Feature Request - Device Buyer Protection

tanny
New Contributor

Hello all,

How does Jamf software address this issue? How are end users protected when an IT department sells their old Macs, but doesn't remove their MDM profiles before doing so? I'm the unfortunate buyer of such a machine, and am thus forced to learn about this.

Typically when you buy a used Mac you can just wipe it clean and start over from scratch, no worries. This is different though, as I'm sure you know.

I'm experiencing MDM profiles as a persistent deadly virus I have no control over. Strangers on the other side of the country can erase my Mac at any time. And there's nothing I can do but beg them for release and hope they some day comply. There's no point in setting up the machine, and I can't even in good conscience sell it.

I'm not blaming Jamf. I'm just trying to understand if this issue has been considered and remedied in some manner. Thank you for any discussion.

3 REPLIES

MacSysAdmin
Contributor

Do you have your receipt from the authorized reseller? You should be able to go to the company that owns it with that information and ask them to release the device. It sounds like the device you purchased is DEP enrolled. It will need to be released from that in order for you to be able to claim it as yours.

This is not a JAMF issue. This is a reseller issue. End users are not protected when buying an item second hand unless it is from an authorized reseller.

blackholemac
Valued Contributor III

That is a hard challenge that goes beyond JAMF up to the Apple level. There are two sides to that equation really. I will speak to the other side of what you laid out, but also wax on about what could be done at the end:

The flip side of your argument is this story from our organization: We buy all of our iPads/Macs straight from Apple and DEP serves as a small piece of a security tool. Without that, I don't know whether some items from our fleet are stolen or not. DEP is to us a supply chain tool. We had one iPad we couldn't locate for two years that we found when the buyer of it purchased it on eBay in ANOTHER STATE ON THE OTHER SIDE OF THE COUNTRY!! It came up asking to be enrolled in our MDM. We worked with our local police and the out of state buyer and came to a mostly happy ending though I feel bad for the poor guy who bought it having to lose what he bid on stolen property. DEP is what supplies our MDM profile. Without it, I lose one piece of my security. Not all of it, but one piece. For all you know, your seller of Apple equipment could be selling stuff that belongs to someone else. That being said, room for improvement is always there.

The answer to this quandary is twofold:

  1. Organizations need to have ESTABLISHED discharge procedures of equipment that they have formally decommissioned. In our school district, the ONLY way someone gets their iPad dismissed from DEP (and MDM by extension) is to present a receipt to our department showing they purchased the device from an authorized school district official or in the case of an insurance company who has cut us a check for a defective device, they have to show proof that a check has been received by us. Only then, will we take the very nuclear step of removing a device from our DEP. That is how we work, but every org that uses the DEP responsibly MUST have some kind of established equipment discharge procedure. Ask your seller what theirs are and where they source what they are selling you.

  2. As a safety valve, Apple should have some kind of procedure that an end user/organization can use in the event that such discharge procedures aren't followed. For instance, if someone can show Apple a receipt that they purchased the device legitimately from the original owner, then Apple should have an override. This should not necessarily be an easy process (much akin to their procedure for organizations to remove activation lock on corporate fleets...a slow one).

I would love to take part in a discussion on this topic as I do very much see the value on DEP for both Macs and iOS devices.

michael_devins
Contributor II

Only the organization that holds institutional ownership of this Mac can disown it. Unfortunately, Jamf does not play any role in this process. Even if this institution was no longer using Jamf to manage devices, the Mac could still get in an enrollment loop with Apple's Device Enrollment Program. It truly is all about this device record living inside of the organization's Device Enrollment Program registry.

In your case, your best bet would be to contact the original institution that has since sold the Mac. That institution can submit any serial numbers no longer owned by the institution through Apple's portal to relinquish ownership. By disowning the Mac, you should be able to erase it without having it come back under management.

If that's not successful, you may wish to explore returning the Mac due to these unique circumstances, if that's at all a possibility.