Posted on 01-02-2024 11:58 AM
Does anyone know of a way to record when a Mac is wiped for auditing purposes? Like SOC?
Posted on 01-02-2024 12:54 PM
@danlaw777 If you're asking about the Wipe Computer management command, that should still be in the computer record for the device, but only until the Mac is re-enrolled, so I don't think that'll meet your audit data interest. If you're asking about the user initiating an Erase All Content and Settings on the Mac itself, there's no persistent log on that either.
Posted on 01-04-2024 05:35 AM
It may help or give you an idea on how to achieve the result you are after.
For my different wipe policies, e.g. (Wipe and back to school / circulation, Sold Laptops for release...), I will add a command to update the asset tag field before the process starts.
I'm left with items in Jamf that I can search / export on based on that field.
e.g.
jamf recon -assetTag "Sold Laptops $myYear $myDate [$serialNumber]"
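The asset-tag stamp described in the post above, written out as a pre-wipe script step. This is an added example, not part of the original post or the poster's own script; the function names, the `DRY_RUN` switch, the UTC date format and the `UNKNOWN-SERIAL` fallback are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stamp the Jamf asset tag before a wipe so the inventory
# record stays searchable afterwards. Not the poster's script.
# Assumed names: get_serial, build_asset_tag, stamp_before_wipe, DRY_RUN.

JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Print this Mac's serial number; prints nothing where ioreg is unavailable.
get_serial() {
    command -v ioreg >/dev/null 2>&1 || return 0
    ioreg -rd1 -c IOPlatformExpertDevice |
        awk -F'"' '/IOPlatformSerialNumber/ {print $4}'
}

# build_asset_tag REASON DATE SERIAL  ->  "REASON DATE [SERIAL]"
build_asset_tag() {
    reason=$1 stamp=$2 serial=$3
    # Keep the field easy to search and export: letters, digits, space, dash.
    reason=$(printf '%s' "$reason" | tr -cd 'A-Za-z0-9 -')
    [ -n "$reason" ] || return 1
    [ -n "$serial" ] || serial="UNKNOWN-SERIAL"
    printf '%s %s [%s]' "$reason" "$stamp" "$serial"
}

# stamp_before_wipe REASON: update the asset tag, fail if it cannot be set.
stamp_before_wipe() {
    tag=$(build_asset_tag "$1" "$(date -u +%Y-%m-%d)" "$(get_serial)") || {
        echo "refusing to stamp: empty wipe reason" >&2
        return 1
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $JAMF_BIN recon -assetTag \"$tag\""
        return 0
    fi
    if [ ! -x "$JAMF_BIN" ]; then
        echo "jamf binary not found at $JAMF_BIN" >&2
        return 1
    fi
    # A non-zero exit here should stop the wipe step that follows.
    "$JAMF_BIN" recon -assetTag "$tag"
}
```

Call `stamp_before_wipe "Sold Laptops"` ahead of the wipe step and let a non-zero exit stop the policy, so no device is erased without its tag having been written.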
Posted on 01-04-2024 12:49 PM
So long as the device's inventory record is not deleted, this event should be logged in the inventory record under History > Audit. It will tell you who did the thing and when. I'm not sure if this can be redirected to something like Splunk for SOC or not though.