Lock Computer (Management Command)

user-IUsJxvLxeb
New Contributor III

Is there a document process for Jamf admins to recover Mac OS devices that have been locked with the Lock Computer command?  I understand from prior threads there is the risk of brute force activity by the end user that could render the device useless.  Is there any recommended best practice from Jamf to prevent this from happening?  

7 REPLIES 7

jtrant
Valued Contributor

Jamf's documentation on Remote Locks is sparse, but Apple have a recovery procedure where you enter a key sequence which reveals a unique hash code that you then send to them. In return they will provide you with a file that you copy to a USB key which will allow you the Mac to boot.

All of this happens providing you either 1) provide proof of purchase, or 2) the Mac is in your DEP/ABM account.

Whether this will work if a bad firmware password is entered too many times, I'm not sure as I haven't run into this scenario. I would assume so however.

user-IUsJxvLxeb
New Contributor III

Thank you.. I was hoping for something directly in jamf. I haven't used the feature yet.  If its going to be a hassle to recover the machine I will just go another route. 

talkingmoose
Honored Contributor II
Honored Contributor II

Once a device is locked, it's off network and won't communicate with Jamf Pro until it's unlocked. Only the Jamf Pro admin can provide the unlock code (or as mentioned above, Apple can help). But that all relies on what the person holding the computer decides to do. You have no control there.

It's near impossible to legally force someone (e.g., a former employee or student) to return property. If you think it's gone for good, you can lock the computer only to make it useless to the person in possession of it.

If you have a property sticker with your contact information affixed to the computer, that's going to be the only way a stranger, such as a pawn shop owner, will be able to connect with you to return it.

dmlasd
New Contributor II

I sent the lock command for a computer that was not returned by a former employee.  You said that a mac stays "off network" until it's unlocked?  Jamf shows that the locked mac is still checking in.  That doesn't make sense to me.  (I thought maybe I was confused about having locked it, but I can see the "Lock Device" command in Management History completed commands.)

dmlasd
New Contributor II

I have tested locking two other (on prem) computers and in both cases the computer stopped checking in with Jamf while locked.

What is weird is that there is one (off prem) computer that I've locked (twice now) but it continued to check in.  (The user is a former employee who would not have had the code to unlock it.).  I then sent a Wipe command, which is shown in Management History as "completed" even though (again) the user would not have had the wipe confirmation code.   The computer is now unmanaged and therefore is no longer checking in.  Does this outcome make sense to anyone?   I guess I have no confidence that this computer is not still in use since the Lock command didn't seem to be working.

I'm having the same issue!  I've locked numerous laptops and the process should render the device pretty useless, with no network and definitely not checking in with JAMF.  Now I have a computer that I've sent 2 lock commands to (and both show in history as completed) and yet it's still checking in!

user-IUsJxvLxeb
New Contributor III

Thanks all.. It should like its best for me to avoid using this feature unless, I will still with removing local accounts and forcing a reboot.  This should be sufficient to avoid user access until the device is returned. If the Device is not returned then I can resort to this process. thx all