Mac OS Lockdown Mode flawed

brobbins
New Contributor II

So we have found, for both a managed and a non-managed Sonoma machine, that there is a bug in Apple's Lockdown Mode.

In order to enable Lockdown mode, one must be an admin on the machine.

Once Lockdown mode is enabled, one can no longer use Apple's ARD program or ssh into that device. This is to be expected based on Apple's documentation.

We also have an additional admin-type account on our machines so the Tech department can work on a machine without the end user's login information. We could log in with that account, go to System Preferences and disable it.

HOWEVER, disabling Lockdown Mode with the other account DOES NOT restore the ability to use ARD or ssh into the machine.

I have reached out to Apple and our Apple SE but have received no follow-up communication.


brandon698sherr
New Contributor

Hello @brobbins,

Enabling Lockdown Mode on a Mac (managed or unmanaged) prevents Apple Remote Desktop (ARD) and Secure Shell (SSH) access, which is expected behavior. Disabling Lockdown Mode with a different administrator account doesn't restore ARD/SSH functionality.

IT departments might rely on ARD/SSH for remote management and support. Losing access after enabling Lockdown Mode could disrupt IT workflows.

brobbins
New Contributor II

Agreed, that was my point.

Why would Apple allow a user preference to affect an entire machine?

The only way to "fix" it is to wipe the machine. Seems very counterproductive.

Apple doesn't allow MDMs to manage this setting.

Also, there is no way to record the setting and report it to Jamf.

Not a bad idea, but a definitely flawed implementation so far.
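As an added example (not from any poster in this thread and not a Jamf or Apple script), here is a Jamf-style extension attribute that makes the state described above visible in inventory: it reports whether Lockdown Mode appears enabled for the console user and whether Remote Login (sshd) is actually on, and flags the combination the original post describes, Lockdown Mode disabled but remote access still off. Two assumptions are made: that the per-user Lockdown Mode state is stored under the global-domain preference key `LDMGlobalEnabled`, which Apple does not document and which should be verified on a test Mac before relying on it, and that `systemsetup -getremotelogin` is the source of truth for SSH state. The parsing and classification logic is split into functions so it can be exercised on any POSIX shell with constructed input; only the final block, which runs the real macOS commands, requires macOS and root.

```shell
#!/bin/sh
# Added example: Jamf extension attribute reporting Lockdown Mode vs. remote-access state.
# Assumption (undocumented by Apple): Lockdown Mode state lives in the console user's
# global preferences under the key LDMGlobalEnabled (1 = enabled). Verify before use.

# Classify the output of `systemsetup -getremotelogin` ("Remote Login: On" / "Remote Login: Off").
parse_remote_login() {
    case "$1" in
        *"Remote Login: On"*)  echo on ;;
        *"Remote Login: Off"*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Classify the raw `defaults read` value of the (assumed) LDMGlobalEnabled key.
# An absent key (empty string) means Lockdown Mode was never turned on.
parse_lockdown_flag() {
    case "$1" in
        1)    echo enabled ;;
        0|"") echo disabled ;;
        *)    echo unknown ;;
    esac
}

# Combine both signals into one inventory value. The third branch is the state
# from the thread: Lockdown Mode switched off, but SSH was not re-enabled.
classify() {
    lockdown="$1"
    remote="$2"
    if [ "$lockdown" = enabled ]; then
        echo "lockdown-enabled"
    elif [ "$lockdown" = disabled ] && [ "$remote" = on ]; then
        echo "lockdown-disabled-remote-access-ok"
    elif [ "$lockdown" = disabled ] && [ "$remote" = off ]; then
        echo "lockdown-disabled-remote-access-not-restored"
    else
        echo "unknown"
    fi
}

# Live collection: only meaningful on macOS as root (Jamf runs EAs as root).
# On other systems this block is skipped so the functions above can be tested alone.
if [ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ]; then
    console_user=$(/usr/bin/stat -f "%Su" /dev/console)
    # -g is the global domain (.GlobalPreferences) of the console user.
    ldm_raw=$(/usr/bin/sudo -u "$console_user" /usr/bin/defaults read -g LDMGlobalEnabled 2>/dev/null)
    rl_raw=$(/usr/sbin/systemsetup -getremotelogin 2>/dev/null)
    echo "<result>$(classify "$(parse_lockdown_flag "$ldm_raw")" "$(parse_remote_login "$rl_raw")")</result>"
fi
```

Reporting the combined value rather than the Lockdown Mode flag alone is deliberate: a Mac in the `lockdown-disabled-remote-access-not-restored` state is the one that needs hands-on remediation (re-enabling Remote Login with `systemsetup -setremotelogin on` and re-running the ARD `kickstart` tool), and a smart group on that string surfaces it without waiting for an ssh attempt to fail.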