JSS Lock Computer

lpadmin
Contributor

Has anyone been this stuck with a locked computer?

I locked a computer remotely using JSS and creating the 6 digit code. The computer successfully locked, the student then tried to guess what the code is and got it wrong. He then brought it to me with the screen displaying "Your computer is disabled. Try again in 60 minutes". Once that time runs out it just shows "Wrong passcode. Try Again" without ever giving me the option to enter a code. I have tried booting into recovery mode and doing an internet recovery. Both times it just boots to the same screen. I took it to the Apple store and they claimed they have never seen this screen before and could not help. I then spoke with my Casper rep. They had me do a PRAM reset and an SMC reset, both times it booted to the same screen. She then told me to call Apple Support and they had me try everything listed above again. Apple Care sent this issue to the engineers and I am waiting for a response.

I am looking for any suggestions to get this fixed.

1 ACCEPTED SOLUTION

lpadmin
Contributor

Just heard back from Apple:

They said that there is no coming back from this lock. It is a security feature that is made so if a thief enters the wrong code multiple times it turns into a paperweight. Since the computer cannot tell if it has been returned to the rightful owner it just stays in this loop. Thanks for all of your input and help.

On a personal note I can't believe that Apple can't reset this lock screen when a person can show proof that they rightfully own the computer.

68 REPLIES

maxapen
New Contributor II

I used to work at the Apple Store as a genius and I can confirm it's definitely possible for them to unlock it for you. Just like @jgrubbs mentioned earlier, they will create a binary boot file that can be used to clear the firmware password.

Pacers31Colts18
New Contributor

I'm 3/3 on this issue... let the time run out. Re-send the lock code, eventually it will get the code. Use the same code.

rusty_adams
New Contributor III

@Pacers31Colts18

Do you have a firmware passcode on there as well? I'm not having any luck with resending the code and getting the 6 boxes to reappear. I had to take one to the Apple Store last week for this same issue and am faced with a second one today.

Pacers31Colts18
New Contributor

@rusty.adams

Mixed bag...some of our deployments have a firmware password, some do not.

zacloka
New Contributor

I am having the same issue here and I am totally a newbie to codes and commands. May I know what is the advice for solving this issue? Need help desperately.

eissey
New Contributor II

Here's how I got out of it:

1) Hold option and when you get the black screen with the lock, enter your 6-digit code.

2) Boot to a known good OS. You can either use netboot (If you have a server) or target disk another computer.

3) Open terminal and enter the following - sudo /usr/sbin/firmwarepasswd -delete - (type in the local admin password)

4) Restart the computer and hold down cmd, opt, p, r. Wait for 2 chimes.

This did the trick for me, let me know if you have any questions.

rusty_adams
New Contributor III

@eissey

This looks to have done the trick for me (don't want to run a test because it's a 20 minute drive to the Apple Store if it doesn't work....). One of my netboot images wouldn't let me run the full finder to get to terminal, but fortunately, I had an older one that still worked.

Instead of the local admin password, I actually had to enter the known firmware passcode in terminal after entering that command, but I was then finally able to reset the pram and log in as normal.

Thanks!

d1ck063
New Contributor

Having tried a few of the options above to no avail I did manage to get it to work by doing the following:

  • We have a "MacBook return" image set up which is a basic MacOS install with the .AppleSetupDone file removed so I re-imaged from Casper Netboot using this option.
  • As it wouldn't boot from a recovery partition or External/Target disk, I again used our Casper Netboot option.
  • I opened a terminal session and ran /usr/sbin/firmwarepasswd -delete option.
  • Rebooted and performed a pRAM reset.
  • Ran the set-up assistant with simplified information.
  • Re-imaged in the usual way using our SOE image.

agetz
Contributor

We were just able to boot to internet recovery (must be internet recovery, cmd-opt-R) and put in the code when it prompted.

stphnlee
New Contributor II

Thanks for the tip @agetz! I was also able to solve this by booting into Internet Recovery.

Here are the steps I took:
- Restarted and held cmd - opt - R to boot into Internet Recovery (as @agetz stated, regular Recovery wouldn't work; it had to be Internet Recovery)
- This computer had a firmware password enabled, so I entered that
- I was prompted for the unlock code, and I entered that
- The computer restarted and asked for the unlock code again, which I entered
- The computer restarted again and booted normally

I'm really glad this worked because it was a lot easier than trying to get it resolved with Apple Support.

Andy_McCaskill
Contributor

I have 2 macbooks in the same situation and have tried both regular and internet recovery. Both were not successful for returning control of the devices. Internet recovery would run through the steps but after the world loading screen, it would reboot back to the locked screen.

Anyone else have any luck with this? I am going to try to give Apple a call to confirm if these devices are bricked. This is a terrible situation since these are returned to our school in this manner which we lose out on recovery. Why even have this feature if Apple is just going to brick the device?

clewis
New Contributor

I was able to resolve this, but it took a call to Apple GSX support in order to get it done:

Since we have a firmware/EFI policy, we had to do the following:

  1. Contact Apple GSX support to turn off the EFI Policy.
  2. You will be requested to press the key sequence Shift Control Command Option S on that lock screen.
  3. A key will show up; you will provide that to Apple.
  4. They'll send you an email with a bootable file which will remove the EFI Lock.
  5. Once that is complete, you can do the PRAM reset, which should take off the iCloud lock.

We couldn't turn off the EFI policy, due to the iCloud lock, none of the normal key combinations were working correctly to get to the recovery screens to turn it off. This is why I had to turn to GSX Support.

jkrainak
New Contributor II

Just throwing this out there in case it helps - I had the same issue where boot was telling me to Please Wait 60 minutes but would not display the 6 digit form that allows me to enter PIN.

I figured I would try rebooting and clearing NVRAM, but we have EFI password set. I instead held the option key down, connected to our wifi, chose a netboot image on our Deploy Studio server and booted off of that. DS netboots give you a Terminal, which I opened and issued "nvram -c" a few times. After a reboot, the pin code form came back.

craig_caruso
New Contributor II

Anyone find a fix for this?

michael_macdona
New Contributor

I did a NVRAM (P R Command + Option) reset 3 times. After the third time it bypassed the lock screen, and booted to the login window.

Jose
New Contributor

I managed to figure out a fix (that worked for me), not sure if this will work for everyone else. When you see the error message 'wrong passcode, try again', activate voice control (Hold command + F5). This will highlight the first passcode field (at this stage I went off to do something else) and when I returned the passcode field was now active, I was then able to enter the passcode I had assigned and WOHLA it worked! Hope this helps everyone else!

martinj
New Contributor

I have had 12 of these bricks sitting on my desk and after a lot of trial and error I was able to get these recovered in one of two ways. Below are the steps I give out to my techs to fix this issue and so far it has worked on any and all versions from 10.10 to 10.12 so thought I would share. Also this tells me this is not a hardware lock, it is a software lock, since wiping the hard drive fixes this issue, which means it is not an Apple issue.

1.) Boot the imaging computer into Target mode.

2.) Connect Thunderbolt cable to computer you want to fix and turn it on while pressing the Option key

3.) Select the Target mode hard drive of the external computer and load. If you see more than one internal hard drive you will need to load Disk Utility to format the internal drives together before you can image.

4.) Open Casper Imaging and check the following:

Target Drive: Macintosh HD (Should auto select the internal drive.)
Check the Erase Target Drive option
Name the computer (Should be named already)
Configuration: Your Image
Check the boot to target drive option

5.) Before clicking Image log into Jamf and delete the device you are wiping

6.) Click image and wait for the image to complete then reboot the computer

7.) Install the quick add package (You only need this if you want to get it talking faster. It will connect correctly if you deleted the item from Jamf.)

8.) Let it update and download everything then you are done.

BACKUP OPTION IF FIRST DOES NOT WORK!!!

With computer off press and Hold the Option key then power on the computer

When screen comes up with a hard drive and WiFi connect to the WiFi and wait for the two internet options to pop up. (If no items show up after 2 minutes reboot the computer and do option again)

Sometimes the AutoCasperNBI will not load; you may have to reboot several times.

Select the one labeled AutoCasperNBI and let it load

Jamf Imaging will auto load and once it has loaded select the following

Target Drive: Macintosh HD
Check the Erase Target Drive option
Name the computer
Configuration: Your Image
Check the boot to target drive option

Leave everything else

Before you start log into Jamf and delete the current computer record for the one you are working on.

Click Start and wait for the image to complete then reboot the computer

Install the quick add package (You only need this if you want to get it talking faster. It will connect correctly if you deleted the item from Jamf.)

Let it update and download everything then you are done.

damienbarrett
Valued Contributor

I spent all day on this problem. After trying every option on this thread, I thought this machine was permanently bricked. Finally, this combination of things worked for me, at the end:

1) Option key at startup. Presented with a firmware lock screen. Type in the firmware lock password. If you don't know this, then you'll have to go the Apple route via GSX and get an unlock hash, etc.

2) Boot the machine to your JAMF imaging environment. Mine happens to be a Thunderbolt SSD. Yours might be a Netbook or Netboot environment.

3) Launch Terminal. Type in /usr/sbin/firmwarepasswd -delete. At the prompt type in the firmware password. Note, it's NOT the local admin password that you'd normally type in when sudo'ing something. This took me a few tries to figure out. This will remove the firmware password from the machine.

4) Log into your JSS web interface. Delete the record for the machine.

5) Launch Casper Imaging. Select your options. Tell Casper Imaging to NOT restart the machine after imaging is done. When it's done, shut down the machine.

6) Power it on and quickly reset the PRAM/NVRAM by holding down COMMAND OPTION P + R. Hold for at least two chimes. I did three, even though two was probably sufficient.

7) Now, the computer should boot up successfully with no firmware password (removed in Step 3 and NVRAM reset in Step 6). And the MDM lock was removed when you deleted the record from the JSS in Step 4.

8) You'll know if it's successful if you see the "after-imaging" screen that JAMF presents -- the one that installs software like Adobe that happens upon initial enrolment into JSS but not during imaging.

I'm still not clear on what causes this cycle. In my mind, sending an MDM lock command from my JSS shouldn't also firmware lock the machine, but it does. And then the machine gets caught in this loop, stuck between the firmware lock and the MDM lock. Seems like a bug, but maybe not. This machine came very close to being a brick.

I hope this helps someone else. What an adventure. The cave trolls almost got me.

rodders
New Contributor III

@damienbarrett Thank you for that. I've unbricked a machine by following your instructions.

For anyone else experiencing this issue - It's also worth noting that you may not be able to boot into a working OS that easily - The Mac I had which was 10.12.6 (shipped on 10.12 I believe) wouldn't let me boot into 10.12.6/5 Netboot - I had to use a 10.12.4 netboot.

What an absolute ridiculous waste of time. THANKS APPLE.

mahughe
Contributor

We filed a ticket with enterprise support and they have confirmed it is a bug. If you have an enterprise support contract they can get your machines back online easily. I'll ask support for the ticket she submitted to engineering so others can refer to it as well.

bmcdade
Contributor

Update for those that might read it. I went through the entire thread trying almost every supplied solution. We have the computers on 10.12 which is connected to LDAP for users as Mobile, Admin and FileVault enabled. I was going crazy as I had the code, would get the EFI password box when trying to boot to USB, or Net Recovery or with options, it would always go back to the wait page once it tried to reboot. I tried to send down a code again but it seems that since the disk is encrypted that it wouldn't really truly go online. I hoped doing a net recovery the unit would be seen long enough for Jamf to send updates but that never happened.

Solution - just wait it out.

Yes.. I waited out the 60 mins to get the false error message, then just let it sit on the desk, 10 to 15 mins later, the box showed up asking for the passcode again. Typed it in and was back in the computer. Really thought it was bricked by the user after the system was locked. There really needs to be a disclaimer about sending a lock code.

mahughe
Contributor

If you have Apple enterprise they can provide you with a firmware solution. I’ve done about 20 this school year using the process.

rfreeborn
New Contributor III

I had this issue on one where it wouldn't present the lock code entry, and the following worked for me.

Connected to ethernet
Booted with option key and entered our known firmware password.
Picked our CasperNetboot image and let boot.
Opened terminal and entered /usr/sbin/firmwarepasswd -delete entering firmware password when prompted.
Opened Disk Utility and erased Macintosh HD volume and disk.
Shutdown and then did a double PRAM zap.

Was then able to boot to installer and install OS normally.

CoMb0BrEaKeR
New Contributor II

What's amazing, I also had to go through all this today. If a computer is locked with the JSS AND then the unlock code is entered incorrectly enough times the computer is disabled. At this point follow the instructions above from damienbarrett or the computer needs to have the firmware password removed. That can ONLY be done by Apple Retail, Apple authorized service providers or the customer if they are an Apple GSX self servicing provider. You will need proof of ownership and if institution owned also proof of employment such as photo work ID. As I am an Apple GSX self servicing provider I used the included Apple procedure to remove the firmware password then after zapping the PRAM 3 times the system booted normally.

This definitely needs to be documented better. This was almost 2 hours of discovery today!

robby_c137
New Contributor III

This happened on a returned T2 MacBook Pro from a former employee. He was a Jamf admin but informed me he neither placed a lock via Jamf nor via his Apple ID. Luckily and for some reason the code was in Management History. Even more strange, the lock was only pushed when we wiped and re-enrolled it 4 weeks after he left the company. By the time I found the code we were at the 60 min lockout period and no passcode boxes were shown. What helped me was bmcdade's comment that the passcode boxes do indeed show up about 10-15 mins after the 60 min lockout period. It lives.

msw
Contributor

@damienbarrett thanks for the detailed post. The process you posted worked perfectly for me.

ujayawardena
New Contributor

Hey Guys, we also came across the same issue after sending the lock command through Jamf. However, we researched this and found a few steps which helped us recover all the Macs which were in the lockout. The steps are as follows:

• Firstly the laptop should be restarted in recovery mode.

• Then let the 60 minute countdown begin. 60 minutes have to be closely monitored and the laptop screen should not be let greyed-out/ sleep (screen should be active always and closely monitor the last 10 minutes of the countdown).

• Just as the sixty minutes are over, the laptop screen should be kept active/wake for nearly 30 min continuously; closely monitored (Do not let the screen grey-out or sleep).

• Then the six boxes for unlocking the device are meant to re-appear within the span of 10-30 min where the 6-digit unlock password should be entered.

• Thereby the device will be unlocked directing the user to the normal login screen with user accounts.

Hope these steps work for you all!

Sandy
Valued Contributor II

I hate to revive a long dead horse but.... During COVID Evac. 4 new T2 MacBook Airs were put in a box and stuffed away. They were never issued to users.
The firmware is not locked.

I finally found them today. Meanwhile, I had sent a lock command to them. 3 of 4 booted and were easily unlocked.

The fourth: Never booted to a login screen, but still somehow got the MDM>Lock device command. When I do get the unlock screen it is a padlock, NOT the 6 boxes.
The unlock code works temporarily, in that it allows me to "move on" but I cannot get the device to boot to anything.
Fan rages, takes forever, gets all the way to the end of the progress bar and sits...
Tried Option: nope
Tried Shift: nope
Command R: nope
Command-Option-Shift R (wired or wireless) shows the globe, then never boots all the way to recovery.

It created a new object in Jamf. Just to confirm I did a lock device within management and sure enough it locked. However, after I put in the code I get the spinning globe. I let it sit and it hangs. No other boot commands seem to work. I also need to keep the data. Target disk mode does not work.