Posted on 08-19-2022 12:13 PM
Is there a way to put a macOS device into Lost Mode so it can provide the location of the device? Similar to what is available for iOS devices within Management.
I do not see that feature under Management for macOS devices.
08-19-2022 12:41 PM - edited 08-19-2022 12:42 PM
and:
To do this for individual devices, or for more than one device, use an advanced search that targets the device's name, save it, and then run the remote commands on the results.
Thanks.
08-22-2022 08:17 AM - edited 08-22-2022 08:20 AM
macOS currently does not have a Lost Mode feature like the one that currently exists on iPads. You can lock the computer as described above, but that is a firmware lock for Intel devices (it does not work on M1, as they do not have EFI), which also prevents the device from communicating back to your MDM and reporting its IP address.
I have a geolocation extension attribute that gets a rough estimate of where the device is (at least what region the IP address is located in):
#!/bin/sh
# Public IP of the device: checkip.dyndns.org returns a small HTML page, so
# pull the first dotted quad out of it.
myIP=$(curl -L -s --max-time 10 http://checkip.dyndns.org | grep -E -o -m 1 '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}')
# ip-api takes the address in the path and the field list in the query string
# (the free tier is HTTP only); the CSV comes back as country,city,lat,lon.
myLocationInfo=$(curl -L -s --max-time 10 "http://ip-api.com/csv/${myIP}?fields=country,city,lat,lon")
echo "<result>$myLocationInfo</result>"
As far as locking the computer goes, I implemented a DEPNotify script in our environment that displays a full-screen message to the user stating that they need to return the device. This lets the computer continue reporting its location to Jamf, but prevents the user from using the device. It's a policy scoped to devices I have identified as needing to be returned. If they figure out how to disable DEPNotify, the policy runs on check-in and login, so it will nag them. Based on the script provided by https://montysmacmusings.wordpress.com/2018/10/25/depnotify-makes-a-great-user-nag-screen/
#!/bin/bash
# generic depnotify cover screen
# Policy parameters 4-7 carry the title, body text, status line and image
# shown on the full-screen nag.
screenTitle="${4}"
screenMainTextIn="${5}"
screenInitialstatus="${6}"
screenIcon="${7}"
DepNotifyWorkingDir="/var/tmp/"
DepNotifyApp="/Applications/Utilities/DEPNotify.app"
#######################################
# check depnotify actually installed. #
# install if not                      #
#######################################
if [ ! -d "$DepNotifyApp" ]; then
    echo "installing DEPNotify"
    # separate on-demand policy that carries the DEPNotify package
    jamf policy -event install-depnotify
    if [ -d "$DepNotifyApp" ]; then
        echo "***** installed DEPNotify"
    else
        echo "***** install failed! Exiting as pointless running"
        exit 1
    fi
else
    echo "DEPNotify is installed already"
fi
# check user is logged in: wait until the Dock (a per-user GUI process) exists
dockStatus=$(pgrep -x Dock)
while [[ "$dockStatus" == "" ]]; do
    sleep 5
    dockStatus=$(pgrep -x Dock)
done
# the owner of /dev/console is the user at the GUI
loggedInUser=$(/usr/bin/stat -f '%Su' /dev/console)
#################################
resetDEPNotify () {
    # clear state from any earlier run so the new message is shown fresh
    rm -f "$DepNotifyWorkingDir"depnotify.log
    rm -f "$DepNotifyWorkingDir"DEPNotify.plist
    rm -f "$DepNotifyWorkingDir"com.depnotify.agreement.done
    rm -f "$DepNotifyWorkingDir"com.depnotify.registration.done
    rm -f "$DepNotifyWorkingDir"com.depnotify.provisioning.done
    sudo -u "$loggedInUser" defaults delete menu.nomad.DEPNotify 2>/dev/null
}
initialise_DEPNotify_Settings () {
    # DEPNotify reads its commands from the log file in the working directory
    {
        echo "Command: MainTitle: $screenTitle"
        echo "Command: MainText: $screenMainTextIn"
        echo "Status: $screenInitialstatus"
        echo "Command: Image: $screenIcon"
        echo "Command: DeterminateManual: 1"
    } >> "$DepNotifyWorkingDir"depnotify.log
}
displayMessage () {
    # run as the console user so the window appears in their GUI session
    sudo -u "$loggedInUser" "$DepNotifyApp/Contents/MacOS/DEPNotify" -fullScreen
}
####################################################
resetDEPNotify
initialise_DEPNotify_Settings
displayMessage
Just fill in the parameters 4-7 in the policy with the information you would like to display in the message.
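A hardened version of the geolocation extension attribute from the post above, as an added example that is not part of the original thread. It keeps the same two services (checkip.dyndns.org and ip-api.com) but validates the IP it extracts, checks the ip-api status field, and always emits a result, so a device that is offline, behind a captive portal, or blocked from those services shows up in Jamf as "Unknown" rather than with a blank attribute. The function names are mine, and the sample HTML and CSV responses are constructed to exercise the parsing offline.

```shell
#!/bin/sh
# Hardened geolocation extension attribute (added example, not from the thread).
# Same two services as the original EA; function names and sample data are mine.

# Constructed sample responses, used only to exercise the parsing offline.
SAMPLE_CHECKIP_HTML='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.7</body></html>'
SAMPLE_IPAPI_CSV='success,United States,Ashburn,39.0438,-77.4874'

# checkip.dyndns.org answers with a small HTML page; take the first dotted quad in it.
extract_ipv4() {
    printf '%s\n' "$1" | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Accept only four dot-separated decimal octets in 0-255 (a proxy or captive
# portal can hand back HTML with no address in it at all).
valid_ipv4() {
    ip=$1
    printf '%s\n' "$ip" | grep -E -q '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip-api CSV for fields=status,country,city,lat,lon. Returns a normalised
# "country, city (lat, lon)" string, or nothing (status 1) on a failed lookup.
parse_location_csv() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 5 ] && [ "$1" = "success" ] || return 1
    printf '%s\n' "$4" | grep -E -q '^-?[0-9]+(\.[0-9]+)?$' || return 1
    printf '%s\n' "$5" | grep -E -q '^-?[0-9]+(\.[0-9]+)?$' || return 1
    printf '%s, %s (%s, %s)' "$2" "$3" "$4" "$5"
}

# Always emit exactly one <result>, so an offline or blocked device shows up
# in Jamf as "Unknown" instead of with a blank attribute.
ea_result() {
    location=$(parse_location_csv "$1") || location=""
    if [ -n "$location" ]; then
        printf '<result>%s</result>\n' "$location"
    else
        printf '<result>Unknown (lookup failed)</result>\n'
    fi
}

# Live lookup. ip-api's free tier is plain HTTP and unauthenticated, so treat
# the answer as a hint about the egress network, not as evidence of location.
geolocate() {
    raw=$(curl -L -s --max-time 10 http://checkip.dyndns.org 2>/dev/null) || raw=""
    ip=$(extract_ipv4 "$raw")
    if ! valid_ipv4 "$ip"; then
        printf '<result>Unknown (no public IP)</result>\n'
        return 0
    fi
    csv=$(curl -L -s --max-time 10 "http://ip-api.com/csv/${ip}?fields=status,country,city,lat,lon" 2>/dev/null) || csv=""
    ea_result "$csv"
}

geolocate
```

Deployed as an extension attribute with the String data type, the value reads as "United States, Ashburn (39.0438, -77.4874)" for the constructed sample, and as one of the two "Unknown" strings when either request fails, which makes a smart group on "Unknown" a quick way to spot devices that have stopped reporting a usable location. The lookup resolves the device's egress address, so a VPN or corporate proxy will place the Mac at the VPN or proxy, not at the user.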
Posted on 08-22-2022 11:39 AM
This is what I am looking for. Thanks for the info
Posted on 08-22-2022 02:20 PM
Very interesting, I will test and check it out. Thank you for sharing.
Posted on 08-22-2022 03:30 PM
It does utilize a separate policy to install DEPNotify if it isn't already installed. I uploaded the package to Jamf and created an on-demand policy call for it in the script, but it's just as easy to include the package as part of the actual script policy or have the script curl DEPNotify down directly from the internet.
Posted on 09-01-2022 08:55 AM
Geolocation seems to work very well for our Monterey fleet, just wanted to say. I am looking at testing the other portion.