Jamf Nation Community

Looks like iCloud Activation Lock for iOS devices can be bypassed by a few tools out there. Not sure if you were aware.

We are looking at doing something similar to leaving them in ABM and then pointing the lost/stolen devices to a custom prestage imaging in JAMF Pro which requires a password of a JAMF Admin to complete the setup and also bypasses account creation. But I have not tested the workaround where not connecting to a wifi or wired network would let you bypass prestage imaging and just boot the normal MacOS. I suspect the option to bypass the wifi connection may have been removed in a recent OS upgrade - meaning yo MUST connect to wifi to attempt to set up the Mac. I'll have to test this out to confirm.

It is exceedingly difficult to bypass activation lock. You basically have to either bypass activation, or have to swap the chip on the logic board that has the phones identity on it (basically apple thinks its a different device).

I had never thought of using a prestage just for stolen devices, that is a really good idea. MacOS currently cannot be activated without an internet connection. However, with macOS 14 there are changes coming to that. A device can get all the way in to macOS and when it gets an internet connection it will be forced to enroll in MDM (sparring on details due to NDA).

We have the exact same issue and thoughts! And our experience is the same, meaning that a savvy user can bypass all of the hurdles we raise. I agree that on iOS activation lock and MDM enrollment can be bypassed by available tools. On macOS, the easiest way to bypass MDM enrollment is by simply installing Monterey instead of Ventura and set it up offline. This is true, regardless if the MDM enrollment requires credentials or not.

With that said, we do have a custom prestage enrollment for stolen devices that clearly informs the user that this device is stolen. However, we've chosen to require credentials to enroll (after informing the user that the device is stolen and should be returned - including shipping instructions) and then apply very restrictive restrictions etc. The downside of this is that the device usually never gets re-enrolled, but a user that intends to use the device even though is stolen isn't very interested in enrolling at all anyway. So the only possible upside is that we perhaps could get the device put in lost mode and geolocate it. But in the end, geolocation does very little to help with asset recovery.

Another option we've considered, and ultimately rejected, is to enable activation lock on all devices. However, that would lead to an increased burden on staff and our servicedesk when re-enrolling devices which isn't worth it because less than 1% of devices are in fact stolen during their life cycle. Instead, we've opted to disable USB restricted mode via policy for all devices, in order to help staff and users to get out of a lock-in situation, such as when the device is locked and wifi credentials/certificates don't work. Or that the user has forgotten their passcode - remember that iOS devices don't connect to wifi after reboot until they have been unlocked. With this method, a staff/user can connect the device to USB ethernet to enable the device to receive a Clear Passcode MDM command.

In our case, our fleet is pretty big and the asset loss problem is relatively small. If you have a smaller fleet, or have a bigger problem with asset loss, perhaps these options would be weighed differently. But ultimately, this is an Apple problem, meaning that they still leave known loopholes open which creates incentives for theft. I hope this will be fixted permanently with the upcoming changes for macOS 14 though - as indicated during WWDC. The future for iOS devices looks less bright so far though.

We are looking into it, but have not used it yet. I see there is a 14 day free trial for it which we may or may not use to test with in our JAMF Sandbox environment and on test macs to see if it adds more value than work.

It seems interesting in the fact that you can re-use licenses - so we may not need to install on the whole fleet, but rather try to push it specifically out to lost/stolen devices in an effort to recover them.

We are also thinking if we can create an AppleID and push it on to the lost devices and enable "Find My..." to geolocate them.

I dont think you can grant an app location access from CLI or MDM, that must be done through the GUI. If Prey needs location access, that would need to be manually granted in macOS by the user (or tech). This probably wont work for a post-event install. I dont know how Prey works specifically, just speaking generally on how location access works.

You can’t auto sign in with AppleID’s either. Apple has a lot way to go in the managed AppleID space.