Lost mode - ensuring it's actually enabled?

foobarfoo
Contributor

Scenario: Some iOS devices that have been set to lost mode, including always enforce lost mode, aren't actually in lost mode.


The reason why that has happened seems to be due to the following:


1. An administrator enabled lost mode in JAMF. The device was offline at the time.

2. Sometime later, all pending and failed commands are cleared (regular maintenance of JAMF, good to do when you have a large environment with 60k iOS devices, where some are more active than others).

3. Sometime later, the device comes online and never receives enable lost mode because the pending command was deleted. Now, JAMF still believes that this device is in lost mode, but it isn't.

I understand this is probably due to limitations in the implemented logic in JAMF. For instance, if a configuration profile was never installed because it was cleared when it was still pending, JAMF detects that and reissues the install command for the missing configuration profile on the next inventory update. However, it doesn't work that way with lost mode.

Now, is there at all any logic natively in JAMF to reissue lost mode if it's not actually set when the device does the next inventory update? If not (my assumption), can these cases be detected somehow, for instance by finding devices by a query of some sort instead of just looking at devices and manually trying to assess if this is enabled? Normally this is done by the lack of UpdateLocation commands while other commands keep flowing as normal. The idea would then be to have some in-house developed code that queries this, and disables/enables lost mode again via API on a regular basis.


But again, the best way to solve this would be if JAMF could detect and remedy this condition natively, especially if the intent to always enforce lost mode is set to on.


Any ideas? Feature request? Clever query? Or would this be considered a bug rather than a feature request so a support ticket would be the next step?
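The detection heuristic described in the question (a device Jamf flags as in Lost Mode, no UpdateLocation or acknowledged EnableLostMode since the enable was issued, yet other commands completing normally) can be scripted against each device's command history. The block below is an added example written for this thread, not code from the original poster or from Jamf. It assumes the Classic API shapes a practitioner would check against their own Jamf Pro version: per-device history from GET /JSSResource/mobiledevicehistory/id/<id> with commands under management_commands/completed|pending|failed and millisecond epoch fields, the device record's lost_mode_enabled and lost_mode_enable_issued_epoch values (passed in here as plain arguments), and the POST /JSSResource/mobiledevicecommands/command/EnableLostMode XML body used to reissue. The sample history XML and the five-device fleet are constructed to exercise each outcome, so the script runs offline.

```python
"""Find iOS devices Jamf believes are in Lost Mode but that never received
EnableLostMode (e.g. the pending command was purged before the device checked in).

Added example for this thread; not the original poster's or Jamf's code.
Assumed (verify against your Jamf Pro version's Classic API docs):
  - GET /JSSResource/mobiledevicehistory/id/<id> lists commands under
    <management_commands>/<completed|pending|failed>, epochs in milliseconds
  - the device record's <security> block carries lost_mode_enabled and
    lost_mode_enable_issued_epoch (supplied to parse_history as arguments here)
  - POST /JSSResource/mobiledevicecommands/command/EnableLostMode takes the XML
    produced by enable_lost_mode_xml()
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ISSUED_EPOCH = 1_700_000_000_000  # constructed: when the admin clicked Enable Lost Mode (ms)
HOUR = 3_600_000


@dataclass
class DeviceState:
    device_id: int
    lost_mode_enabled: bool                        # Jamf's belief, from the device record
    issued_epoch: int                              # lost_mode_enable_issued_epoch (ms)
    completed: list = field(default_factory=list)  # (command name, completed_epoch)
    pending: list = field(default_factory=list)    # command names still queued
    failed: list = field(default_factory=list)     # command names that errored


def parse_history(xml_text: str, lost_mode_enabled: bool, issued_epoch: int) -> DeviceState:
    """Reduce one mobiledevicehistory response to the fields the check needs."""
    root = ET.fromstring(xml_text)
    dev = DeviceState(int(root.findtext("general/id")), lost_mode_enabled, issued_epoch)
    cmds = root.find("management_commands")
    if cmds is None:
        return dev
    for c in cmds.findall("completed/command"):
        dev.completed.append((c.findtext("name"), int(c.findtext("completed_epoch", "0"))))
    dev.pending = [c.findtext("name") for c in cmds.findall("pending/command")]
    dev.failed = [c.findtext("name") for c in cmds.findall("failed/command")]
    return dev


def assess(dev: DeviceState) -> str:
    """Classify a device that Jamf marks as being in Lost Mode.

    enabled         EnableLostMode was acknowledged, or UpdateLocation commands completed
                    after it was issued (only a device really in Lost Mode answers those).
    pending         still queued: nothing to do yet.
    failed          the device rejected it: investigate rather than blindly reissue.
    command_lost    other commands completed after the issue time but EnableLostMode is
                    nowhere in the history: the queue was purged before delivery and
                    Jamf's flag is wrong. Reissue.
    offline_unknown no check-in since the issue time, so nothing can be concluded yet.
    """
    if not dev.lost_mode_enabled:
        return "not_lost_mode"
    since_issue = [name for name, t in dev.completed if t >= dev.issued_epoch]
    if "EnableLostMode" in since_issue or "UpdateLocation" in since_issue:
        return "enabled"
    if "EnableLostMode" in dev.pending:
        return "pending"
    if "EnableLostMode" in dev.failed:
        return "failed"
    if since_issue:
        return "command_lost"
    return "offline_unknown"


def devices_to_reissue(devices) -> list:
    """IDs whose Lost Mode command was lost; the candidates for a reissue via the API."""
    return sorted(d.device_id for d in devices if assess(d) == "command_lost")


def enable_lost_mode_xml(device_ids, message, phone, footnote, always_enforce=True) -> str:
    """Request body for the EnableLostMode command (assumed Classic API element names)."""
    root = ET.Element("mobile_device_command")
    ET.SubElement(root, "command").text = "EnableLostMode"
    ET.SubElement(root, "lost_mode_message").text = message
    ET.SubElement(root, "lost_mode_phone").text = phone
    ET.SubElement(root, "lost_mode_footnote").text = footnote
    ET.SubElement(root, "always_enforce_lost_mode").text = "true" if always_enforce else "false"
    devs = ET.SubElement(root, "mobile_devices")
    for did in device_ids:
        ET.SubElement(ET.SubElement(devs, "mobile_device"), "id").text = str(did)
    return ET.tostring(root, encoding="unicode")


def _history_xml(device_id, completed=(), pending=(), failed=()) -> str:
    """Constructed sample response in the assumed mobiledevicehistory shape."""
    done = "".join(f"<command><name>{n}</name><completed_epoch>{t}</completed_epoch></command>"
                   for n, t in completed)
    queued = "".join(f"<command><name>{n}</name></command>" for n in pending)
    errored = "".join(f"<command><name>{n}</name></command>" for n in failed)
    return (f"<mobile_device_history><general><id>{device_id}</id></general>"
            f"<management_commands><completed>{done}</completed>"
            f"<pending>{queued}</pending><failed>{errored}</failed>"
            f"</management_commands></mobile_device_history>")


# Constructed fleet: Jamf flags devices 1-4 as lost_mode_enabled; device 5 is a control.
SAMPLE = [
    parse_history(_history_xml(1, completed=[("EnableLostMode", ISSUED_EPOCH + 60_000),
                                            ("UpdateLocation", ISSUED_EPOCH + HOUR)]), True, ISSUED_EPOCH),
    parse_history(_history_xml(2, pending=["EnableLostMode"]), True, ISSUED_EPOCH),
    parse_history(_history_xml(3, completed=[("UpdateInventory", ISSUED_EPOCH + 24 * HOUR),
                                            ("DeviceInformation", ISSUED_EPOCH + 25 * HOUR)]), True, ISSUED_EPOCH),
    parse_history(_history_xml(4, completed=[("UpdateInventory", ISSUED_EPOCH - HOUR)]), True, ISSUED_EPOCH),
    parse_history(_history_xml(5, completed=[("UpdateInventory", ISSUED_EPOCH + HOUR)]), False, ISSUED_EPOCH),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.device_id, assess(d))
    ids = devices_to_reissue(SAMPLE)
    print("reissue to:", ids)
    print(enable_lost_mode_xml(ids, "This iPad belongs to Example School", "+1 555 0100", "Return for a reward"))
```

Run on a schedule, the script only reissues for the command_lost case; pending devices are left for the next push, failed ones are surfaced for a human, and devices silent since the issue time are deliberately not touched, since a reissue there would just recreate the pending command that the next cleanup purges. Device 3 in the sample is the exact scenario from the question: inventory kept flowing after the enable was issued, but no trace of EnableLostMode remains.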

1 ACCEPTED SOLUTION

mdp
Contributor

We have that problem as well, which is why I wrote this a while back:

https://github.com/MatthewPrins/Jamf/blob/main/Devices_Pending_Command_Add_to_Group.sh

If you make pendingcommand="EnableLostMode" in the script, you can add all devices that have been sent a Lost Mode command but haven't received it to a static group. Once they're there you can use the API to reissue the command, rename them all "[Device Name] LOST MODE PENDING", etc., as well as backup knowledge if the command ever gets accidentally cleared out. 

Not sure this is the absolute perfect solution, but it works for us.

---
Matthew Prins -- Jamf Scripts @ Github
