Posted on 02-25-2024 06:12 PM
Hi Jamf Nation!
I have some questions about what happened in a MacBook after it received the WIPE command, rebooted but without the firmware passcode being authenticated? Could the command be cancelled in any way?
We have a MacBook Air (Retina, 13-inch, 2019) with Intel chipset running macOS 14.3. WIPE command issued and it is now stuck at the user login -> reboot to firmware lock loops.
"Clear Activation Lock" option was chosen when attempting the command, but it says activation lock not found, so the WIPE command was issued without. After the command was sent, the MacBook immediately rebooted into the Firmware lock, which then we realized the passcode is unknown. Attempt to boot or reboot the machine will first goes into the user login page, and ended up at firmware lock after user authentication. We did not reach the steps to enter the 6 digits arbitrary passcode.
I read this from the previous post:
@talkingmoose wrote:If the computer has been protected with a firmware passcode, you’d need the correct PIN to clear that before the computer would be wiped.
Has the data been wiped at this stage? If not, is there a way to undo the WIPE command?
Brought it to Apple Service Center but the technician said it was impossible for them to reset the firmware passcode because it was 'locked'? They have asked for the AppleID initially, and trying to remove the FindMy lock via iCloud. I then explained to them it is a MDM managed device, and they said we have to remove the 'lock' using the managed AppleID before they could reset the firmware, but they are not able to give more details. Further investigate into the configuration profile, he functionality of "Allow iCloud Find My Mac" is enabled, so it might be possible that previous AppleID has the functions turned on. However, the Activation Lock status shown in the inventory of this MacBook is "Not Enabled". What could be the "lock" referred by the technician?
The MacBook was previously used by an ex-senior staff, way before ASM and Jamf Pro was introduced years ago to the organization. Make it worst, the firmware passcode is different from our record. Come to think of it, the firmware lock must be the reason of it not being registered in ASM during the enrollment of all the devices.
Any insights or help for the situation is greatly appreciated.
Thanks!
Doug
Solved! Go to Solution.
Posted on 02-26-2024 05:18 AM
On intel devices the erase command from MDM is very clunky and typically needs an interactive OS reinstall once done. On Intel devices the erase command also does not remove the EFI password, where on Apple Silicon Macs it does remove the Recovery Lock password.
Once the Erase Command is received by the device, there is no way to stop it. Obviously, there is also no way to undo a cryptographic erasure.
If your organization does not know the EFI password, then the device is more or less a brick. Apple CAN remove the EFI password, if they were so inclined to remove it. However, Apple identifies a device as organizationally owned by its registration in Apple School Manager. A device is added to ASM automatically at time of purchase by the authorized reseller and has nothing to do with the device having an EFI password. You can manually add devices to ABM with Apple Configurator if needed, but you need to reinstall macOS and follow steps to do it (of course which requires the EFI password). I would suggest contacting your Apple representative with proof of purchase for the MacBook and see what they suggest.
Posted on 02-26-2024 05:18 AM
On intel devices the erase command from MDM is very clunky and typically needs an interactive OS reinstall once done. On Intel devices the erase command also does not remove the EFI password, where on Apple Silicon Macs it does remove the Recovery Lock password.
Once the Erase Command is received by the device, there is no way to stop it. Obviously, there is also no way to undo a cryptographic erasure.
If your organization does not know the EFI password, then the device is more or less a brick. Apple CAN remove the EFI password, if they were so inclined to remove it. However, Apple identifies a device as organizationally owned by its registration in Apple School Manager. A device is added to ASM automatically at time of purchase by the authorized reseller and has nothing to do with the device having an EFI password. You can manually add devices to ABM with Apple Configurator if needed, but you need to reinstall macOS and follow steps to do it (of course which requires the EFI password). I would suggest contacting your Apple representative with proof of purchase for the MacBook and see what they suggest.
Posted on 02-27-2024 02:27 AM
To add the Macbook into ASM using Apple Configurator was the reason behind the wipe command. We called the Apple representative in the first place, which then directed us to that particular service center. Brought along the purchase invoice but they seems to focus on Find My Device and not trying to reset the firmware passcode. Oh well, it seems like the only way to revive the machine is by the magic code.
Thanks for the info!
Posted on 02-27-2024 05:08 AM
I don't think authorize repair centers can unlock the EFI, I think it has to be Apple themselves. Take it to an Apple Store if possible, or ship it in.
Repair centers are also used to dealing with consumer devices and probably have no idea how to deal with enterprise owned devices. Considering the service fee is probably minimal, I bet they just wanted to get rid of you rather than figuring anything out.
Posted on 02-28-2024 02:41 AM
I see, the service center was referred by Apple support and I didn't know there is such a difference. Thank you so much for the clarification, I will definitely call the Apple representative again.