Posted on 07-12-2018 03:16 PM
We had 6 machines stolen out of a remote office. Remote lock commands were issued to all devices successfully. Since it's unlikely these machines will be returned to us I don't want to keep their profiles in Jamf anymore.
Is there any risk that deleting their profiles in Jamf would remove the remote lock? I want to be certain that they continue to be inaccessible.
Thanks!
Posted on 07-12-2018 03:35 PM
If you have not confirmed that the lock commands were received by the Macs (although the commands were sent successfully or queued),
I would maybe designate them stolen in the JSS, by either putting "STOLEN" in front of the name or putting that in the bar code/asset area somewhere... (or create a special extension attribute and link to a report or something)
Then create a reminder for a few weeks, or whenever you officially give up (with the computer names in a note), to delete them from the JSS; that way you give them a chance to remote lock.
Just my thought on it; I'm sure there are more ideas floating around.
Posted on 07-13-2018 12:00 AM
Although it's pretty obvious, nonetheless:
If you really, really want them to be inaccessible, then make sure that you have activated the EFI password and FileVault encryption on your machines.
(Extra important when you don't use DEP)
Posted on 07-13-2018 01:40 PM
If a remote lock was successful you won't be able to get other policies to run that would enable firmware or FileVault. But regardless, sending a lock command is essentially doing an EFI/firmware lock and you can't wipe it or do anything other than bring it to an Apple store.
Also, the device record keeps the MDM command and history of the lock code if you were to get them back, unless you were confident that you would remember the code you used or documented it somewhere.
Posted on 07-13-2018 03:05 PM
Thanks for your replies. I've confirmed that the lock code was successfully delivered via History > Management History on a few of the devices. All of them have FileVault enabled but no EFI password.
I was planning to remove the machines that have confirmed their lock commands were successfully received from management. There are a few that still say pending (those machines haven't checked in since stolen). I plan to keep those in management until I see confirmed device lock commands.
From what you're all saying, it does sound like the lock will remain in place once it's successfully implemented, even if I later delete the device from MDM management.
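The workflow the thread settles on (delete only records whose DeviceLock command shows as completed, retain anything still pending so the Mac can pick up the lock on its next check-in) can be scripted against the command history instead of clicking through each record. The following is an added example, not code from any poster or from Jamf. It assumes the XML shape returned by the Jamf Classic API endpoint `/JSSResource/computerhistory/id/<id>/subset/Commands` (`computer_history` > `commands` > `completed`/`pending`/`failed` > `command` > `name`); confirm that layout against your own Jamf Pro version. The `fetch_history` helper and the sample responses are hypothetical/constructed, and the code runs offline on those samples.

```python
"""Triage Jamf computer records after a remote lock: which records can be
deleted (lock confirmed) and which must stay enrolled (lock still pending).

Assumption: the XML mirrors the Classic API computerhistory/subset/Commands
response. Sample documents below are constructed, not real devices."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LOCK_COMMAND = "DeviceLock"


@dataclass
class LockStatus:
    computer_id: int
    state: str   # "completed", "pending", "failed" or "never_sent"
    action: str  # "safe_to_delete" or "retain"


def lock_state(xml_text: str) -> str:
    """Return the most favourable recorded state of the DeviceLock command.

    A completed lock wins over an older failed or re-queued one, so buckets
    are checked in that order."""
    root = ET.fromstring(xml_text)
    for bucket in ("completed", "pending", "failed"):
        for cmd in root.findall(f"./commands/{bucket}/command"):
            if (cmd.findtext("name") or "").strip() == LOCK_COMMAND:
                return bucket
    return "never_sent"


def triage(computer_id: int, xml_text: str) -> LockStatus:
    """Only a confirmed lock makes the record safe to drop; the lock itself
    lives in firmware on the Mac and survives deletion of the MDM record.
    Export the lock passcode from the record before deleting it, since the
    record is the only place it is kept."""
    state = lock_state(xml_text)
    action = "safe_to_delete" if state == "completed" else "retain"
    return LockStatus(computer_id, state, action)


def fetch_history(base_url: str, computer_id: int, user: str, password: str) -> str:
    """Hypothetical helper: GET the command history for one computer via the
    Classic API with HTTP basic auth. Not called by the offline samples."""
    url = f"{base_url.rstrip('/')}/JSSResource/computerhistory/id/{computer_id}/subset/Commands"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/xml",
                                               "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


# Constructed sample responses (not real Jamf data).
COMPLETED_XML = """<computer_history><commands>
  <completed><command><name>DeviceLock</name><status>Acknowledged</status></command></completed>
  <pending/><failed/>
</commands></computer_history>"""

PENDING_XML = """<computer_history><commands>
  <completed><command><name>ProfileList</name></command></completed>
  <pending><command><name>DeviceLock</name><status>Pending</status></command></pending>
  <failed/>
</commands></computer_history>"""

NEVER_SENT_XML = """<computer_history><commands>
  <completed><command><name>ProfileList</name></command></completed>
  <pending/><failed/>
</commands></computer_history>"""

SAMPLES = {101: COMPLETED_XML, 102: PENDING_XML, 103: NEVER_SENT_XML}


def triage_all(samples: dict) -> list:
    return [triage(cid, xml) for cid, xml in samples.items()]


if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        print(f"computer {result.computer_id}: lock {result.state} -> {result.action}")
```

Run it as-is to see the three constructed cases; to use it against a real JSS, replace `SAMPLES` with `{cid: fetch_history(url, cid, user, pw) for cid in ids}` using a read-only API account, and treat any `retain` result as a record to leave enrolled until the Mac checks in.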