Lock macBook after not checking into MDM for set period of time

R_C
Contributor

IT Security has posed a request to me and it is one I see a lot of merit in yet have been unable to locate any information for in the Jamf Nation Forums.

 

Essentially, I would like to have a macBook lock itself after not checking into the MDM after a set period of time. Let's say 30-60 days. The use case for this would be for a machine has been out of use or stolen, and taken offline. Once it has been disconnected from any network connection, it is orphaned from all of our controls and the person with the machine has free rein to do with it and the data on it as they please.

I would like to setup something so that if the machine fails to reach JAMF after 30 days or so, it will lock the machine and prompt the user to contact IT for remediation.

Does anyone have any suggestions on whether there is currently anything out there that could do this?

7 REPLIES 7

AntMac
Contributor II

I've seen this question come up in the forums a few times with differing responses. 

You could set up a smart group with the last check in X days criteria. This gives you your target pool.

Der Flounder has a script which will likely work for you to deploy bulk locks Using the Jamf Pro API to send device lock commands via MDM to multiple Macs | Der Flounder (wordpre...
Personally I would use an automated lock process with EXTREME caution as there have been reported instances in distant past where lock has not been able to be lifted by rightful owners later. 

Lock commands are reliant on a few things: 

Mac OS 10.15 
Apple School Manager or Apple Business Manager
JAMF Pro 10.20 or higher

Additional technical information here:

Leveraging Apple’s Activation Lock Feature with Jamf Pro - Technical Articles | Jamf

Activation Lock for iPhone, iPad, and iPod touch - Apple Support

The problem with this method is that it would still require the machine to be reachable over the internet.

In this case I am trying to lock a machine that has no internet connectivity for 30+ days which would require a config baked into the machine independent of JAMF, ABM, etc.

AntMac
Contributor II

The device lock built into JAMF does leverage Apples device lock process/APNs. This means:

If a device is lost/stolen and remote lock is sent as soon as any form of Internet is reached it will lock out - it does not need to be able to connect to your JAMF server. 

Even if the person succeeds in wiping the device it will fail activation as it will show as owned by a company  -  a screen will be displayed saying the device is managed by companyname

All of this would result in a very pretty looking brick for someone until brought back into IT which is what I thought you were looking for?

Not aware of any other supported/tried and true method but someone else may have a suggestion.  

Fluffy
Contributor III

You can easily bypass the management screen after wiping the device by choosing no internet, can you not? Or is that part of the remote lock?

But with Apple adding support for Recovery passwords on the M1's and the Intel machines having firmware passwords is also a key feature for these kinds of things.

jcaleshire
New Contributor III

macOS will show an "Urgent software update required, please connect to the internet to continue" warning message when you try and bypass the activation phase that way. Back in Catalina, it looked like this:

jcaleshire_0-1629734034543.jpeg

During activation, the Mac is checking for both Activation Lock status and for automated device enrollment information. If it isn't able to reach Apple's activation servers, it will thrown an error and require you to attach a working network connection. Then again, this may only be the case with models with the T2 or M1 chips, I haven't actually gone back to test this on older models.

We have a couple dozen 2015 11" MacBooks running 11.4 that I bypassed Jamf by setting up without internet. The only thing I have seen since is a notification 'This device can be managed by Jamf' but does not enforce it. It's been 2 or 3 weeks and they have been used for taking tests.

I'll have to test on our M1's as that will be a big help since the Recovery Password isn't rolled out in Jamf yet. Thanks for the info.

tlarkin
Honored Contributor

So we do something like this for off-boarding, but you are going to need reliable data to do this with an external tool/function.  I suggest shipping inventory complete webhooks and track when devices stop submitting inventory.  Our off-boarding does sent remote commands.

 

However, we in IT, have a remediation dashboard that tracks this and we open service now tickets for the offending device.  Then that ticket goes through the ticket/escalation flow.  I would recommend only doing remote locks when it is necessary, and for reporting and remediation you use data and tickets. This gives you an audit trail and better data.