09-28-2022 08:27 PM - edited 09-28-2022 08:28 PM
We have a bunch of Intel, M1 and M2 Macs.
I am trying to lock them with activation lock so that no one can erase the Mac.
Currently, the Macs can be forced into recovery mode, and "Erase Mac" can be used to fresh install the OS.
Can someone guide me to lock with company ABM please?
Any help is appreciated!
Posted on 09-29-2022 05:34 AM
Set a Firmware password for Intel Macs and a recovery password for Apple Silicon Macs. You cannot manage Recovery, but you can password protect it. You can run a script to set a Firmware Password for Intel Macs. Firmware Passwords don't exist for Apple Silicon, and this function is handled by the Recovery Password. The Recovery Password for Apple Silicon is set when the device is enrolled if configured in prestage.
There is not an MDM command that I am aware of to set the recovery lock password. So, reprovisioning a device once that setting has been configured in prestage will enable the lock. Else you can look into the Jamf API: "Recovery Lock Enablement in macOS Using the Jamf Pro API - Technical Articles | Jamf".
Posted on 09-29-2022 12:55 PM
Agreeing with AJPinto - there isn't a way to prevent erasing a Mac, but there is a way to lock down the path to get to this point:
You can set a Firmware password (Intel) after the Mac has been enrolled via Policy, but Recovery Lock can only be configured on Apple Silicon during enrolment, so the only way to do that is a wipe/erase and enrolment.