Send Lock command for termed employees

Tcisneros
New Contributor II

Hello All,

I am hoping someone can give me an idea on how to get this working. As far as I can find, it does not look like I have the ability to accomplish this with the built-in options (it is entirely possible that I am wrong).

So my goal is to set up a profile/policy that will automatically send the lock command with a preset code and message to a computer when their AD account has been changed to a termed status, or even if their ID no longer exists in AD.

Any suggestions would be greatly appreciated. Currently management wants to set up something that will auto-lock the Mac if it has not checked in to Jamf for 30 days or more (I will take tips on this as well). Not a bad idea, but I feel if it has not checked in in that amount of time it is not going to, so it won't get a lock command. Getting something sent within a day or two of the employee leaving would be a bit more efficient. Also, it will hopefully help to recover all our equipment. Thoughts?

1 REPLY

sdagley
Esteemed Contributor II

@Tcisneros There is no capability built in to Jamf Pro policies that will allow you to automatically lock a computer when it meets the criteria you describe.

It is however possible to script that behavior using the Jamf Pro Classic API. In rough outline you'd need a script that queries your AD system for the ID of termed users, calls the Classic API on the /computers/match/{match} endpoint to find computers that match on that ID, then calls the /computercommands/commands/DeviceLock endpoint to lock those computers.
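
A planning step for the outline in the reply above, as an added example that is not from the thread or from Jamf: it selects which computer IDs would receive DeviceLock, keeps only exact username matches, and refuses to proceed past a cap. The `/JSSResource/...` path forms, the JSON keys `id` and `username`, the host name and the cap value are assumptions; the HTTP calls and authentication are left to the caller.

```python
from urllib.parse import quote

# Assumed Classic API path forms; confirm both against your Jamf Pro
# instance's API reference before use.
MATCH_PATH = "/JSSResource/computers/match/{match}"
LOCK_PATH = "/JSSResource/computercommands/command/DeviceLock/passcode/{passcode}/id/{id}"


def match_url(base, username):
    # Percent-encode the username so it cannot alter the request path.
    return base.rstrip("/") + MATCH_PATH.format(match=quote(username, safe=""))


def lock_url(base, passcode, computer_id):
    if not (passcode.isascii() and passcode.isdigit() and len(passcode) == 6):
        raise ValueError("DeviceLock passcode must be six digits")
    return base.rstrip("/") + LOCK_PATH.format(passcode=passcode, id=int(computer_id))


def plan_locks(termed_users, fetch_matches, max_locks=5):
    """Return the sorted computer ids to lock for the given termed usernames.

    fetch_matches(username) stands in for a GET on match_url() and returns the
    "computers" list of the JSON response (assumed keys: "id", "username").
    """
    targets = set()
    for user in termed_users:
        for computer in fetch_matches(user):
            # The match endpoint searches several inventory fields, so keep
            # only records whose assigned username is exactly this user.
            if (computer.get("username") or "").lower() == user.lower():
                targets.add(int(computer["id"]))
    # Fail closed: a faulty directory query must not lock the whole fleet.
    if len(targets) > max_locks:
        raise RuntimeError(f"{len(targets)} targets exceeds cap of {max_locks}")
    return sorted(targets)


# Constructed inventory standing in for API responses (not real data).
SAMPLE = [
    {"id": 11, "name": "MBP-01", "username": "jdoe"},
    {"id": 12, "name": "jdoe", "username": "asmith"},  # matches on name only
    {"id": 13, "name": "iMac-7", "username": "JDoe"},
]

def sample_fetch(username):
    return [c for c in SAMPLE if username.lower() in (c["name"].lower(), c["username"].lower())]

if __name__ == "__main__":
    for cid in plan_locks(["jdoe"], sample_fetch):
        print("would POST", lock_url("https://jamf.example.com:8443", "123456", cid))
```

Run it in this dry-run form against an export of termed accounts first and review the printed targets before wiring in the real requests.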