macOS lost/stolen prestage

nsbickhart
Contributor

I made a prestage enrollment for lost/stolen Macs and set up a smart group that will notify me by email if a macOS device enrolls into the lost/stolen prestage.

Has anyone out there come up with a way to locate a stolen device using this method?

3 REPLIES

ricardtolosa
New Contributor III

Hi @nsbickhart ,

Now that you have a prestage and a smart group you could do different things:
- connect that email to your alerting system and enable lost mode, which will give you location info in Jamf if the command goes through.
- add a policy that installs a tool like Prey that can provide you more data once marked as stolen.
- create config profiles and add an EFI password that will make the device unusable and a pain to wipe / fix.
- a combination of the above

The good thing is that you can just leave stolen machines assigned to that prestage and let the magic happen. We have managed to recover / brick devices stolen 2 years ago with this approach, which is nice :)

daniel_ross
Contributor III

Pretty much what @ricardtolosa said is the same for us. Prey is an amazing tool that I learned about at JNUC a few years ago. You might want to check with your legal team about using it as it's HIGHLY intrusive software.

monogrant
Contributor

We took a little different approach.

We wanted to be as light as we could. We created a new pre-stage and hid our admin account. We also set the local user to a standard user.

Then I wrote a script to run at every check-in (we were able to turn it up to 15 min, but it could be executed via cron as well, triggering an ongoing policy).

My script did the following:
- Take screenshot silently and put in /tmp
- For all users copy Chrome profiles
- Copy system logs
- Zip contents and upload to a write-only FTP connection

I'm having to resurrect this as we have another system out there.

Our goal was to stay light and not scare the thief or new owner into trashing the machine and walking away. We wanted them to stay online.

It worked.

I was able to lead the police to the new owner, with a photo from his LinkedIn profile. I led them to his classroom at UMN. They literally knocked on his classroom door with campus police in tow, walked into the lecture, pulled him from class, verified the property, took the laptop and left. He had all kinds of shady activity on it and some pirated software, but I couldn't prove any crimes. I was able to recover our computer from the station. It took about a week.

If I dig up the script I'll post here.

UPDATE: Found it! It's from May 2018, so it'd be worth checking. I'm going to dig in a bit. Forgot about looking for iCloud user details and Bluetooth devices.

#!/bin/sh

# Log date and time; every path is quoted so the script survives spaces
DateTime=$(date "+%Y-%m-%d-%H-%M")
path="/tmp/${DateTime}"
mkdir "$path"
cd "$path" || exit 1
touch "$DateTime.txt"

# Silent screen capture into the new /tmp dir
screencapture -x -T 1 "$path/$DateTime.png"

echo 'Serial Number:' >> "$DateTime.txt"
system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' >> "$DateTime.txt"
echo '' >> "$DateTime.txt"
echo 'Users:' >> "$DateTime.txt"
users >> "$DateTime.txt"
echo '' >> "$DateTime.txt"
echo 'iTunes Account Details:' >> "$DateTime.txt"
for u in /Users/*; do
    echo "$u" >> "$DateTime.txt"
    plist="${u}/Library/Preferences/com.apple.iTunes.plist"
    # Only read the plist when it exists (the original test was inverted
    # and was missing the slash after ${u})
    if [ -f "$plist" ]; then
        echo 'StoreUserInfo:' >> "$DateTime.txt"
        defaults read "$plist" "StoreUserInfo" >> "$DateTime.txt"
    else
        echo 'Not signed in' >> "$DateTime.txt"
    fi
done
myip="$(dig +short myip.opendns.com @resolver1.opendns.com)"
echo "My WAN/Public IP address: ${myip}" >> "$DateTime.txt"
echo '' >> "$DateTime.txt"
echo 'IP Address and Other Network Connections:' >> "$DateTime.txt"
ifconfig >> "$DateTime.txt"
echo '' >> "$DateTime.txt"
echo 'Nearby Broadcasting WiFi Networks:' >> "$DateTime.txt"
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s -I 3 >> "$DateTime.txt"
echo '' >> "$DateTime.txt"

# Copy Chrome profiles, exclude large, unneeded data.
# Each user's profiles go under their own subdirectory so they don't overwrite each other.
for u in /Users/*; do
    chrome="${u}/Library/Application Support/Google/Chrome"
    [ -d "$chrome" ] || continue
    dest="${path}/$(basename "$u")"
    mkdir -p "$dest"
    if [ -d "${chrome}/Default" ]; then
        rsync -a --exclude "Sync Data/" --exclude "Application*/" --exclude "IndexedDB/" --exclude "Local*/" --exclude "Service*/" --exclude "File*/" --exclude "Extensions/" "${chrome}/Default" "${dest}/"
    fi
    for p in "${chrome}"/Profile*; do
        # When no Profile* directory exists the glob is left unexpanded; -d skips it
        if [ -d "$p" ]; then
            rsync -a --exclude "Sync Data/" --exclude "Application*/" --exclude "IndexedDB/" --exclude "Local*/" --exclude "Service*/" --exclude "File*/" --exclude "Extensions/" "${p}" "${dest}/"
        fi
    done
done

# Optional: grab data from your JSS to include in the log bundle
# Specify the computer ID number, and make sure to update the JSS URL

id='518'
/usr/bin/curl -s -X GET \
  "https://jss.YOURJSS.com:8443/JSSResource/computers/id/$id" \
  -H 'accept: application/json' \
  -H 'authorization: Basic (AUTH DATA HERE - Postman can help)' >> "$path/full_inventory.json"

# Zip up the wifi log
zip -qr "$path/wifi_log.zip" /var/log/wifi.log

# Check for Bluetooth devices
system_profiler SPBluetoothDataType >> "$path/bluetooth-devices.txt"

cd /tmp || exit 1
tar zcf "/tmp/$DateTime.tgz" "$DateTime/"

# This is an FTP user with write-only access to an FTP server
/usr/bin/curl -s -T "/tmp/$DateTime.tgz" -u stolenlaptops:PASSWORDHERE "ftp://your.ftp-server-here.com/$DateTime.tgz"
# Remove both the working directory and the archive so nothing is left on disk
rm -fr "$path"
rm -f "/tmp/$DateTime.tgz"
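On the receiving side, each check-in's text report has to be turned into something a responder can act on (serial, public IP, local addresses, nearby SSIDs/BSSIDs). The parser below is an added example written for this thread; it is not monogrant's code. It assumes only the section headers and ordering that the script's echo lines produce (the "Nearby Broadcasting WiFi Networks:" block is taken to be `airport -s` output with an SSID/BSSID/RSSI column layout), and the sample report embedded in it is constructed, not a real upload.

```python
"""Parse one check-in report produced by a lost-laptop script of the shape above.

Added example for this thread. The section headers are the ones the script
echoes; SAMPLE_REPORT below is a constructed report, not a real upload.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout the script's echo/append lines produce.
SAMPLE_REPORT = """Serial Number:
C02ABC123DEF

Users:
student

iTunes Account Details:
/Users/student
Not signed in
My WAN/Public IP address: 203.0.113.45

IP Address and Other Network Connections:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255

Nearby Broadcasting WiFi Networks:
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                      CampusNet 00:11:22:33:44:55  -52  36      Y  US WPA2(PSK/AES/AES)
                   Coffee Guest 66:77:88:99:aa:bb  -71  6       Y  US NONE
"""

# Map each header line the script writes to a section name.
HEADERS = {
    "Serial Number:": "serial",
    "Users:": "users",
    "iTunes Account Details:": "itunes",
    "IP Address and Other Network Connections:": "ifconfig",
    "Nearby Broadcasting WiFi Networks:": "wifi",
}

# One scan row: right-aligned SSID, a MAC-style BSSID, then a signed RSSI.
SCAN_ROW = re.compile(
    r"^\s*(?P<ssid>.+?)\s+(?P<bssid>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\s+(?P<rssi>-?\d+)\s",
    re.IGNORECASE,
)
INET_LINE = re.compile(r"^inet (\d+\.\d+\.\d+\.\d+)")


@dataclass
class CheckIn:
    serial: str = ""
    users: list = field(default_factory=list)
    public_ip: str = ""
    local_ips: list = field(default_factory=list)
    networks: list = field(default_factory=list)  # (ssid, bssid, rssi)


def parse_report(text):
    """Walk the report line by line, switching sections on the known headers."""
    report = CheckIn()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in HEADERS:
            section = HEADERS[stripped]
            continue
        # The public IP line carries its value inline rather than under a header.
        if stripped.startswith("My WAN/Public IP address:"):
            report.public_ip = stripped.split(":", 1)[1].strip()
            continue
        if not stripped:
            continue
        if section == "serial" and not report.serial:
            report.serial = stripped
        elif section == "users":
            report.users.extend(stripped.split())  # `users` prints names space-separated
        elif section == "ifconfig":
            m = INET_LINE.match(stripped)
            if m and m.group(1) != "127.0.0.1":
                report.local_ips.append(m.group(1))
        elif section == "wifi":
            m = SCAN_ROW.match(line)
            if m:  # the column header row has no BSSID, so it is skipped
                report.networks.append(
                    (m.group("ssid").strip(), m.group("bssid").lower(), int(m.group("rssi")))
                )
    return report


def strongest_network(report):
    """Return the (ssid, bssid, rssi) with the best signal, or None if no scan rows."""
    if not report.networks:
        return None
    return max(report.networks, key=lambda n: n[2])


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"serial={r.serial} public_ip={r.public_ip} local_ips={r.local_ips}")
    print(f"closest access point: {strongest_network(r)}")
```

The strongest-signal BSSID is the field worth handing to whoever is doing the physical follow-up, since the public IP usually only narrows things to an ISP or campus; the parser keeps the loopback address out of `local_ips` so the list reflects real interfaces.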