Hackintosh Enrollment Mitigation - Suggestions

Contributor II

Looking for advice / developing hackintosh mitigation.

It does not appear to be that common with us, but we are dealing with the second known one that enrolled in Jamf, due to using one of the SNs of in-production machines.

Has anyone developed any good Extension(s) or Smart Group(s) for detecting or flagging potential hackintosh machines? Been messing around with Processor type is null / blank.

Also curious, if the hackintosh is outside of your reach (for example, in another country), how you decided to try and deal with it if Jamf can still manage it.


Contributor III

I'll bet this is a rare and uniquely challenging problem to have! Perhaps your best bet is to add to your Computer Management > Inventory Collection's Software tab the common directories that the various hackintosh-based bootloaders use? However, you're opening yourself up to a game of whack-a-mole.


Since the Hackintosh breaks Apple's EULA, I would report this to your leadership and have them enforce this as a policy for all employees. I'd also suggest having regular hardware inventory audits so that this couldn't happen again. If that end-user has the means to create a Hackintosh, they are able to circumvent any policy you enforce to keep them compliant with your company's policies. This could put your organization in hot water when it comes to compliance, especially regarding software.

Check Section 2 part I --> Apple Software License Agreement

Contributor II

@Sims_ Agree, if it was done by an employee employed by the organization, I'd sic infosec on them.
This case was done by some random person in another country, outside the organization, who just happened to guess one of our Serial Numbers.


@jstillio Wow! That's crazy. The only thing I can think to do if I were in your shoes would be to reach out to your Apple TAM and see if they can give some suggestions.

Valued Contributor

@jstile I'd suggest putting some authentication on your PreStage enrollment with LDAP or Enrollment Customization (SSO) to further prevent enrollments by any unknown users.

Contributor II

Sorry for the delay.

@txhaflaire - The ability to create an account was disabled from the setup wizard. The machine is renamed and bound to AD. However, did notice they installed an older 10.13 version of macOS.

Here are some of the strategies we've implemented / used that appeared to dissuade them from using our SN.

- Applied a crazy locked-down profile; it was in Supervised state.
- Created policies which deleted the initial software that was pushed down to the hackintosh via the Jamf cloud distro.

For detection, here are some things we used / implemented.

Smart Groups that help us ID a potential hackintosh
- Lab Devices that are reporting "Last Reported IP (like) 192.168" - (We do have non-lab devices being used at home due to Covid)
- Any device showing GitHub Clover software App
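
The three signals mentioned in this thread (blank processor type, a lab device reporting from a 192.168 address, a Clover app in the inventory) can also be checked offline against an inventory export. The script below is an added example, not part of the thread and not Jamf's own code; the pipe-delimited row layout, the placeholder serials, the function names and the match on "clover" in the app name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Row layout and sample rows are constructed.

# flag_signals PROCESSOR_TYPE LAST_IP IS_LAB APPS
# Prints a comma-separated list of the thread's signals that match, or "none".
flag_signals() (
    cpu=$1 ip=$2 is_lab=$3 apps=$4 hits=""
    # Signal 1: processor type is null / blank (whitespace-only counts as blank).
    if [ -z "$(printf '%s' "$cpu" | tr -d '[:space:]')" ]; then
        hits="${hits}blank-processor,"
    fi
    # Signal 2: a lab device whose last reported IP is like 192.168.
    # Non-lab devices are skipped: the thread notes some are legitimately at home.
    if [ "$is_lab" = "yes" ]; then
        case "$ip" in
            192.168.*) hits="${hits}lab-on-192.168," ;;
        esac
    fi
    # Signal 3: any inventoried application whose name mentions Clover (assumed match).
    if printf '%s\n' "$apps" | grep -qi 'clover'; then
        hits="${hits}clover-app,"
    fi
    if [ -n "$hits" ]; then printf '%s\n' "${hits%,}"; else printf 'none\n'; fi
)

# triage_inventory: read "serial|processor|last_ip|is_lab|apps" rows on stdin
# and print "serial<TAB>signals" for every row with at least one signal.
triage_inventory() {
    while IFS='|' read -r serial cpu ip is_lab apps; do
        [ -n "$serial" ] || continue
        signals=$(flag_signals "$cpu" "$ip" "$is_lab" "$apps")
        if [ "$signals" != "none" ]; then
            printf '%s\t%s\n' "$serial" "$signals"
        fi
    done
}

# Constructed sample export (placeholder serials, not real devices).
SAMPLE_ROWS='SERIAL-0001|Intel Core i5|10.20.30.40|yes|Safari.app;Xcode.app
SERIAL-0002||192.168.1.23|yes|Safari.app;Clover Configurator.app
SERIAL-0003|Intel Core i7|192.168.0.15|no|Safari.app
SERIAL-0004|Intel Core i7|192.168.0.77|yes|Safari.app'

printf '%s\n' "$SAMPLE_ROWS" | triage_inventory
```

A device that matches more than one signal, like the second sample row, is the stronger candidate for manual review; a single match on the 192.168 rule alone can be a lab machine that was simply moved.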