Stolen MacBook reporting back to JSS

CFountain
New Contributor

Three weeks ago we had a MacBook stolen. Recently it has begun reporting back to JSS. It only does so at login and logoff. So I created and deployed a Prey package to the machine but it fails to start due to a proxy/firewall. This proxy/firewall has also prevented all my ssh and other remote control attempts. Does anyone have some ideas that I can try to help recover our MacBook?

15 REPLIES

BrysonTyrrell
Contributor II

Do the other "remote control attempts" include trying a lock command? (if it is a 10.7/8 Mac)

CFountain
New Contributor

I believe it would work but I'm reserving that as my last option. I'm afraid if I lock it the guy would just trash it and it will be lost forever. I've sent terminal commands and run scripts on it. But nothing I could think of has helped me come closer to finding it. My JSS log says he's spent some time in Photo Booth; is there a way for me to upload those pictures?

williape
New Contributor

You could deploy a script to the computer that copies the files to a server using scp or something...

mm2270
Legendary Contributor III

If it's reporting in, I assume you're getting an IP address for it? I assume since you know it was stolen you (or someone in your org) filed a police report. If so, you may want to give the police any information you can gather, such as the IP address it's reporting back. It may be possible to get a general location based on that. Even if it doesn't, good to have that info in the report in case it's needed down the line.

As for the proxy/firewall, do you suspect that the thief enabled this, or is the firewall something you had enabled on your laptops? Just wondering if you may be able to turn some settings off remotely since you can run a script on it.

Lastly, as williape suggests, you could put a script together to run at login that would copy any images located in the Photo Booth library up to a remote location, but it's possible the proxy/firewall might foil that as well.

jarednichols
Honored Contributor

Get in touch with the police and your legal department immediately.

While doing things like taking photos of the perp sounds like a good idea, depending on your location it may actually violate privacy or wiretap laws. (No, the irony of doing this to someone who stole the machine isn't lost on me.)

Follow their guidance as to what you can and cannot do.

franton
Valued Contributor III

Get a subpoena for the historical record of that IP at the specific time it reconnected. That should be got through your legal department and forwarded to your local police immediately.

DanSam
New Contributor III

I agree with jarednichols, contact your local law enforcement. You can get the IP address from the inventory, you can provide this to the police and they should be able to track it from there.

We had this happen at the end of the last school year and we were able to recover the laptop.

CFountain
New Contributor

Thanks for all the feedback. I'm going to give the authorities the IP address for the police report as suggested. Then let them do what they can. Thanks again guys.

nsdjoe
Contributor II

Use Extension Attributes in the JSS. In Casper 8.62, go to Settings -> Inventory Options -> Inventory Collection Preferences -> Extension Attributes -> Add Extension Attribute From Template. Under Networking, add Current AirPort Network. Under System Information, add IP Geo-Location. Under User Information, add Last User.

Then go to Settings -> Inventory Options -> Inventory Display Preferences and check the boxes in Extension Attributes.

The next time the MacBook checks in, you'll have their IP address, WiFi name, and rough geo-location and maybe even a username (if they were able to create a new account on the computer). Give this info to the police. They will get a warrant and contact the ISP of the IP address. The ISP will give the police the physical street address of that IP. Then the police will go and recover your stolen MacBook and arrest the guy for possession of stolen property.

Hope this helps. Go get em!!!
~Joe

jaferguson
New Contributor II

I created a package to install vuwer (Vanderbilt University Web Enabled Recovery). It installs on any computer that I departmentalize as "STOLEN" and on those departmentalized as "Student Use Computers" when they check in with the JSS from off our network. I had to do some minor customization to one of the vuwer files so that it will report the computer's name rather than the name of the computer I made the package on. I also force a Desktop picture to the computers with Managed Preferences (no good for Lion or Mt. Lion) that indicates that the computer is stolen from our district. I have a script that cranks the sound output to 100% then tells the user that the computer is stolen from us. The JSS policy that puts this in place also sets a firmware password so at least it takes a little more effort to get rid of all this.

This has proved pretty handy in getting computers back from people who don't want any trouble. If it ends up too far away our local police won't commit any resources to recovering it but they are interested in recovering any that are local. Of the ones I've gotten back, several were far enough away that the police wouldn't mess with them. When I catch a Facebook page from a screen shot and start to email the person who has the computer and then start to email their Facebook friends (like their mom), I tend to get results. I haven't recovered all the computers that have gone missing but it's kind of like fishing... I get some.

david_yenzer
Contributor II

We had a similar issue where we noticed a rogue 21.5" iMac off-network and suspected it was stolen. Before we were able to contact authorities, however, we were notified that a pawn shop had acquired the machine and turned it over to the police, where we retrieved it (yes, a 21.5" iMac walked out of one of our buildings and no one noticed or said anything). The key to getting this item back was an MCX item that we incorporated on Day 1 of installing JAMF in our district which places some text on the login screen of every machine that says "This machine is the property of Bellevue Public Schools". <--- I WOULD HIGHLY RECOMMEND THIS AS A PREVENTATIVE MEASURE! When the pawn shop fired up the machine and saw that, the couple couldn't get out of there soon enough. We then were able to log in to our administrative account and captured all of their iPhoto images, wireless network/password, all their GarageBand recordings, Address Book home address, email address, phone number, countless emails just by using "spotlight search" on their email address. Turned it all over to the police for their records - don't know if they did anything with it, but at least we got the machine back thanks to that piece of JAMF. Ideally I'd like to incorporate a custom background image on the login screen, but have had mixed results so far and will need to spend more time on that. That might even prompt more intrusive theft precautions to "fix" the machine before trying to pawn it, so maybe we'll leave it as is.

Anyway, prior to that we attempted the lock command and remoting into the machine, with no success - we are still in the process of attempting to put a distribution point in the DMZ with the hopes that in addition to allowing package deployment off-network that it might enable us to interact off-network with our machines, if necessary, in cases just like these when they are believed to be stolen.

david_yenzer
Contributor II

For the Login Window text I described, here's the path:

Management > Managed Prefs > Create Managed Pref > Create from Template > search for "Login Window Text"

swapple
Contributor III

Now with DEP, I have wanted to set up a separate DEP MDM server and point our stolen/missing devices in DEP to the new server so if someone tried to reformat/reset the device, DEP would aid in the rescue. Have it push down things to alert the holder that the Mac/iPad is stolen and to return it to us. Then device wipes and/or super long passcode to secure the device. Still in planning stage.

stevewood
Honored Contributor II

@swhps there's really no need to stand up a separate DEP server. I recently recovered a stolen laptop using DEP and Prey Project. I posted the script I used to deploy the Prey agent via an FTP site on this JAMF Nation post:

Prey Project Mass Deploy through

I had an MBA that was stolen last March and did not start reporting into the JSS until this past February. The person who had the device wiped it several times, putting first Yosemite on it and then El Capitan. Each time the Casper agent was loaded on the machine and it started checking in. Then Prey deployed and I was able to capture data on the device, including screen caps and camera pics. I contacted the Dallas PD and forwarded them the information. The next day I got a call from the detective and he delivered me the recovered laptop.

That laptop had FileVault on it, so I wasn't concerned with data breach, just the lost device. I also utilized the free version of Prey.

emily
Valued Contributor III

^^^

Prey Prey Prey Prey Prey, deploy Prey!