Tracking Computers

Not applicable

We have a student who checked out of school but failed to check in their
MacBook. I was wondering if anyone knew if there is a way to track this
computer using the Casper Suite now that it is off campus.

Thanks,
--

Glenn Burns
Computer Technician
Snyder ISD
gburns at snyder.esc14.net
325-574-8795
• Certified Mac Technician

19 REPLIES 19

Not applicable

I'm thinking this is only possible if you have an external facing JSS. That is not behind firewalls in your internal network.

#Would love to hear more on this.

Nick Caro Senior Desktop Support Administrator

Not applicable

Depends. If the student hasn't disabled the jamf binary (reinstall?) and the computer has an internet connection, it should eventually report it's IP during the recon. I see that on computers here at the uni, you can tell when the IP is not within the uni-net.
If it still contacts the JSS (no firewalls to the JSS) you should be able to construct a more elaborate scripts to gain more information on the computers whereabouts.

//P

23 feb 2011 kl. 16.18 skrev Glenn Burns:

Not applicable

Exactly, I do have a JSS on the outside and this way as soon as the machine is connected to internet you would get an update on the IP
Hope you find the machine
cheers
Carmelo

bentoms
Release Candidate Programs Tester

There is an extension attribute that is meant to give the GEO IP Location from dyndns.. but it seems to have stopped working.. anyone got a newer one?

Regards,
Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

ernstcs
Contributor III

We just recovered two stolen Mac systems because they didn't wipe the box, so we had the IP addresses. The best part was they put in an install disk to get around administrator and left all the management in tact. They named the box their own name (So and So's iMac)…so then I had an address since it was a student here. =) They had a windows box, too…

But, if they wipe the box and you don't have an externally accessible JSS…you're out of luck in most cases.

Craig E

Not applicable

That's why you need to act fast. Best to have a policy already in place to figure out as much information as possible (and then possibly disable use of the computer) so it can simply be scoped and activated as needed. It's also a good idea to set up your JSS URL to potentially be a public-facing URL, even if it's not currently public-facing. That way, in an emergency, a temporary tunnel can be made to allow the missing device to check in (don't forget the HTTP/HTTPS tunnel for the distribution point, if your emergency policy includes any scripts or packages).

Also, I understand Apple has a database of serial numbers that are flagged as stolen; this can be checked if it ever goes in for repair. I don't know the procedure for getting a SN into that database, but I suspect someone here does, or can find out.

Craig,

I presume those students have been expelled, at the very least?

tlarkin
Honored Contributor

We use CompUTrace from Absolute and it is backed by an insurance
premium. If a computer is stolen we file a police report, and then send
the report to the company and they work with local law enforcement to
recover it. I just wish you could put their app in firmware so a wiped
HD doesn't disable the tracking software.

It does geo-location tracking and tells you what ISP it is on.

Bukira
Contributor

aye need an EFI PreBoot App, I am sure someone could write one, thats
the advantage of EFI

Criss Myers
Senior IT Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development
Software Management Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5050
01772 895050

Not applicable

I don't know how much space EFI has for such code, but I doubt it's anywhere near enough for something like that...

That being said, locking down the machine with an EFI password will at least ensure the drive can't easily be wiped without an admin login. It's still possible to overcome this, if the thief knows how. I would suspect that most don't know how, though. At least not before they connect it to the Internet at least once.

This reiterates the importance of acting as quickly as possible when a theft occurs. The sooner the policy is enabled, the more likely the computer is to receive it the first time it checks in. I wonder what it might take to create a policy that silently takes pictures using the built-in camera, and captures screenshots (and maybe records audio?), and uploads them to a server...

On Feb 24, 2011, at 9:28 AM, Criss Myers wrote:

aye need an EFI PreBoot App, I am sure someone could write one, thats the advantage of EFI

Criss Myers
Senior IT Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development
Software Management Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5050
01772 895050

Bukira
Contributor

Well the idea for EFI is to build preboot applications such as
webbrowser, dvd player and music player, so im sure a simple casper app
wouldn't take much space

apple has 209MB for EFI

Criss Myers
Senior IT Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development
Software Management Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5050
01772 895050

Not applicable

Ah, then I stand corrected.

On Feb 24, 2011, at 10:35 AM, Criss Myers wrote:

Well the idea for EFI is to build preboot applications such as webbrowser, dvd player and music player, so im sure a simple casper app wouldn't take much space

apple has 209MB for EFI

Criss Myers
Senior IT Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development
Software Management Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5050
01772 895050

tlarkin
Honored Contributor

A bit off topic here, but Comp-U-Trace has the ability to load their
app into the firmware/BIOS of a PC. Meaning unless you flash the
firmware/BIOS and overwrite it, you are not getting rid of that app (or
replace the hardware). EFI is suppose to replace the legacy old BIOS
apps and allow for robust 64bit apps to run from flash memory on the
firmware level.

Last I heard Absolute was trying to work with Apple to develop this
product for their Macs, just like their product with the PC side,
however, it has not been developed yet for whatever reasons. On a side
note, maybe less security is better when dealing with theft.

-Tom

fsjjeff
Contributor II

D'oh, accidently sent this just to Patrik, resending to the group.

-----------

Funny this topic should come up, as I just finished a package with several scripts and launchd items to track stolen computers (we had 2 dozen stolen recently)...

After a bunch of research, I was able to do the following:

• Grab a list of all wifi networks around the computer, and use the BSSIDs to with the Google location API to get a pretty decent GPS location - upload the coordinates to a Google fusion table, which can then map it out. Can also create a network kml file so you can subscribe in Google Earth.

• On wakeup and login, discretely snaps a shot with the iSight camera and loads it to a website running the Gallery 2 software.

• Every 1/2 hour, grab a screenshot and also load it to the gallery 2 server.

I'd offer the scripts up to the community, but I don't think my boss would be ok with that right now. Just wanted to chip in that it's definitely doable, without having to pay a big fee (we had absolute track one year, but it was only a bit cheaper than Casper for education and we never used it so didn't renew and put the money into Casper instead).

Also, one would want to be very careful with this kind of stuff - I think a school district in US just got in big trouble over photos of students in their homes. We're working with the police on this for what it's worth.

Jeff

tlarkin
Honored Contributor

I would love to see this, when your boss gives the OK. I haven't even
looked at the Google Map APIs

jarednichols
Honored Contributor

You may want Legal to give a cursory "ok" to the camera snapshot thing. Even though it's potentially a stolen piece of equipment, it may still violate laws somewhere…

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

stevewood
Honored Contributor II
Honored Contributor II

+1

dkucmierz
Contributor

We use Orbicule's Undercover for workstation tracking. Has been very successful in recovery of stolen machines.

--

David Kucmierz
Mesquite ISD Technical Services
972.882.5506

jafuller
Contributor

Interesting article: http://lifehacker.com/#!5643460/how-to-track-and-potentially-recover-your-stolen-laptop-or-android-with-prey

James Fuller | Technology Application Services | application developer II | V: 206.318.7153

andyinindy
Contributor II

We recently had an iMac stolen, and I used the following script to snap a pic every 15 minutes using the iSight:

cd /tmp
/usr/bin/curl -O http://dl.dropbox.com/u/169986/isightcapture
chmod +x isightcapture
myDate=`date "+%Y-%m-%d-%H-%M"`
./isightcapture $myDate.jpg
/usr/bin/curl -T $myDate.jpg -u username:password ftp://thomas.butler.edu/$myDate.jpg
rm -f isightcapture
rm -f $myDate.jpg

Unfortunately, it seems like the perp got wise to our plan, as the computer was abruptly turned off and hasn't checked in for a week or so. Still, we managed to get some nice pics of him for the cops :)