Posted on 01-09-2012 11:10 AM
We have recently put an external JSS node into production. To our surprise, several MacBooks that were stolen over a year ago were now checking in with our JSS. I have jumped on this to put a process in place using Prey (http://preyproject.com/) to gather some information. As great as this sounds, I have not yet targeted the stolen Macs with Prey and will not be doing so until someone at a higher pay grade than mine tells me to go forward with it. However, I thought it might be handy for someone else to know how I put it together. Comments and suggestions are always welcome.
We have several MacBooks that were stolen a while ago and they are now sending inventory reports and usage data to the JSS (thanks to our new external web node) and they are installing the latest JAMF binary. So, the challenge is to get more information from these Macs. After a little Googling, it looked like Prey might be the quickest option. While being able to install Prey on a Mac, configure it using the GUI and have it be there if, or when, a Mac gets stolen would be a wonderful thing, I had a slightly different situation on my hands. First, I needed to get this software on Macs that were already stolen. Second, putting Prey on all the Macs in our school district would cause some serious privacy concerns (students and employees don't generally like to think about their activities on the district-owned computers as not being private--but that's a whole different discussion).
I did a little playing with the Prey installer on a test Mac and discovered that the "Advanced" option could do exactly what I wanted. It does not install the system preference pane and it sets up the Prey software to report information directly to an email address--no need to involve GUI configuration or the Prey web site. I went to Google and created a gmail account that could be used to receive this data while re-imaging the test Mac. I fired up Composer to capture a snapshot, installed the Prey software with the Advanced setting and configured the advanced fields. First, I included the URL of an address that I know doesn't exist so that when the software gets installed on the stolen Mac, it will immediately start sending information--no need to be able to turn this on or off, the Macs have already been stolen. Next, I entered all the email information for the gmail account I just set up. And finally, I set the run interval to "2" so that it would run every two minutes. This may be overkill, but for my first attempt at catching thieves, I'd rather have too much data than too little. I then finalized the snapshot and created the package.
I manually installed the package on a test Mac and, sure enough, I started receiving emails from the test Mac. However, I discovered the emails were coming in at much longer intervals than I had intended. After looking through the package I had created, I could see that the /private/var/at/tabs/root file had been created with a 5-minute interval--presumably the smallest the Prey installer will let you configure. I rebuilt the package, editing this file to set the interval to 1 minute (mostly to see if I could) and after installing this package on a test Mac, I was receiving emails every 1 minute.
There remained one hurdle to this process: getting the package installed on the stolen Macs. We have set up an external web node, but not an external distribution point. I'm not prepared to have a full external distribution point with all of our packages on it, yet, so I created a share point on an external server, defined an HTTP distribution point in the JSS for this share point and copied the Prey package to the share point manually. In hopes of not inciting any privacy riots, I have also chosen not to have the package exist on any of the internal distribution points. This required uploading the package into Casper Admin so that I could configure the package information and then manually deleting the package from the main distribution point before it could be replicated to the others. In this way, Casper knows about the package and the package exists on the external distribution point (in fact, it is the only package on the external distribution point), but if any Mac on our internal network tried to install it, it would fail.
I created a policy to install the Prey package and scoped it to a test MacBook and set the distribution point for the test Mac to the external distribution point (yet another requirement for this package to be installed and another way to ensure it does not inadvertently get installed on other Macs) and headed home for the weekend with the test MacBook.
Shortly after getting the MacBook connected to my network at home, I started receiving emails in the gmail account with information about the Mac's location (GPS and IP), screenshots and pictures of myself. Woohoo!
Now the really difficult part… trying to get someone to approve using this process to track down the district's stolen equipment. Hopefully it is easier to get permission to install software on computers that are already identified as "stolen" than it would be to install (an inactive Prey) on computers that are being legitimately used by students and teachers. Wish me luck!
Posted on 01-09-2012 12:16 PM
Well, you know what they always say? It is easier to ask for forgiveness over permission? Though I totally understand your conundrum. I, myself, am stuck between what is right and what management wants all the time.
What is stopping you from just monitoring the computer with casper and manually tracking it via IP trackers?
To be honest, your first step should be filing police reports. Then give the data you gather to the police and let them handle it, this is what we do at my work and we have something like a 95% recovery rate on all stolen laptops.
We use Comp-U-Trace though from Absolute since it is tracking software backed by an insurance premium.
Posted on 01-09-2012 01:49 PM
I appreciate how you're letting the higher pay grade make the decisions. You've learned from other folks' mistakes that, right or wrong, you need to tread carefully and worry about privacy. Now, if only we could get users to stop playing lawyer at the end of their email messages...
Your detailed post reminds me of the "Nuke a Mac" thread from the alt.comp.lang.applescript newsgroup early last decade. http://groups.google.com/group/alt.comp.lang.applescript/browse_thread/thread/77b828ca977ca618/ The story as it played out in the thread made Slashdot, Macworld and a few other major sites at the time and was a really fun read.
Posted on 01-09-2012 08:12 PM
In response to your question about monitoring with Casper and manually tracking it with IP trackers, I'm not sure what you mean by "IP tracker". As far as manual tracking and filing police reports, I left the reporting of the data from the JSS to the campus tech at the campus where the computers were stolen (since she knows more about the actual theft and what was reported when it happened) while I pursued the solution to gather even more information. I will admit that, for me, this was more of an exercise in knowing that I have the ability to gather this information than it was in actually gathering the information (knowing that the chances of being allowed to do so are pretty slim). I am content knowing that this works on a test Mac and could be used to find the thieves (although I wish I had more time to take this even deeper--I can envision some creative scripts to gather all kinds of emails, histories, etc. from these machines). The school district will have to decide if they wish to venture into the legalities of actually gathering the information.
Anyway, late this afternoon, the Director of Technology came to chat with me and asked what proof we had that these are our machines (because that was the first thing the police were going to ask him). I explained that I could give him the serial number, asset tag and a myriad of other information about the Macs. He seemed happy that I could provide the serial numbers, since those can be verified to be our equipment and said that he was going to be talking to the police soon. I'm not sure this will result in permission to collect pictures and data, but it's a step in the right direction.
Posted on 01-10-2012 10:04 AM
The JSS should have the last known IP address, that can be used with a whois look up to tell you where the machine is. Beyond that, you would need to get a subpoena to get the actual personal information from the ISP.
Then you would, at that point, want to get the police involved and let them handle it from there. It is what they get paid to do.
Posted on 01-10-2012 03:34 PM
There are lots of things you can collect without even installing other software. Eg. the last logins, wifi networks nearby (I love that one) and even screenshots of the computer's desktop. The trick is to get it back off of the machine if you don't have access to it.
Here are some examples (for 10.6)
#get current wifi network
echo "Current connection: " > /tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I >> /tmp/find/wifi.txt
#get nearby wifi networks
echo "WIFI SCAN: " >>/tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s -r 3 >> /tmp/find/wifi.txt
echo "****end of scanning****"
#start moving user data
#rsync -av $datarecover $rsynchost
In the end, we filed a police report, collected data about the laptop, and got enough info to send the police the person's name and cell phone number, who then called him up and asked for it back. It was all pretty easy and we knew where it was being used from based on the access points nearby.
Good luck.
Posted on 01-13-2012 08:07 AM
Our Directory of Technology met with the detective in charge of the investigation of these laptops (they were reported stolen a year ago when it happened) and the detective suggested that we set it up to send all of the emails directly to him. This sounded like a great idea, but there was a lot of concern about filling up his email box (and a suggestion of getting the information every 30 minutes--which I didn't like because it looks like these computers are only getting used less than an hour a day) and concern that the police department's filtering system might not let the emails through.
I took another look at the Prey software and I could not find a simple configuration setting to tell Prey NOT to take pictures and include them in the email. I did figure out that I could delete the "webcam" folder from the Prey modules folder and it would no longer take the picture--important because the light next to the camera flashes green for a fraction of second when the picture gets taken, potentially letting the thief know they are being tracked. So I rebuilt the package, removing this folder, tested it and received information and screen captures, but no pictures from a test machine.
Our Director of Technology decided that he was OK with gathering this information ourselves and then providing it to the detective as long as the webcam picture was not included. So, I set it up to go out. As of this morning, Prey has been installed on 2 of the Macs and I am receiving emails, but no useful screenshots, yet. I'm also only getting screenshots on a fraction of the emails (coming in every 2 minutes), so I'm guessing it does not take a screenshot when the screensaver is active, but I haven't tested that theory yet.
I also liked the suggestion for collecting data (above) and thought that the easiest way to get this basic information (network & nearby networks) would be to set up a policy that runs a command and logs the information in the JSS. Here is where I am stumped.
I first tried a policy that simply has "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s; ifconfig" in the "Run Command" field under the advanced tab. Nothing showed up in the log--as if the policy didn't run. I have since created a new policy, targeted it toward a test Mac and experienced the same result when the command above is in the "Run Command" field (or even simply "ifconfig"), but it works fine when "ls -la /Volumes" is put in this field. I thought it strange that this would cause the policy not to run, so I checked the /var/log/jamf.log on the test Mac and it looks like the policy is actually being run (it is logged in this file), but apparently it must be crashing because the results are never logged (I have experienced this exact behavior before when I tried to have a policy execute a script that has a syntax error in it causing it to fail). I figured that I might be better off attaching a script to the policy, so I created one, tested it, uploaded it and attached it to the policy (removing the contents of the "Run Command" field). While the script works fine when I run it on a test machine, the policy runs (according to the jamf.log), but nothing gets logged to the JSS. I'm, frankly, perplexed. Here is the script I am using:
#!/bin/bash
echo "Network Info:"
/sbin/ifconfig
echo
echo "Nearby Networks:"
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s
Any ideas why this won't work in a policy?
Posted on 01-13-2012 09:15 AM
Is the stolen machine still managed?
Posted on 01-13-2012 09:23 AM
Yes, the stolen machines are still managed. But more importantly, I can't get this policy/script to work on a test machine sitting on my desk--one I have complete control of.
I have copied the script to the test machine and executed it in a Terminal window and it works fine. I thought maybe it could be a problem executing these commands when no user was logged in, so I logged out of the test machine and initiated an SSH session from another Mac to the test machine and executed the script. That also works fine. It just doesn't seem to want to execute these commands as a "Run Command" or as part of a script attached to a policy.
Posted on 01-13-2012 09:52 AM
check for weird white spaces in your script, make sure it is executable and all of that stuff. If it runs fine in terminal manually, the problem is most likely the script.
Posted on 01-13-2012 10:48 AM
Well, it turns out that trying to use "/sbin/ifconfig" in the policy (either in the "Run Command" field or a script) causes the problem, while using "/sbin/ifconfig en0" and "/sbin/ifconfig en1" works just fine. Go figure. :-/
So, my script now looks like:
#!/bin/bash
echo "Network Info (en0):"
/sbin/ifconfig en0
echo
echo "Network Info (en1):"
/sbin/ifconfig en1
echo
echo "Nearby Networks:"
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s
It works on my test machine. Now to wait and see what comes in from the stolen Macs...
Posted on 01-13-2012 12:00 PM
You can use the networksetup command to create an array of enabled network services, and then from there grab info:
bash-3.2$ networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
Ethernet
FireWire
AirPort
Posted on 08-17-2015 05:21 PM
Great info here. To add to the discussion you could cache the installer pkg on all you macs in your environment and then just activate prey with a script policy once a device goes missing. This way people can't be upset that their device is being reported until time of incident. Also, with the installer package cached you can just run a script to activate and install prey - this also eliminates needing a DP externally.
Let me know if you want me to elaborate on how I set it up - Just tested it and it works great (as long as you have active internet connection of course)
Posted on 08-18-2015 05:56 AM
Fascinating stuff, Justin, thanks for sharing.
Posted on 08-18-2015 11:05 AM
Cool stuff. I think it may be time for you to go Punisher on these thiefs.