicating with the JSS. More info: (https://learn.jamf.com/en-US/bundle/technical-articles/page/Erase_Device_Command_Options.html)
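The posted policy script runs on the endpoint itself, so the API credentials it carries end up on every Mac in scope, including the stolen one. The same ERASE_DEVICE command can instead be issued from an admin workstation against a list of management IDs exported from the isStolen smart group. The script below is an added example, not code from the thread or from Jamf: it assumes a Jamf Pro API client (client-credentials grant at /api/oauth/token, whose role is limited to the computer wipe-command privilege) with its id and secret in the JAMF_CLIENT_ID and JAMF_CLIENT_SECRET environment variables, the placeholder hostname yourjamf.jamfcloud.com, the same /api/preview/mdm/commands endpoint and payload shape the posted script uses, and macOS plutil for JSON extraction. It validates every management ID and the PIN before anything is sent, defaults to a dry run that prints the payload and target count, and the two sample management IDs in demo_payload are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): send ERASE_DEVICE to a list of management IDs
# from an admin workstation, so no API credential has to be deployed to endpoints.
# Assumptions: a Jamf Pro API client with a role limited to the wipe-command privilege,
# credentials in JAMF_CLIENT_ID / JAMF_CLIENT_SECRET, and the preview MDM command endpoint.
set -eu

JAMF_URL="${JAMF_URL:-https://yourjamf.jamfcloud.com}"   # placeholder hostname
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print only (default); 0 = send

# A Jamf managementId is a UUID; reject anything else before it reaches the API.
is_management_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The erase PIN must be exactly six digits.
is_pin() {
  printf '%s' "$1" | grep -Eq '^[0-9]{6}$'
}

# Build the ERASE_DEVICE payload for one or more validated management IDs.
# usage: build_erase_payload PIN ID [ID...]
build_erase_payload() {
  pin="$1"; shift
  is_pin "$pin" || { echo "PIN must be six digits" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "no management IDs given" >&2; return 1; }
  ids=""
  for id in "$@"; do
    is_management_id "$id" || { echo "malformed managementId: $id" >&2; return 1; }
    ids="${ids:+$ids,}{\"managementId\":\"$id\"}"
  done
  printf '{"clientData":[%s],"commandData":{"commandType":"ERASE_DEVICE","obliterationBehavior":"ObliterateWithWarning","pin":"%s"}}' "$ids" "$pin"
}

# Count how many devices a payload targets, so the operator sees the blast radius first.
payload_target_count() {
  printf '%s' "$1" | grep -o '"managementId"' | wc -l | tr -d ' '
}

# Exchange the API client credentials for a bearer token (client-credentials grant).
get_token() {
  curl -sf -X POST "$JAMF_URL/api/oauth/token" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "client_id=$JAMF_CLIENT_ID" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_secret=$JAMF_CLIENT_SECRET" \
  | plutil -extract access_token raw -     # macOS; use `jq -r .access_token` elsewhere
}

# Send the payload, or only show it when DRY_RUN=1 (the default).
send_erase() {
  payload="$1"
  echo "Targets: $(payload_target_count "$payload") device(s)"
  if [ "$DRY_RUN" = 1 ]; then
    echo "DRY RUN, would POST to $JAMF_URL/api/preview/mdm/commands:"
    echo "$payload"
    return 0
  fi
  token=$(get_token)
  curl -sf -X POST "$JAMF_URL/api/preview/mdm/commands" \
    -H "Authorization: Bearer $token" \
    -H 'accept: application/json' -H 'content-type: application/json' \
    --data "$payload"
  echo
}

# Constructed sample: two made-up management IDs, one per line, as a smart-group
# export of isStolen=Yes computers would give you.
demo_payload() {
  sample_ids="11111111-2222-3333-4444-555555555555
66666666-7777-8888-9999-000000000000"
  # shellcheck disable=SC2086  (splitting on newlines is intended here)
  build_erase_payload 123456 $sample_ids
}

# usage: DRY_RUN=0 ./erase_stolen.sh --erase 123456 stolen_ids.txt
# stolen_ids.txt holds one managementId per line; lines starting with # are ignored.
if [ "${1:-}" = "--erase" ] && [ "$#" -eq 3 ]; then
  ids=$(grep -v '^#' "$3" | tr '\n' ' ')
  # shellcheck disable=SC2086
  payload=$(build_erase_payload "$2" $ids)
  send_erase "$payload"
fi
```

Run it once with the default DRY_RUN=1 to review the target count and payload, then again with DRY_RUN=0 to queue the command; because the token is minted per run on the admin machine and never written to a policy, a recovered endpoint yields nothing that can wipe other computers.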
Posted on 07-08-2024 05:11 PM
We move lost/stolen devices to a prestage that cannot complete enrollment. The main reason being that the devices must be managed to receive commands, so they will constantly be burning a Jamf license in the possible event that the device ever comes online to receive the MDM command and that the MDM profile on the device has not expired, causing the device to ignore the command. Also, you don't want to automate something like wiping a device; the blast radius of that is pretty high.
07-09-2024 08:19 AM - edited 07-09-2024 11:40 AM
Hi AJPinto, out of curiosity what settings did you have to configure in the prestage for it to fail the enrollment?