Posted on 09-16-2022 09:05 AM
We have found the lock command for computers in Jamf is letting our students get around the lock by restarting their computers. With an Intel Big Sur machine, the lock command will restart it to the EFI password screen; we can enter the EFI password and continue to the white passcode screen, or we can restart and get returned to the EFI password screen again. Intel Monterey machines shut down and restart to the EFI password screen; if we put in the EFI password, it goes to the gray passcode screen showing the message we set with the code. If we hold the power button and restart it, the Mac will boot normally and the student can continue using it despite us having locked it.
Posted on 09-19-2022 08:37 AM
In my experience the device reboots to a screen with a password lock, not the EFI/Recovery screen. If the user enters the unlock PIN, macOS will load like normal. With it being just a 6 number password, students may simply be guessing the unlock PIN. So long as you are issuing the command correctly (i.e. device inventory record Lock Computer, or mass action Lock Device) it should work fine.
JAMF is sending out the DeviceLock MDM command, and from what you are saying the device is getting the command and enabling the lock. JAMF is done; I would not be blaming JAMF here. Since the device is rebooting and you are seeing the lock, that means the MDM functionality is working. Where you seem to be seeing issues is in how the OS is behaving in response to the MDM command. I recommend checking with Apple.
Lock a Device | Apple Developer Documentation
Remote Commands for Computers - Jamf Pro Administrator's Guide | Jamf
Posted on 09-19-2022 09:49 PM
Are you seeing issues on a particular client OS version? I vaguely recall one of the Jamf Server releases mentioning something about a Lock bug for particular macOS versions.
Posted on 11-04-2022 07:57 AM
Hi mstydel
Have you found any resolution for this? I have begun to see the same issue on our side. We send the lock command as we always have, only now it reboots the device to the EFI lock field, which can be bypassed exactly how you said.
Anything yet?