Posted on 08-26-2013 08:17 AM
Theoretically (or if anybody has done this), if I issue a remote lock/wipe command to a misplaced Mac, will it work if our JSS is internal access only? It travels over APNS, which then wouldn't rely on the JSS, but I wasn't sure if there was something that required the JSS to be external facing.
Posted on 08-26-2013 08:39 AM
It won't work unless the Mac can communicate in with your JSS. APNs only acts as a relay. It uses the persistent connection to the Mac to tell it to "check in" with its JSS, because it has something for it to execute. If the Mac can't actually connect to your JSS, it will never receive the Remote Lock/Wipe command. The command doesn't come from Apple's servers, it comes from your JSS.
Posted on 08-26-2013 08:41 AM
I was afraid you would tell me that.
Posted on 08-29-2013 10:19 AM
I tested this a couple days ago and it doesn't work. Hopefully I can put a Mac mini in the DMZ and have it point to the internal JSS db. I tried a remote lock, remote wipe and added a few settings to an Apple Profile, and the Mac did not receive any of these while off the internal network.
Posted on 08-30-2013 01:59 PM
I just tried a remote lock and, well, it said it was sent successfully, but I can still use the computer. Any idea how long the command takes to get to the Mac?
Posted on 08-30-2013 02:03 PM
Tested this post renewing APNS cert, locked within 2 minutes.
BUT Mac was on our WAN at the time.
Posted on 08-30-2013 02:12 PM
There are a lot of possible reasons why the remote lock/wipe functions don't work, or take some time to actually work. I can say that we had a few issues at first getting it to work and had to get with our network folks to make sure the proper ports and traffic weren't being blocked. But now that it's set up, it works quite well and pretty fast actually. Usually in less than 1 minute from sending a command to a Mac that is connected to the internet, they receive the push and do the action.
I don't know that we've actually tested the more destructive wipe command, but we've done remote lock in a lot of tests and it works nicely.
Posted on 08-30-2013 02:17 PM
Well, looking at history all my commands have completed; this one has yet to complete, 21 minutes now. So I guess I will just let it sit and see what happens.
Posted on 08-30-2013 02:24 PM
On the Mac you sent the command to, run:
netstat | grep tcp4
Do you see an entry for something along the lines of Apple courier port 5223?
Posted on 08-30-2013 02:48 PM
nope
Posted on 08-30-2013 02:50 PM
Does the Mac get any other profiles?
(Other than the MDM one).
Posted on 08-30-2013 02:54 PM
No, it does not, but I rebooted just for fun and now it's locked.
enough playing for the week, everybody have a good holiday weekend in the US. ttl and thanks for the help.
Posted on 08-30-2013 03:01 PM
I think you need ports 5223 & 443 open to 17.0.0.0/8 (or whatever Apple's range is).
Saw it on a tech doc like https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificati...
Port 5223 is the persistent connection between the client & Apple that the push notifications are delivered over. (Again, I think.)
JAMF rep should be able to assist.
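The check suggested earlier in the thread (`netstat | grep tcp4`, looking for the port-5223 courier connection) and the firewall point just above (5223 and 443 open to 17.0.0.0/8) can be automated. The script below is an added example, not code from the thread or from JAMF: it reads `netstat -an`-style lines and reports whether the Mac actually holds an ESTABLISHED TCP 5223 connection to a 17.x.x.x host, which is the connection the push relies on. The two sample netstat outputs are constructed for illustration, and the column layout (local address, foreign address, state as fields 4, 5 and 6, with the port appended to the address after a dot) is assumed to match macOS `netstat -an -p tcp`.

```shell
#!/bin/sh
# Added example: does this Mac hold the persistent APNs courier connection
# (TCP 5223 to Apple's 17.0.0.0/8 range) that push-driven MDM commands need?

# Constructed sample netstat lines (not captured from any real machine).
# Case 1: courier connection established.
SAMPLE_CONNECTED='tcp4       0      0  192.168.1.20.52345     17.167.192.12.5223     ESTABLISHED
tcp4       0      0  192.168.1.20.52346     93.184.216.34.443      ESTABLISHED'

# Case 2: outbound 5223 blocked at the firewall, so the handshake never completes.
SAMPLE_BLOCKED='tcp4       0      0  192.168.1.20.52346     93.184.216.34.443      ESTABLISHED
tcp4       0      0  192.168.1.20.52347     17.167.192.12.5223     SYN_SENT'

# apns_connected reads netstat -an style lines on stdin.
# Exit 0 if an ESTABLISHED tcp4 connection to a 17.x.x.x host on port 5223 exists,
# exit 1 otherwise (no connection, or a connection stuck in SYN_SENT).
# Assumption: macOS column order, address and port joined by a dot (17.1.2.3.5223).
apns_connected() {
    awk '$1 == "tcp4" && $6 == "ESTABLISHED" && $5 ~ /^17\.[0-9]+\.[0-9]+\.[0-9]+\.5223$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# check_sample prints a human-readable verdict for a block of netstat output.
check_sample() {
    if printf '%s\n' "$1" | apns_connected; then
        echo "APNs courier connection present"
    else
        echo "No established APNs connection on port 5223"
    fi
}

# Run against the constructed samples.
check_sample "$SAMPLE_CONNECTED"
check_sample "$SAMPLE_BLOCKED"

# On a real Mac you would feed live output instead:
#   netstat -an -p tcp | apns_connected && echo "APNs connected"
```

If the live check fails, `netstat` showing a 5223 connection stuck in SYN_SENT (rather than no line at all) points at an egress firewall rule, which matches the "proper ports weren't open" experience described earlier in the thread; a missing line entirely more often means the Mac is not enrolled or the push service has not started.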
Posted on 08-30-2013 03:04 PM
This might help too http://support.apple.com/kb/TS4264
Also try: https://jamfnation.jamfsoftware.com/discussion.html?id=8195#respond