JSS Lock Computer

lpadmin
Contributor

Has anyone been this stuck with a locked computer?

I locked a computer remotely using JSS and creating a 6-digit code. The computer locked successfully; the student then tried to guess the code and got it wrong. He then brought it to me with the screen displaying "Your computer is disabled. Try again in 60 minutes." Once that time runs out it just shows "Wrong passcode. Try Again" without ever giving me the option to enter a code. I have tried booting into recovery mode and doing an internet recovery. Both times it just boots to the same screen. I took it to the Apple Store and they claimed they have never seen this screen before and could not help. I then spoke with my Casper rep. They had me do a PRAM reset and an SMC reset; both times it booted to the same screen. She then told me to call Apple Support, and they had me try everything listed above again. AppleCare sent this issue to the engineers and I am waiting for a response.

I am looking for any suggestions to get this fixed.



mm2270
Legendary Contributor II

Similar thread here: https://jamfnation.jamfsoftware.com/discussion.html?id=18887
Seems there may be some type of issue with this MDM command that can cause it to get stuck. Apple probably should address this, but they likely won't bother.

lpadmin
Contributor

@mm2270 I found that post when I first started looking for a fix. All the Apple tech told me when I took it to the store was that he does not recognize the lock screen and that I needed to talk to JAMF.

davidacland
Honored Contributor II

What happens if you hold down Cmd, Alt, Ctrl, Shift + S on startup?

bpavlov
Honored Contributor

I was under the impression that Apple could unlock it. It might wipe the device in the process, but at least the computer will be usable again. Are you saying they aren't able to do even that? Because that's strange.

lpadmin
Contributor

@davidacland Tried holding down those keys and it just booted to the same lock screen.

lpadmin
Contributor

@bpavlov Yes, the Apple genius at the store said the lock screen was not an Apple lock and did not know what to do with it. The AppleCare rep did not know what to do with the screen either. See attached for the screenshot of the lock screen after the timer runs out.

isradame
Contributor

Have you tried pressing the Option key at startup? I had the same issue, and after manually selecting the partition I was able to enter the unlock PIN.

lpadmin
Contributor

When I boot holding down the option key, I get the prompt for the firmware password, I enter that. The only drive that pops up is Macintosh HD. I selected the drive and hit enter. It then booted back to the same lock screen.

Also wiping this machine and starting from zero is something I am willing to do to solve this.

davidacland
Honored Contributor II

If it gets that far holding down the Alt key, you will hopefully be able to boot to NetBoot or an external drive with OS X installed and wipe the internal Macintosh HD.

lpadmin
Contributor

@davidacland I have tried booting to a flash drive that is configured to install 10.11. When I try to boot to that drive it allows me to select it, but it never starts the install process. It just boots to the lock screen. I have also tried booting the machine in target disk mode, which does not work either.

davidacland
Honored Contributor II

Are you launching disk utility first and wiping the drive?

lpadmin
Contributor

@davidacland It does not give me the option to open disk utility. I see language preferences appear in the top left corner for half a second and then it pops back to the lock screen.

mm2270
Legendary Contributor II

Is the Mac connected to a network when you're booting into your flash drive? I believe the lock screen is coming from MDM, despite what Apple seems to think, though I'm really not certain on that. Have you tried booting it up off that flash drive completely disconnected from any network connection to see what happens?

lpadmin
Contributor

@mm2270 The Mac is not connected to the network via an Ethernet cable; it could be connected via Wi-Fi though. Not sure if there is a point during boot-up that a Mac will turn on Wi-Fi and connect. I could try going off campus and doing a reboot.

bpavlov
Honored Contributor

Just curious, are you able to target disk mode into it? Not sure how much that will help, but this is all very interesting behavior. Haven't seen it before.

lpadmin
Contributor

@bpavlov I am not able to boot into target disk mode.

mm2270
Legendary Contributor II

Hmm, well, you could try that I guess. I'm not sure what happens exactly when a Mac receives that lock command. I'm actually thinking now that it sets a state in the firmware that the Mac is forced to boot into a lock mode, so even if it can't connect to a network it will likely still boot into that screen. It wouldn't be the most secure if one could bypass it simply by making sure it wasn't connected to the internet.

I'm really surprised Apple is saying they can't help here. I believe MDM lock commands, among other things, are coming from Apple's APNs and not really from Casper. The Casper Suite simply sends APNs a command to go out and lock the Mac in question and APNs does the rest. IOW, I think once the command is handed over to Apple's servers, the JSS has nothing to do with it from there. But I may be wrong, since it's been a while now since I closely examined all this. And what is JAMF saying about this situation?

lpadmin
Contributor

@mm2270 You are probably right that going offline will not help since that would be a security flaw. But I am willing to try anything at this point.

I am also surprised that both Apple and JAMF do not know where to go from here. JAMF has basically said that there is nothing more they can do and handed the issue off to Apple to fix.

mm2270
Legendary Contributor II

I'm going to side with JAMF here, because as I said, unless I'm way off, all the JSS is doing is sending a request to Apple's APNs to send a lock command down to the MDM-managed device. I don't see how this is JAMF's issue to solve. The way it's actually supposed to work is that if the passcode is entered incorrectly a couple of times, it increments a time-to-wait value, which gets increasingly larger with each incorrect attempt, so it should be indicating that you can't try another passcode for x more minutes or something, not just a "wrong password" screen. It looks almost like a bug in the way the firmware is handling the lock issue to me, which is not very comforting if that's the case. Talk about bricking Macs. For an environment that needs to rely heavily on the MDM commands feature, this could be a potential nightmare.
If I can think of anything else to try I'll post back, but honestly, I'm running out of ideas myself. Hopefully someone else has some good suggestions for you.

jchurch
Contributor II

I haven't come across this in Macs yet, but have in iOS. According to Apple this is "expected behavior"... in iOS anyway. When you set the passcode you have the option to automatically wipe the device if the wrong code is entered 10 times. If you choose not to auto-erase the device, it just gets bricked after 10 incorrect passcode attempts. At that point your only option is a DFU wipe and restore... Apple calls this a "security feature".

I call it a pain in the ass.

It wouldn't surprise me at all to see the same behavior in Mac OS too.

Is it accessible over the network? Can you SSH into it? Or maybe can the JSS issue a wipe command?

luisgiraldo
New Contributor II

@lpadmin try booting the machine from a recovery partition on an external disk. I've seen this happen when a computer has a bad recovery partition, and essentially the lock procedure never successfully completes. Once it boots to the external recovery volume, you should be able to unlock on the next boot.

lpadmin
Contributor

@jchurch I tried to send the wipe command from JSS and it just sits at pending after restarting the computer 5 times while wired with an ethernet cable.

@luisgiraldo I tried finding how to create a recovery disk on a flash drive for 10.11. It appears that Mac stopped using them after Mountain Lion. Newer macs replaced it with internet recovery, which I have tried and does not work. Do you know how to create one for 10.11?

jchurch
Contributor II

If you take another working 10.11 laptop and put it in target disk mode, your bricked laptop should see both the OS and Recovery partitions.

lpadmin
Contributor

UPDATE

I was able to get the computer to boot into target disk mode. From there I plugged it into my computer, and after 5 attempts Disk Utility was able to wipe the computer. Now when I boot it, I get the folder with a flashing ? on the screen. I then tried using my OS X install flash drive, and after selecting the drive it still goes to the lock screen. I then tried internet recovery and @jchurch's suggestion and am still getting the lock screen.

mpermann
Valued Contributor II

@lpadmin is there a record for the computer in Casper still? I'm wondering what would happen if you deleted the computer record from Casper, wiped the drive completely, put on a fresh OS, then booted the computer up: does it still go to the lock screen? If it does, then the lock screen likely isn't being caused by Casper. Then you may need to get Apple involved to determine what is still causing the lock screen.

taugust04
Valued Contributor

The lock screen is implemented in the EFI firmware of the Mac. Wiping the drive is not going to unlock it from what I understand... it needs to be unlocked by Apple, if it can't be done through the JSS.

lpadmin
Contributor

Just heard back from Apple:

They said that there is no coming back from this lock. It is a security feature that is made so that if a thief enters the wrong code multiple times it turns into a paperweight. Since the computer cannot tell if it has been returned to the rightful owner, it just stays in this loop. Thanks for all of your input and help.

On a personal note, I can't believe that Apple can't reset this lock screen when a person can show proof that they rightfully own the computer.

mm2270
Legendary Contributor II

I suspected it was something along those lines, although I agree with you that there really should be some way to get out of it if the device is wiped. I can understand them not being able to bypass it when in the normal lock mode, but once it's been reformatted, it would be sensible to allow it to be used again by the rightful owner.
Although, given some of the stuff in the news recently about locked iPhones and such, it doesn't really surprise me they designed it this way. In fact, I think this will only get more impossible to bypass as time goes on.

bpavlov
Honored Contributor

That's horrible news. I can understand the reasoning in deterring thieves, but if you can prove you purchased the device, what's the problem with wiping it and returning it to a useful state? The data is gone at that point anyway. Imagine the repercussions if, say, an automobile company did something like that: sorry, you attempted to turn the car on incorrectly too many times. That wouldn't fly in that situation, so why would it be OK for a computer? If they can't unlock it, then at least provide a replacement device of the same model.

mpermann
Valued Contributor II

@lpadmin so is Apple saying that once it's been locked like this they are unable to remove the lock and return the computer to working order, even if the person in possession of the computer can prove they are the owner? If they are saying the computer is permanently bricked, that would be horrible. I've had a user forget an EFI firmware password before and I was able to get Apple to unlock the computer once we proved we owned it. I'm not sure why Apple wouldn't be able to do something similar in this case.

lwindram
Contributor

@lpadmin I would suggest taking it back to the Apple Store and talking to a different employee. If they stick to the same story then try a different Apple Store. I've had more than a dozen devices with this issue and it's never been a problem getting them unlocked.

jgrubbs
New Contributor III

@lpadmin I have good news for you. You absolutely can get this resolved by contacting GSX. We had a similar issue, after calling AppleCare Education, I got a rep that used to work in GSX. He instructed me to open GSX chat and ask for assistance unlocking an unknown firmware password. Don't say anything about a code from Casper. Just say you have a laptop with an unknown firmware password.

Once they have confirmed you own the device (you simply say, "Yes, I own the device") they will walk you through the steps to obtain the computer-specific code. Once you get this code, you send it to GSX. They then will configure a binary boot file and send it along with instructions on how to copy it to a bootable flash drive.

The flash drive erases the firmware password, which enables you to reset the PRAM. Once you do that, the code should be gone.

davidacland
Honored Contributor II

Still worth trying again, but the key combination to generate the unlock code (Cmd, Alt, Ctrl, Shift + S) didn't work earlier, and that is needed to generate the unlock file.

brushj
New Contributor III

Just wanted to give an update to this as we just had it happen. You can get ahold of GSX support and they will be able to unlock it while retaining the users data as @jgrubbs stated.

mgerhardt
New Contributor

I believe Apple Stores have resources to reverse these issues but Apple Care over the phone do not. At least years ago when I worked as a Genius, we could unlock EFI and iCloud locks if we needed to, but it was a lengthy process to do so.

Apple Care over the phone is really Tier 1.5 in most cases from my experience, where the stores are hit and miss with a larger wealth of resources at their disposal.

Snickasaurus
Contributor

Yesterday I had the issue of picking up a MacBook that our Asset Management team locked. It's now to be re-imaged and deployed to a new hire. When I got the machine to my desk I plugged it in and started it up, only to find I couldn't enter the 6-digit code our AM team set. Also, when trying to boot to my Casper drive it was asking for a firmware password (set to the same thing as the lock code). The lock code screen would not let me enter anything using the built-in laptop keyboard or either of the two external Mac keyboards I tried to plug in. No numbers/letters would enter and the cursor wouldn't advance. Nothing I tried worked, BUT I found that the six-digit code WOULD work on the firmware lock screen. So I booted to my Casper drive and unlocked the internal SSD when prompted. I then did the following:

1) Imaged the machine but chose not to boot into the target drive after imaging.
2) Shut the machine down and started it up holding OPTION. Chose the newly laid-down recovery partition (which it ignored).
3) Instead of booting into the recovery partition, it came up with jamfHelper's Casper Imaging screen; you all know the one.

After that I have been able to boot, shut down, start up and log in, then reboot many times, and it seems the lock screen is gone.

Hope this may help someone that finds this post in the future and doesn't have a GSX account.

mrcamuti
New Contributor II

https://orvtech.com/atacar-efi-pin-macbook-pro-en.html

It doesn't surprise me that Apple chose to do this, and yeah, I agree that's nuts.

delbrown
New Contributor II

This worked for me! Your results may vary...

  1. I waited until the disabled-device countdown timer expired and I got the screen saying "wrong passcode try again" (still no way to enter the code).

  2. I sent the "Lock Computer" command using the same original 6-digit lockdown code that was previously used.

  3. When the computer restarted, the 6 boxes were back! I put in the code and the computer restarted...

  4. The lock screen returned upon reboot with the 6 boxes. I put in the code again and the computer rebooted normally.

The reason for the 2 unlock screens was to satisfy each of the "Lock Computer" commands.

Del

Npotter229
New Contributor II

@lpadmin I used to deal with a few thousand laptops and found this happening every time we locked a student. From what I was able to deduce, it is indeed a firmware loop. If you have a firmware passcode on the EFI, it will essentially brick the laptop/device. If you do a GSX chat and break the firmware with the provided BIN file from support, you can recover the machine. Hope this helps anyone out there, as I know the thread is a little old.