Mac Hack needed - Stolen MacBook Pro

If you're getting public IP addresses (not internal 192. or 10. give that to the authorities to track that down with the ISPs. That's their job.

Is this Mac running 10.7.x? If so, you may be able to remote lock / wipe it. I've got a post on how to do that:

http://derflounder.wordpress.com/2012/04/06/using-casper-8-51-to-remotely-lock-or-wipe-10-7-macs/

I wouldn't do ANYTHING to indicate to the person who has it that someone else knows.

If you can send the Mac unix commands, you may want to do some periodic screencaptures and save the resulting files in a hidden location for collection later up to an FTP or AFP share.

Check out 'man screencapture' for the options. You can specify where the files land, so point them to nice buried hidden location and the user will never know its happening. Make sure to use the -x option to disable sounds.
If you're lucky, you'll get a snap of the person on their Facebook page or some other identifying site.
If you can deploy something to it over http, I'd even consider rolling it into a launchagent that kicks in every minute or so just to keep capturing as many screen captures as possible and then do a collection up to a site as it progresses.

A long time ago i had played around with a binary that allowed for remote snapshots using the built in iSight camera, but the status light comes on when doing that, if I'm not mistaken, so its not as discrete. There may be other tools that are more clandestine.

How is it ending up in your JSS? Do you have your JSS on the outside? That would be helpful to us, as we just had a MacbookPro stolen.

we have a MacPro that has seemingly come online after having disappeared some months ago.. I have a clustered JSS so we have external JSS connectivity to our clients.. I've got no answers, but am watching this with interest.

We had this exact same scenario a year or so ago back. Our JSS is exposed to the world so clients can talk back where ever they are.

A machine was stolen, the user used an installer DVD and reinstalled the OS, BUT they didn't erase the disk first so all that other stuff stayed behind management account, etc.

I had their public IP address, that was given to the authorities, and they busted them, and found several other computers and stolen devices.

It was a little easier made by the fact that they named the machines First (name) Last's (name) machine, so I even had a full name. I looked them up in our campus directory and I gave them an address, too. =D It was sweet.

Hi Everyone,

I just wanted to chime in here from my personal experience with this sort of thing. As many of you know I used to run a 1 to 1 deployment. So over the years we did have a few laptops stolen. Once we got any information on the laptop, be it user information, public IP address, etc. We went to the police and filed a report of stolen property and let them handle it.

There are a lot of legal issues involved in such things and it is most likely in your best interest to get the local authorities involved. File a report, get a paper trail going, let them handle it from there so there is no liability on your part.

This is just my opinion.

Thanks,
Tom

if you can still deploy packages to it, try this:

http://preyproject.com

the pro version has a silent installer pkg. the free version requires manual entry of data at install time.

likewise, you can hand over the wan ip, any of the thief's identification you might have, and possibly geolocation data for the ip to the police.

Thought I'd chime in on this one too. I was recently successful in running a policy on a stolen computer that ran a script to get some pieces of information about the current state of that computer. It resulted in an arrest and recovery of the laptop (and stolen projector, document camera, microphones, and more).

There were several steps involved to get it working properly but it did work. Like others have posted, there are some potential legal issues involved with some of the tactics that could be used but here's a quick script that should be safe for you to run (and the thief won't know you're running it).

This script will create a text file that includes the name of the user on the computer, the serial number, the IP address, nearby broadcasting wifi networks, and the name of the network that the computer is currently connected to. It then FTPs this info to whatever FTP location you want (edit the script where it says USERNAME PASSWORD and FTPLOCATION). Scope the policy to the stolen computer and set the policy to trigger by any, and execute ongoing.

#!/bin/sh
cd /tmp
DateTime=`date "+%Y-%m-%d-%H-%M"`
touch $DateTime.txt
echo 'Serial Number:' >> $DateTime.txt
system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' >> $DateTime.txt
echo '' >> $DateTime.txt
echo 'Users:' >> $DateTime.txt
users >> $DateTime.txt
echo '' >> $DateTime.txt
echo 'IP Address and Other Network Connections:' >> $DateTime.txt
ifconfig >> $DateTime.txt
echo '' >> $DateTime.txt
echo 'Nearby Broadcasting WiFi Networks:' >> $DateTime.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s -I 3 >> $DateTime.txt
/usr/bin/curl -T $DateTime.txt -u USERNAME:PASSWORD ftp://FTPLOCATION/$DateTime.txt
rm -f $DateTime.txt

You can find the ISP that the IP address belongs to through any of the many IP search websites. Give all this information to the police. They can get a search warrant that will require the ISP to give them a physical address. Its pretty easy from there...

There's more that could be added and cleaned up in this script, but this should be enough for the police to get a search warrant and location of the stolen computer.

Good luck!
~Joe

You're assuming the laptop is still in the possession of the person stealing it. It may be in the hands of someone who unknowingly purchased stolen property.

Accessing any information on this computer could be seen as a legal invasion of someone's privacy. What it sends to you is one thing. What you do to access its contents is another.

I suggest following Craig's original advice, which is to let the police handle this. Don't act without involving your organization's legal counsel.

Generally speaking, all good advice to contact law enforcement right away with whatever information you may have.
But, in most states, even purchasing stolen property is a criminal offense, and the purchaser can be convicted and thrown in jail, especially if they had a suspicion of it being illicit goods. The trouble is, there's no way to know either way. At the end of the day though, we're talking about stolen property. Regardless of who has it now, it still stolen and doesn't belong to them, no matter if they 'paid' for it. I guess all I'm saying is, don't get too hung up on an invasion of privacy concern. You're just trying to gather as much useful information as you can for law enforcement to track down your stolen laptop.

Also, get your legal department involved immediately. While things that you do may be done in good faith, you may cross the line with wiretap laws. Be careful.

Yes definitely check with your legal department first, but don't think of it as a "barrier." There are many software programs out there (Prey, LoJack, etc) that do this everyday. You just have to see what the privacy laws are in your state or country, which is what your company/school legal department is for. Let legal know that you have the tools (Casper) and the knowledge (scripting) to do this. Let them know exactly what you'll be doing. Get the "OK" (in writing) from your legal department, and use your knowledge and tools to help the police get back what belongs to your school/company. Legal will tell you what you can or can't do. Write a script to do what you can do. Like mm2270 said, "You're just trying to gather as much useful information as you can for law enforcement to track down your stolen laptop." Just get the "OK" from legal and go with it.

Without Scripting, you can already add exceptions in the Inventory Option --> Inventory Collection Preferences --> Extension Attributes --> Add Extension Attribute From Template --> and allow to display IP-Geo Location, IP Address and Last Wi-fi network accessed.
Then go to Inventory Display Preferences and tick the boxes in Extension attributes.

This will give you enough information to report the location of the stolen machine to the authorities and have a rough idea of where the machine is.

Pre-requisite, obviously, is that your JSS has to be reachable from "the outside" (assign the IP:8443 to a public IP of your domain).

I advice you to set EFI password for firmware at startup as well, so thefts won't be able to rebuild the machine (Target mode and netboot will be disabled), resulting in disability of using the device at all, if unaware of user password.
Leaving the guest user enabled it's actually suggested, since the mdm will report all the useful data to the JSS once logged in and connected to wi-fi/LAN.

Best way is to do batch install of Prey software, only if you're still able to use Casper to send the package with script. This will take pictures, tell you location, IP address, running applications etc.

http://support.preyproject.com/kb/installation/how-to-deploy-prey-in-batch-mode-mac-os