Tuesday
I've been doing some testing of the "Lock Computer" function (from the Inventory/Management screen) and it does not work as I would hope. I want to know if it's working "as expected" or if I'm doing something wrong or if there might be a bug which I should report somehow.
While my test machine (M1/Sonoma 14.7.2) is offline, I send the "Lock Computer" command. Of course I don't expect it to be effective until the machine is awake/networked; Jamf shows it as Pending.
Pretending I'm a computer thief & don't have the password, I wipe the machine, keeping it offline. But in order to install macOS, I need to connect to the network and get past that pesky activation screen. Surprisingly, no problem: your Mac is activated! And installation of the OS proceeds.
As installation proceeds, I check Jamf: the Lock command is still Pending. After OS installation completes, but before creating an account, the Lock command disappears from Pending, but it doesn't show under Management History at all (Completed, Pending or Failed); it simply vanishes. The computer is not locked.
If I send another "Lock Computer" command after the machine is up and running again (and online), the machine locks right away, as I would expect. But I'd also expect that if the machine is offline when I send the command, the machine would lock shortly after getting online, and would be unable to activate--but that's not what I'm seeing.
Tuesday
I'm pretty sure that would be expected behavior. There is a setting in System Settings -> Re-Enrollment for clearing management history on re-enrollment. Try changing that setting to clear only Failed commands instead of the default. I am not sure if the lock command would survive the re-enrollment, but test.
That being said, why do you not have your enrollment locked behind user authentication during enrollment? I would highly recommend you add authentication to your enrollment process so that a thief who gets to the Remote Management screen is stuck in your scenario.
Tuesday
For this to work, the Mac must be able to receive the MDM command that was initiated from Jamf Pro. Once it's connected to the internet, it should receive the command and lock. If someone steals it, never gets it online, and then erases and reinstalls it, it won't receive the command since it is no longer enrolled in Jamf Pro. There's no MDM profile connecting it to your server. If your Macs are in Apple Business Manager and assigned to your Jamf Pro server, a Mac that is stolen and then erased and reinstalled would automatically enroll in your Jamf Pro server during setup after connecting to the internet. If you enforce FileVault on your Macs, the thief would have to know the password of an authorized user to be able to perform an erase using macOS recovery. Otherwise, they would need to know how to use Configurator to do a full restore. Even then, after erasing and reinstalling the Mac would still auto-enroll, which would make it trackable, and lockable.
Tuesday
This is expected behavior. These MDM commands are really only useful for keeping users in line, and not for securing lost or stolen devices. The commands are also only broadcast so long as the device is in Jamf; if you remove a device, it kills all commands.
When Jamf starts to broadcast the command to APNS, it will show you Pending. It will continue pending until the command completes or you cancel it. If you cancel the command, it more or less goes away. If it completes, it will be in the inventory record under completed MDM commands. If the device never responds, the command will sit there forever until you cancel it or remove the device. Apple does not have a built-in failure condition for the device not responding. I have also never seen it fail once a device receives the command, but that is not saying it's not possible.
If you want to see a bit of the behind-the-scenes, you can read the Apple developer documentation for this function.
https://developer.apple.com/documentation/devicemanagement/device-lock-command
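The command lifecycle described in the reply above (Pending until completed or cancelled; gone entirely once the device record is removed or re-enrolled with its history cleared) is something you can watch for rather than discover by accident. The script below is an added example written for this thread, not code from Jamf or from any poster: it polls the Classic API's computer history for one computer, reports whether a DeviceLock command is pending, completed, failed, or absent, and flags the exact case the original poster hit, where a command that was pending simply vanishes without ever landing under Completed or Failed. The endpoint path `GET /JSSResource/computerhistory/id/{id}/subset/Commands` and Bearer-token auth are from the Classic API as I know it; the JSON payloads embedded here are constructed for the example, and the field layout is assumed to match that endpoint's `commands.completed/pending/failed` lists.

```python
"""Track the state of a Jamf Pro DeviceLock command for one computer.

Added example, not from the thread or from Jamf. Network access is only
needed by fetch_history(); the constructed samples below let the state
logic run offline.
"""
import json
import urllib.request

LOCK_COMMAND = "DeviceLock"

# Constructed sample: "commands" subset of a computer_history record while
# the lock is still queued. Timestamps and other values are made up.
SAMPLE_BEFORE_ERASE = {
    "computer_history": {
        "commands": {
            "completed": [
                {"name": "ProfileList", "status": "Acknowledged",
                 "completed_epoch": 1700000000000},
            ],
            "pending": [
                {"name": "DeviceLock", "status": "Pending",
                 "issued_epoch": 1700000100000,
                 "last_push_epoch": 1700000200000},
            ],
            "failed": [],
        }
    }
}

# Constructed sample: the same record after the Mac was erased and
# re-enrolled with management history cleared. The lock is in no list.
SAMPLE_AFTER_ERASE = {
    "computer_history": {
        "commands": {"completed": [], "pending": [], "failed": []}
    }
}


def lock_command_state(history: dict, command_name: str = LOCK_COMMAND) -> str:
    """Return 'pending', 'completed', 'failed' or 'absent' for command_name.

    Pending is checked first so a freshly issued lock is not masked by an
    older completed one in the same record.
    """
    cmds = history.get("computer_history", {}).get("commands", {})
    for state in ("pending", "completed", "failed"):
        if any(c.get("name") == command_name for c in cmds.get(state, [])):
            return state
    return "absent"


def classify_transition(previous: str, current: str) -> str:
    """Interpret the change between two polls of the same computer.

    'vanished' is the thread's case: the command was pending and is now in
    none of the three lists, which is what an erase plus re-enrollment with
    history clearing looks like from the API. Treat it as a signal that the
    device is no longer under the original enrollment, not as a lock.
    """
    if previous == current:
        return "unchanged"
    if previous == "pending" and current == "absent":
        return "vanished"
    if previous == "pending" and current == "completed":
        return "locked"
    if previous == "pending" and current == "failed":
        return "failed"
    return "other"


def history_url(base_url: str, computer_id: int) -> str:
    """Classic API path for the Commands subset of a computer's history."""
    return (f"{base_url.rstrip('/')}/JSSResource/computerhistory/id/"
            f"{computer_id}/subset/Commands")


def fetch_history(base_url: str, computer_id: int, bearer_token: str) -> dict:
    """Fetch the Commands subset with a Jamf Pro bearer token (assumed to
    have been obtained from /api/v1/auth/token beforehand)."""
    req = urllib.request.Request(
        history_url(base_url, computer_id),
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline walk-through using the constructed snapshots.
    before = lock_command_state(SAMPLE_BEFORE_ERASE)
    after = lock_command_state(SAMPLE_AFTER_ERASE)
    print(f"first poll: {before}, second poll: {after}, "
          f"verdict: {classify_transition(before, after)}")
```

In use, run the first poll right after issuing the lock, store the state, and compare on each later poll; a `vanished` verdict is the moment to check Apple Business Manager assignment and the Re-Enrollment settings mentioned earlier in the thread, because the command will not be re-sent on its own.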