Can you create a group of computers that are lost/stolen to WIPE and LOCK when they come online?

EmPIr3
New Contributor

Best practice for devices that are lost/stolen?

Is it possible to create a group policy and/or a group of computers that we can select all at once and send a wipe/lock command to when they come online? If so, what's the best approach?

Thank you!


A_Collins
Contributor

This is usually not a bulk action. But if your devices are being lost or stolen on a regular basis, then you might need something more than a wipe. However, what you are asking can be achieved in a couple of ways.

But I think the best approach would be one by one, sending the wipe device command.

If you have the list of devices and you do not want to do them one by one, you can create an extension attribute like isStolen with Yes and No options. Then create a policy that runs a script to send the erase command via the API, set the trigger to Recurring Check-in, and scope it to computers whose isStolen attribute is true.


#!/bin/bash

# NOTE: this script runs on the (possibly stolen) Mac itself, so the API
# credentials below end up on that machine. Use a dedicated, least-privilege
# API account that can do nothing beyond what this script needs.
#JAMF API VARIABLES
username="your_api_username"
password="your_api_password"
url="https://yourjamf.jamfcloud.com"

# Computer ID of this Mac, taken from the <computer_id>NNN</computer_id>
# line that the local jamf binary prints during recon
deviceid=$(/usr/local/bin/jamf recon | grep 'computer_id' | sed 's/<.*>\(.*\)<\/.*>/\1/g')
if [[ -z "$deviceid" ]]; then
	echo "Could not determine computer ID from jamf recon; aborting"
	exit 1
fi

#Variable declarations
bearerToken=""
tokenExpirationEpoch="0"

getBearerToken() {
	# Exchange the basic-auth credentials for a short-lived bearer token
	response=$(curl -s -u "$username":"$password" "$url"/api/v1/auth/token -X POST)
	bearerToken=$(echo "$response" | plutil -extract token raw -)
	tokenExpiration=$(echo "$response" | plutil -extract expires raw - | awk -F . '{print $1}')
	tokenExpirationEpoch=$(date -j -f "%Y-%m-%dT%T" "$tokenExpiration" +"%s")
}

checkTokenExpiration() {
	nowEpochUTC=$(date -j -f "%Y-%m-%dT%T" "$(date -u +"%Y-%m-%dT%T")" +"%s")
	if [[ "$tokenExpirationEpoch" -gt "$nowEpochUTC" ]]
	then
		echo "Token valid until the following epoch time: " "$tokenExpirationEpoch"
	else
		echo "No valid token available, getting new token"
		getBearerToken
	fi
}

invalidateToken() {
	responseCode=$(curl -w "%{http_code}" -H "Authorization: Bearer ${bearerToken}" "$url"/api/v1/auth/invalidate-token -X POST -s -o /dev/null)
	if [[ ${responseCode} == 204 ]]
	then
		echo "Token successfully invalidated"
		bearerToken=""
		tokenExpirationEpoch="0"
	elif [[ ${responseCode} == 401 ]]
	then
		echo "Token already invalid"
	else
		echo "An unknown error occurred invalidating the token"
	fi
}

checkTokenExpiration


getComputerManagementId() {
	# The MDM command endpoint addresses devices by managementId, not computer ID
	computerdevicerecord=$(curl -s -X 'GET' \
		"$url/api/v1/computers-inventory-detail/$deviceid" \
		-H 'accept: application/json' \
		-H "Authorization: Bearer $bearerToken")
	computermanagementId=$(/usr/bin/plutil -extract "general"."managementId" raw -o - - <<< "$computerdevicerecord")
	echo "Management ID: $computermanagementId"
}

getComputerManagementId

# Never send ERASE_DEVICE with an empty managementId
if [[ -z "$computermanagementId" ]]; then
	echo "No management ID found for computer $deviceid; not sending erase command"
	invalidateToken
	exit 1
fi

# Send the ERASE_DEVICE MDM command for this device
curl --request POST \
	--url "$url"/api/preview/mdm/commands \
	--header "Authorization: Bearer $bearerToken" \
	--header 'accept: application/json' \
	--header 'content-type: application/json' \
	--data '
{
"clientData": [
{
"managementId": "'"$computermanagementId"'"
}
],
"commandData": {
"commandType": "ERASE_DEVICE",
"obliterationBehavior": "ObliterateWithWarning",
"pin": "123456"
}
}
'

checkTokenExpiration
invalidateToken

Bear in mind, this script only works if the device is communicating with the JSS. More info: https://learn.jamf.com/en-US/bundle/technical-articles/page/Erase_Device_Command_Options.html
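The script in the reply above runs on the computer being wiped, which means the API username and password travel with the machine you have lost. As an added example (not from the post, and not Jamf's own code), here is the same sequence of calls (bearer token, inventory-detail lookup, ERASE_DEVICE via /api/preview/mdm/commands, token invalidation) issued from an admin workstation with only the Python standard library. Because `clientData` on that endpoint is a list, the bulk wipe the question asks about is one request over an explicit list of computer IDs. The hostname, account, computer IDs and the `fake_jamf` responses are constructed placeholders; the default is a dry run that returns the payload for review rather than sending it.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# transport(method, url, headers, body) -> (status, raw_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def erase_payload(management_ids: Iterable[str], pin: str = "123456",
                  behavior: str = "ObliterateWithWarning") -> dict:
    """Body for POST /api/preview/mdm/commands; clientData is a list, so one
    request can target every device on the stolen list."""
    return {
        "clientData": [{"managementId": m} for m in management_ids],
        "commandData": {
            "commandType": "ERASE_DEVICE",
            "obliterationBehavior": behavior,
            "pin": pin,
        },
    }


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport for production use (not exercised offline)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class JamfClient:
    def __init__(self, base_url: str, username: str, password: str,
                 transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self._basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self._transport = transport
        self.token = ""

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              basic_auth: bool = False):
        headers = {"accept": "application/json"}
        headers["Authorization"] = ("Basic " + self._basic) if basic_auth else ("Bearer " + self.token)
        data = None
        if body is not None:
            headers["content-type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self._transport(method, self.base_url + path, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return json.loads(raw) if raw else {}

    def login(self) -> None:
        self.token = self._call("POST", "/api/v1/auth/token", basic_auth=True)["token"]

    def management_id(self, computer_id: int) -> str:
        rec = self._call("GET", f"/api/v1/computers-inventory-detail/{computer_id}")
        return rec["general"]["managementId"]

    def erase(self, computer_ids: Iterable[int], dry_run: bool = True):
        """Resolve computer IDs to management IDs and send ONE bulk ERASE_DEVICE.
        dry_run (the default) returns the payload instead of sending it."""
        payload = erase_payload([self.management_id(c) for c in computer_ids])
        if dry_run:
            return payload
        return self._call("POST", "/api/preview/mdm/commands", body=payload)

    def logout(self) -> None:
        self._call("POST", "/api/v1/auth/invalidate-token")
        self.token = ""


def fake_jamf(method, url, headers, body):
    """Constructed stand-in for a Jamf Pro server so the example runs offline;
    response shapes are illustrative, not copied from Jamf documentation."""
    path = url.split("/api", 1)[1]
    if path == "/v1/auth/token":
        return 200, b'{"token": "t0k", "expires": "2030-01-01T00:00:00.000Z"}'
    if headers.get("Authorization") != "Bearer t0k":
        return 401, b""
    if path.startswith("/v1/computers-inventory-detail/"):
        cid = path.rsplit("/", 1)[1]
        return 200, json.dumps({"general": {"managementId": f"mgmt-{cid}"}}).encode()
    if path == "/preview/mdm/commands":
        return 201, json.dumps([{"id": "cmd-1"}]).encode()
    if path == "/v1/auth/invalidate-token":
        return 204, b""
    return 404, b""


if __name__ == "__main__":
    STOLEN = [101, 102]  # constructed list of Jamf computer IDs kept outside Jamf
    c = JamfClient("https://yourjamf.jamfcloud.com", "api_user", "api_pass", transport=fake_jamf)
    c.login()
    print(json.dumps(c.erase(STOLEN, dry_run=True), indent=2))  # review before a real run
    c.logout()
```

Swap `fake_jamf` for the default `urllib_transport` and pass `dry_run=False` only after you have checked the printed payload; a mistyped computer ID here erases the wrong machine just as surely as a mis-scoped policy would.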

AJPinto
Honored Contributor III

We move lost/stolen devices to a prestage that cannot complete enrollment. The main reason being that the devices must be managed to receive commands, so they will constantly be burning a Jamf license in the possible event that the device ever comes online to receive the MDM command and that the MDM profile on the device has not expired, causing the device to ignore the command. Also, you don't want to automate something like wiping a device; the blast radius of that is pretty high.

Hi AJPinto, out of curiosity, what settings did you have to configure in the prestage for it to fail the enrollment?