How to manage/track a device after it's fully erased?

AdamKolt
New Contributor

I work in the infosec team of my company and we are doing some tests and use cases related to Mac security incidents. The IT team uses Jamf Pro as MDM for Mac. The use case is the following: a tech savvy and malicious user formats the hard disk, turn off the Internet and set up the Mac as if it was new, then uses the computer as usual, but now we don't have any control over the device.

My questions are:

1. Is it possible to enforce the Jamf Pro install after this?

2. Is it possible to contact Apple so they can track/lock the device if we provide the serial number?

3. If the answers for both question above are no. Is there any way to achieve this with technology alone, or would we have to contact the authorities?

3 REPLIES 3

user-dIrrpGXxza
New Contributor III

You need to purchase devices as DEP devices. Otherwise, there's no enforcement of re-enrollment.

sdagley
Honored Contributor III

@AdamKolt Since you mention using Jamf Pro as your MDM _and_ a malicious user turning off Internet to setup their Mac I'm guessing your Macs are enrolled in ABM and you're aware that isn't a guarantee of MDM enrollment. It is a valid problem, but one Apple has shown no signs of being interested in solving by making Internet access mandatory to complete the Setup Assistant process. From the technical standpoint you should be doing something to ensure a Mac that isn't enrolled with your Jamf Pro system and configured as expected cannot access your network. Cisco's Identity Services Engine (ISE) would be an example of that. At least that way if you aren't in control of the device it can't access your network. As for preventing the issue in the first place, it's essentially an HR problem. If you've got an employee intentionally bypassing company policy that would be grounds for making them an ex-employee, especially if they do it repeatedly. 

mm2270
Legendary Contributor III

@AdamKolt wrote:

a tech savvy and malicious user formats the hard disk


That right there can be stopped by assigning an EFI password for Intel Macs and a Recovery Password for M1 Macs.
With those in place, it will prevent even the savviest of users from formatting the hard disk. If they can't do that, they can't set up the device as unenrolled.

But of course, this only solves the issue for existing devices, not new ones out of the box, if they are being sent to the users to set up using automated device enrollment. The problem of bypassing internet connectivity still applies for those.

Also, as @sdagley stated, this sounds a little like an HR problem, especially if you're expecting or seeing that employees are trying to bypass management by wiping their Macs. You can't really solve issues like that with technology alone.