Jamf Nation Community

Hello all,

I'm trying to figure out how to make an iPad that is stolen from a student unusable to the thief.

1) All my devices are in DEP and will be assigned to a PreStage enrollment.

In my testing, the iPad is always Supervised and Enrolled according to my PreStage settings if set up as new. And of course if the configuration is Applied. (Waiting for 9.41 to allow me to turn on 'Mandatory' and turn off 'Allow Removal').

If Restored from iCloud by the same user (backup has same serial number) the prompt to Apply Configuration is not shown, and the Supervision profile is (all profiles are) installed from the Restore.

If Restored from iCloud by a different user (backup has different serial number) the prompt to Apply Configuration IS shown, no profiles from the backup are restored, and the device is Supervised and Enrolled. NICE!!

I tried hooking up a DEP Supervised device to Configurator, after first putting it into DFU and wiping it with iTunes. It is not showing up in the Prepare tab.. not sure why as it has not had a chance to contact Apple. Unless there is something on the iPad indicating the Supervision or DEP program even after an iTunes restore.....

So all looks good from this standpoint. It looks like I will always have a stolen device back under management if they try to use it.

2) I'm thinking of dumping all new enrollments into a Smart Group, and install a Configuration Profile that is as restricted as possible. This part works fine. My huge question though - how do I get them out of this Smart Group without having to do it myself?

I thought of having them authenticate to the new Self Service Mobile app.. perhaps to install a Configuration Profile that is assigned to them.. but I can't get it to work yet (LDAP user signs in ok, but I don't know how to scope this). The SG criteria would check for 'does not have' this 'Profile Name'.

Are there any other thoughts or ideas? Am I missing something?

Thanks!!!!

chris :)