Has anyone been this stuck with a locked computer?
I locked a computer remotely using JSS and creating the 6-digit code. The computer successfully locked, the student then tried to guess what the code is and got it wrong. He then brought it to me with the screen displaying "Your computer is disabled. Try again in 60 minutes". Once that time runs out it just shows "Wrong passcode. Try Again" without ever giving me the option to enter a code. I have tried booting into recovery mode and doing an internet recovery. Both times it just boots to the same screen. I took it to the Apple store and they claimed they have never seen this screen before and could not help. I then spoke with my Casper rep. They had me do a PRAM reset and a SMC reset, both times it booted to the same screen. She then told me to call Apple Support and they had me try everything listed above again. Apple Care sent this issue to the engineers and I am waiting for a response.
I am looking for any suggestions to get this fixed.
Just heard back from Apple:
They said that there is no coming back from this lock. It is a security feature that is made so if a thief enters the wrong code multiple times it turns into a paperweight. Since the computer cannot tell if it has been returned to the rightful owner it just stays in this loop. Thanks for all of your input and help.
On a personal note I can't believe that Apple can't reset this lock screen when a person can show proof that they rightfully own the computer.
Here's how I got out of it:
1) Hold option and when you get the black screen with the lock, enter your 6-digit code.
2) Boot to a known good OS. You can either use netboot (If you have a server) or target disk another computer.
3) Open terminal and enter the following - sudo /usr/sbin/firmwarepasswd -delete - (type in the local admin password)
4) Restart the computer and hold down cmd, opt, p, r. Wait for 2 chimes.
This did the trick for me, let me know if you have any questions.
This looks to have done the trick for me (don't want to run a test because it's a 20 minute drive to the Apple Store if it doesn't work....). One of my netboot images wouldn't let me run the full finder to get to terminal, but fortunately, I had an older one that still worked.
Instead of the local admin password, I actually had to enter the known firmware passcode in terminal after entering that command, but I was then finally able to reset the pram and log in as normal.
Having tried a few of the options above to no avail I did manage to get it to work by doing the following:
Thanks for the tip @agetz! I was also able to solve this by booting into Internet Recovery.
Here are the steps I took:
- Restarted and held cmd - opt - R to boot into Internet Recovery (as @agetz stated, regular Recovery wouldn't work; it had to be Internet Recovery)
- This computer had a firmware password enabled, so I entered that
- I was prompted for the unlock code, and I entered that
- The computer restarted and asked for the unlock code again, which I entered
- The computer restarted again and booted normally
I'm really glad this worked because it was a lot easier than trying to get it resolved with Apple Support.
I have 2 macbooks in the same situation and have tried both regular and internet recovery. Both were not successful for returning control of the devices. Internet recovery would run through the steps but after the world loading screen, it would reboot back to the locked screen.
Anyone else have any luck with this? I am going to try to give Apple a call to confirm if these devices are bricked. This is a terrible situation since these are returned to our school in this manner which we lose out on recovery. Why even have this feature if Apple is just going to brick the device?
I was able to resolve this, but it took a call to Apple GSX support in order to get it done:
Since we have a firmware/EFI policy, we had to do the following:
We couldn't turn off the EFI policy, due to the iCloud lock, none of the normal key combinations were working correctly to get to the recovery screens to turn it off. This is why I had to turn to GSX Support.
Just throwing this out there in case it helps - I had the same issue where boot was telling me to Please Wait 60 minutes but would not display the 6 digit form that allows me to enter PIN.
I figured I would try rebooting and clearing NVRAM, but we have EFI password set. I instead held the option key down, connected to our wifi, chose a netboot image on our Deploy Studio server and booted off of that. DS netboots give you a Terminal, which I opened and issued "nvram -c" a few times. After a reboot, the pin code form came back.
I managed to figure out a fix (that worked for me), not sure if this will work for everyone else. When you see the error message 'wrong passcode, try again', activate voice control (Hold command + F5). This will highlight the first passcode field (at this stage I went off to do something else) and when I returned the passcode field was now active, I was then able to enter the passcode I had assigned and VOILA it worked! Hope this helps everyone else!
I have had 12 of these bricks sitting on my desk and after a lot of trial and error I was able to get these recovered either one of two ways. Below are the steps I give out to my techs to fix this issue and so far it has worked on any and all versions from 10.10 to 10.12 so thought I would share. Also this tells me this is not a hardware lock it is a software lock since wiping the hard drive fixes this issue which means it is not an Apple issue.
1.) Boot the imaging computer into Target mode.
2.) Connect Thunderbolt cable to computer you want to fix and turn it on while pressing the
3.) Select the Target mode hard drive of the external computer and load. If you see more than one internal hard drive you will need to load Disk Utility to format the internal drives together before you can image.
4.) Open casper imaging and check the following:
Target Drive: Macintosh HD (Should auto select the internal drive.)
Check the Erase Target Drive option
Name the computer (Should be named already)
Configuration: Your Image
Check the boot to target drive option
5.) Before clicking Image log into Jamf and delete the device you are wiping
6.) Click image and wait for the image to complete then reboot the computer
7.) Install the quick add package (You only need this if you want to get it talking faster. It will connect correctly if you deleted the item from Jamf.)
8.) Let it update and download everything then you are done.
BACKUP OPTION IF FIRST DOES NOT WORK!!!
With computer off press and Hold the Option key then power on the computer
When screen comes up with a hard drive and WiFi connect to the WiFi and wait for the two internet options to pop up. (If no items show up after 2 minutes reboot the computer and do option again)
Sometimes the AutoCasperNBI will not load may have to reboot several times.
Select the one labeled AutoCasperNBI and let it load
Jamf Imaging will auto load and once it has loaded select the following
Target Drive: Macintosh HD
Check the Erase Target Drive option
Name the computer
Configuration: Your Image
Check the boot to target drive option
Leave everything else
Before you start log into Jamf and delete the current computer record for the one you are working
Click Start and wait for the image to complete then reboot the computer
Install the quick add package (You only need this if you want to get it talking faster. It will connect correctly if you deleted the item from Jamf.)
Let it update and download everything then you are done.
I spent all day on this problem. After trying every option on this thread, I thought this machine was permanently bricked. Finally, this combination of things worked for me, at the end:
1) Option key at startup. Presented with a firmware lock screen. Type in the firmware lock password. If you don't know this, then you'll have to go the Apple route via GSX and get an unlock hash, etc.
2) Boot the machine to your JAMF imaging environment. Mine happens to be a Thunderbolt SSD. Yours might be a Netbook or Netboot environment.
3) Launch Terminal. Type in /usr/sbin/firmwarepasswd -delete. At the prompt type in the firmware password. Note, it's NOT the local admin password that you'd normally type in when sudo'ing something. This took me a few tries to figure out. This will remove the firmware password from the machine.
4) Log into your JSS web interface. Delete the record for the machine.
5) Launch Casper Imaging. Select your options. Tell Casper Imaging to NOT restart the machine after imaging is done. When it's done, shut down the machine.
6) Power it on and quickly reset the PRAM/NVRAM by holding down COMMAND P + R. Hold for at least two chimes. I did three, even though two was probably sufficient.
7) Now, the computer should boot up successfully with no firmware password (removed in Step 3 and NVRAM reset in Step 6). And the MDM lock was removed when you deleted the record from the JSS in Step 4.
8) You'll know if it's successful if you see the "after-imaging" screen that JAMF presents -- the one that installs software like Adobe that happens upon initial enrolment into JSS but not during imaging.
I'm still not clear on what causes this cycle. In my mind, sending an MDM lock command from my JSS shouldn't also firmware lock the machine, but it does. And then the machine gets caught in this loop, stuck between the firmware lock and the MDM lock. Seems like a bug, but maybe not. This machine came very close to being a brick.
I hope this helps someone else. What an adventure. The cave trolls almost got me.
@damienbarrett Thank you for that. I've unbricked a machine by following your instructions.
For anyone else experiencing this issue - It's also worth noting that you may not be able to boot into a working OS that easily - The Mac I had which was 10.12.6 (shipped on 10.12 I believe) wouldn't let me boot into 10.12.6/5 Netboot - I had to use a 10.12.4 netboot.
What an absolute ridiculous waste of time. THANKS APPLE.
We filed a ticket with enterprise support and they have confirmed it is a bug. If you have an enterprise support contract they can get your machines back online easily. I'll ask support for the ticket she submitted to engineering so others can refer to it as well.
Update for those that might read it. I went thru the entire thread trying almost every supplied solution. We have the computers on 10.12 which is connected to LDAP for users as Mobile, Admin and FileVault enabled. I was going crazy as I had the code, would get the EFI password box when trying to boot to USB, or Net Recovery or with options, it would always go back to the wait page once it tried to reboot. I tried to send down a code again but it seems that since the disk is encrypted that it wouldn't really truly go online, I hoped doing a net recovery the unit would be seen long enough for Jamf to send updates but that never happened.
Solution - just wait it out.
Yes.. I waited out the 60 mins to get the false error message, then just let it sit on the desk, 10 to 15 mins later, the box showed up asking for the passcode again. Typed it in and was back in the computer. Really thought it was bricked by the user after the system was locked. There really needs to be a disclaimer about sending a lock code.
I had this issue on one where it wouldn't present the lock code entry, and the following worked for me.
Connected to ethernet
Booted with option key and entered our known firmware password.
Picked our CasperNetboot image and let boot.
Opened terminal and entered /usr/sbin/firmwarepasswd -delete entering firmware password when prompted.
Opened Disk Utility and erased Macintosh HD volume and disk.
Shutdown and then did a double PRAM zap.
Was then able to boot to installer and install OS normally.
What's amazing, I also had to go through all this today. If a computer is locked with the JSS AND then the unlock code is entered incorrectly enough times the computer is disabled. At this point follow the instructions above from damienbarrett or the computer needs to have the firmware password removed. That can ONLY be done by Apple Retail, Apple authorized service providers or the customer if they are an Apple GSX self servicing provider. You will need proof of ownership and if institution owned also proof of employment such as photo work ID. As I am an Apple GSX self servicing provider I used the included Apple procedure to remove the firmware password then after zapping the p-ram 3 times the system booted normally.
This definitely needs to be documented better. This was almost 2 hours of discovery today!
This happened on a returned T2 MacBook Pro from a former employee. He was a Jamf admin but informed me he neither placed a lock via Jamf nor via his Apple ID. Luckily and for some reason the code was in Management History. Even more strange, the lock was only pushed when we wiped and re-enrolled it 4 weeks after he left the company. By the time I found the code we were at the 60 min lockout period and no passcode boxes were shown. What helped me was bmcdade's comment that the passcode boxes do indeed show up about 10-15 mins after the 60 min lockout period. It lives.
Hey Guys, we also came across the same issue after sending the lock command through Jamf. However, we researched on this and found out a few steps which helped us recover all the Macs which were in the lockout. The steps are as follows:
• Firstly the laptop should be restarted in recovery mode.
• Then let the 60 minute countdown begin. 60 minutes have to be closely monitored and the laptop screen should not be let greyed-out/ sleep (screen should be active always and closely monitor the last 10 minutes of the countdown).
• Just as the sixty minutes are over, the laptop screen should be kept active/wake for nearly 30 min continuously; closely monitored (Do not let the screen grey-out or sleep).
• Then the six boxes for unlocking the device are meant to re-appear within the span of 10-30 min where the 6-digit unlock password should be entered.
• Thereby the device will be unlocked directing the user to the normal login screen with user accounts.
Hope these steps work for you all!
I hate to revive a long dead horse but.... During COVID Evac. 4 new T2 MacBook Airs were put in a box and stuffed away. They were never issued to users.
The firmware is not locked.
I finally found them today. Meanwhile, I had sent a lock command to them. 3 of 4 booted and were easily unlocked.
The fourth: Never booted to a login screen, but still somehow got the MDM>Lock device command. When I do get the unlock screen it is a padlock, NOT the 6 boxes.
The unlock code works temporarily, in that it allows me to "move on" but I cannot get the device to boot to anything.
Fan rages, takes forever, gets all the way to the end of the progress bar and sits...
Tried Option: nope
Tried Shift: nope
Command R: nope
Command-Option-Shift R (wired or wireless) shows the globe, then never boots all the way to recovery.
It created a new object in Jamf. Just to confirm I did a lock device within management and sure enough it locked. However, after I put in the code I get the spinning globe. I let it sit and it hangs. No other boot commands seem to work. I also need to keep the data. Target disk mode does not work.