Lost/Stolen Devices Best Practices - 2023

VintageMacGuy
Contributor II

I wanted to start a thread on best practices for dealing with lost and stolen devices (Macs / iOS).

Some older threads exist, but with the new Apple Silicon Macs and newer OS security enhancements, I wanted to check back on this topic and see what people are doing.

Past threads have suggested:

  • Create a lost/stolen prestage enrollment - however this may possibly be bypassed by setting a Mac up with no wifi.
  • Install Prey to get screen shots and geolocation sent back to you for recovery efforts - however it may require approval to access the camera and screen.
  • Lock the device and wipe it remotely.
  • Run a script that will lock the screen and play an audible notice to speak that this device is lost or stolen.

Any other ideas/suggestions/updates?


AJPinto
Honored Contributor III

There are not really any good options. Apple does not really have lost/stolen devices in a workflow for MDM. There is nothing really like iCloud Activation Lock, which would be best.
We remove our devices from JAMF, and leave them in ABM as assigned to JAMF. We use JAMF Connect and have account creation disabled during Setup Assistant. If a user does not have LAN credentials they are not getting into macOS. As far as before a wipe, we have pretty aggressive password requirements, FileVault enabled, and EFI/Recovery password locked.

Looks like iCloud Activation Lock for iOS devices can be bypassed by a few tools out there. Not sure if you were aware.

We are looking at doing something similar: leaving them in ABM and then pointing the lost/stolen devices to a custom PreStage enrollment in JAMF Pro which requires the password of a JAMF admin to complete the setup and also bypasses account creation. But I have not tested the workaround where not connecting to a Wi-Fi or wired network would let you bypass the PreStage enrollment and just boot the normal macOS. I suspect the option to bypass the Wi-Fi connection may have been removed in a recent OS upgrade, meaning you MUST connect to Wi-Fi to attempt to set up the Mac. I'll have to test this out to confirm.

AJPinto
Honored Contributor III

It is exceedingly difficult to bypass Activation Lock. You basically have to either bypass activation, or swap the chip on the logic board that has the phone's identity on it (basically Apple thinks it's a different device).
I had never thought of using a PreStage just for stolen devices; that is a really good idea. macOS currently cannot be activated without an internet connection. However, with macOS 14 there are changes coming to that. A device can get all the way into macOS and when it gets an internet connection it will be forced to enroll in MDM (sparing on details due to NDA).

We have the exact same issue and thoughts! And our experience is the same, meaning that a savvy user can bypass all of the hurdles we raise. I agree that on iOS, Activation Lock and MDM enrollment can be bypassed by available tools. On macOS, the easiest way to bypass MDM enrollment is by simply installing Monterey instead of Ventura and setting it up offline. This is true regardless of whether the MDM enrollment requires credentials or not.

With that said, we do have a custom PreStage enrollment for stolen devices that clearly informs the user that this device is stolen. However, we've chosen to require credentials to enroll (after informing the user that the device is stolen and should be returned, including shipping instructions) and then apply very restrictive restrictions etc. The downside of this is that the device usually never gets re-enrolled, but a user who intends to use the device even though it is stolen isn't very interested in enrolling at all anyway. So the only possible upside is that we perhaps could get the device put in Lost Mode and geolocate it. But in the end, geolocation does very little to help with asset recovery.

Another option we've considered, and ultimately rejected, is to enable Activation Lock on all devices. However, that would lead to an increased burden on staff and our service desk when re-enrolling devices, which isn't worth it because less than 1% of devices are in fact stolen during their life cycle. Instead, we've opted to disable USB Restricted Mode via policy for all devices, in order to help staff and users get out of a lock-in situation, such as when the device is locked and Wi-Fi credentials/certificates don't work, or when the user has forgotten their passcode. Remember that iOS devices don't connect to Wi-Fi after a reboot until they have been unlocked. With this method, staff or a user can connect the device to USB Ethernet to enable the device to receive a Clear Passcode MDM command.
In our case, our fleet is pretty big and the asset loss problem is relatively small. If you have a smaller fleet, or have a bigger problem with asset loss, perhaps these options would be weighed differently. But ultimately, this is an Apple problem, meaning that they still leave known loopholes open, which creates incentives for theft. I hope this will be fixed permanently with the upcoming changes for macOS 14 though, as indicated during WWDC. The future for iOS devices looks less bright so far though.
obi-k
Valued Contributor III

How do you like Prey? Just curious if you guys are happy with it.

We are looking into it, but have not used it yet. I see there is a 14-day free trial for it, which we may or may not use to test with in our JAMF sandbox environment and on test Macs to see if it adds more value than work.

It seems interesting in that you can re-use licenses, so we may not need to install it on the whole fleet, but rather try to push it specifically out to lost/stolen devices in an effort to recover them.

We are also wondering whether we can create an Apple ID, push it onto the lost devices and enable "Find My..." to geolocate them.

AJPinto
Honored Contributor III

I don't think you can grant an app location access from the CLI or MDM; that must be done through the GUI. If Prey needs location access, that would need to be manually granted in macOS by the user (or tech). This probably won't work for a post-event install. I don't know how Prey works specifically, just speaking generally on how location access works.
You can't auto sign in with Apple IDs either. Apple has a long way to go in the managed Apple ID space.

russell_garriso
New Contributor III

We fortunately haven't had issues with macOS devices apart from one incident where a laptop was accidentally left behind, and the user was immediately aware the next morning. The iPhones running iOS are a more recent addition to our Jamf, but we have had a few walk off at varying points in their deployment.
Our process is a little more simplistic. We have FileVault and a password set and required on all the user devices. Users are trained to report missing devices immediately. When that happens we send a macOS Lock or iOS Lost Mode command. The Mac becomes a paperweight if it receives the command, but it is possible FileVault would prevent it from ever getting to that point. The iOS devices can also be wiped, which is what would be done immediately in the case of a theft. Most of the time the phone is just left behind somewhere or just under a dog bed at home, so Lost Mode is the starting point. If we can't get hold of the phone, an Erase command is sent followed by another Lost Mode command.

This thread sparked my interest in how we might do things differently. Would like to know what anyone thinks of the above? It is a pretty old and established practice for us, so I wonder if it needs updating. Instead of breaking NDAs I guess I will just keep a sharp eye out for what is in store around this on macOS 14. Thanks in advance for any ideas on the process.
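The lock / Lost Mode / erase sequence described in the post above is usually clicked through in the Jamf Pro console, but it is easy to get wrong under time pressure (a DeviceLock PIN that nobody wrote down, or an erase sent before Lost Mode). Below is an added example, written for this edit and not taken from the thread or from Jamf, that builds those commands as Jamf Classic API requests so the PIN is generated and recorded before anything is sent. The endpoint paths (`/JSSResource/computercommands/command/DeviceLock/passcode/...`, `/JSSResource/mobiledevicecommands/command/...`), the XML layout for EnableLostMode, the token endpoint `/api/v1/auth/token`, and the placeholder server `jamf.example.com` are assumptions from the public API reference and should be checked against your Jamf Pro version. Nothing leaves the machine unless `send()` is called with a reachable server and a valid token.

```python
"""Build the Jamf Pro commands used when a device is reported missing.

Added example: not Jamf's code and not from the thread. Endpoint paths and
the EnableLostMode XML below are assumptions taken from the Classic API
reference; verify them for your Jamf Pro version before relying on them.
"""
import base64
import json
import secrets
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

JAMF_URL = "https://jamf.example.com"  # placeholder, not a real server


def new_lock_pin() -> str:
    """Six-digit numeric PIN for DeviceLock. Record it in the ticket before
    sending: on an Apple silicon Mac it is the only way past the lock screen."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass(frozen=True)
class JamfCommand:
    path: str                     # relative to the Jamf Pro base URL
    body: Optional[bytes] = None  # XML payload, or None for path-only commands

    def url(self, base: str = JAMF_URL) -> str:
        return base.rstrip("/") + self.path


def mac_device_lock(computer_id: int, pin: str) -> JamfCommand:
    """DeviceLock for a Mac; the passcode is part of the Classic API path."""
    if not (len(pin) == 6 and pin.isdigit()):
        raise ValueError("DeviceLock passcode must be exactly six digits")
    return JamfCommand(
        f"/JSSResource/computercommands/command/DeviceLock/passcode/{pin}/id/{computer_id}"
    )


def _mobile_command_xml(device_id: int, command: str, **general: str) -> bytes:
    """<mobile_device_command> body with a <general> block and one target device."""
    root = ET.Element("mobile_device_command")
    gen = ET.SubElement(root, "general")
    ET.SubElement(gen, "command").text = command
    for tag, value in general.items():
        ET.SubElement(gen, tag).text = value
    devices = ET.SubElement(root, "mobile_devices")
    ET.SubElement(ET.SubElement(devices, "mobile_device"), "id").text = str(device_id)
    return ET.tostring(root, encoding="utf-8")


def ios_lost_mode(device_id: int, message: str, phone: str, footnote: str = "") -> JamfCommand:
    """EnableLostMode with the on-screen message and a callback number."""
    body = _mobile_command_xml(device_id, "EnableLostMode",
                               lost_mode_message=message, lost_mode_phone=phone,
                               lost_mode_footnote=footnote,
                               always_enforce_lost_mode="true")
    return JamfCommand("/JSSResource/mobiledevicecommands/command", body)


def ios_erase(device_id: int) -> JamfCommand:
    return JamfCommand(f"/JSSResource/mobiledevicecommands/command/EraseDevice/id/{device_id}")


def stolen_iphone_plan(device_id: int, message: str, phone: str) -> List[JamfCommand]:
    """Order used in the post above: Lost Mode first (most phones are just
    misplaced), erase if it cannot be retrieved, then Lost Mode again so the
    message is shown if the device ever checks in."""
    return [ios_lost_mode(device_id, message, phone),
            ios_erase(device_id),
            ios_lost_mode(device_id, message, phone)]


def bearer_token(base: str, user: str, password: str) -> str:
    """Jamf Pro API bearer token (POST /api/v1/auth/token with basic auth)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base.rstrip("/") + "/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {cred}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]


def send(cmd: JamfCommand, token: str, base: str = JAMF_URL) -> int:
    """POST one command; returns the HTTP status (201 when Jamf queued it)."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/xml"}
    if cmd.body is not None:
        headers["Content-Type"] = "application/xml"
    req = urllib.request.Request(cmd.url(base), data=cmd.body, method="POST", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Typical use is `pin = new_lock_pin()`, write the PIN into the incident ticket, then `send(mac_device_lock(computer_id, pin), token)`; for an iPhone, walk `stolen_iphone_plan(...)` one step at a time and stop after the first Lost Mode command if the phone turns up. Queued commands only execute when the device next contacts Jamf, which is why the earlier posts note that a FileVault-locked Mac or a rebooted, still-locked iPhone may never receive them.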