Tracking down a lost laptop

JayDuff
Contributor II

We had a MacBook Air grow legs last week, and are trying to track it down.

We enabled DEP and jamf was already installed.

The new "owner" has updated from El Cap to Sierra and added a user account. The device is still checking in with our JSS.

I am looking for a way to get the device to report its GPS location. I found a number of GitHub (whereami) and SourceForge (LocateMe) projects that do this from the CLI, but none of them seem to work under Sierra.

I saw a post on discussions.apple.com from @jelockwood that he got Location Services working by modifying the plist, and I think I have that part working too. But the binaries I was able to get simply hang, or can't be built because they are using SHA1 signing, which is no longer allowed.

Anyone have any ideas?

Thanks!

1 ACCEPTED SOLUTION

bollman
Contributor II

I could recommend my own little script, if you have the JSS open to the world:
https://www.jamf.com/jamf-nation/discussions/12300/nice-little-scripts-to-scope-to-stolen-computers

The positioning relies on wifi and google and is very accurate.


jelockwood
Contributor

@JayDuff As far as I can see my previous approach still works for Sierra. There are three parts involved.

Part one is to install the free command line whereami tool. See https://github.com/victor/whereami

Part two is to get whereami authorised. In my case I am doing this as part of the post-imaging steps when building Macs. I start off by copying an already partly configured clients.plist from a previous Mac. This is because I did not find an obvious 'defaults write' approach that would work to add a specific application to the authorised list that Security & Privacy system preference uses. The plist needs to be copied to /var/db/locationd/clients.plist. I found that if I copied directly to there during imaging it seems to get over-written, so I copy it to /usr/local and later, in the final post-imaging first-boot script, mv it to the correct location.

Part three, the final step, is to turn on Location Services via a script.

For El Capitan and earlier -

uuid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/grep "Hardware UUID" | /usr/bin/cut -c22-57)
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.$uuid LocationServicesEnabled -int 1

For Sierra -

/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1

You would then get JAMF Casper Suite to run a report on the client(s) by getting the client to run the /usr/local/whereami/whereami executable and taking the result it generates to populate your report.

Note: If WiFi is turned off this may not work but with a MacBook Air or any MacBook this is extremely unlikely.

JayDuff
Contributor II

Yeah - that whereami part is what I'm having trouble with. Apparently, the developer is using SHA1 to sign the installer. That is not allowed any more. Maybe, if you have a compiled binary you can share, that will get me to where I need to be!

My plan is to have whereami (or CoreLocationCLI or LocateMe) populate an Extension Attribute. I just have to get one of them to work as a binary!

Thanks!

stevewood
Honored Contributor II

@JayDuff you might want to look at using Prey instead. I was able to recover a stolen laptop last year using DEP and Prey. Here's a couple of posts that might help:

Prey Project Mass Deploy

Stolen Macbook Reporting Back to JSS

I created a policy to install Prey and scoped it to the stolen laptop. Once Prey was installed and reporting to the Prey console, Prey captured screen shots of the desktop and pics from the camera, along with location data. I was able to catch a Google Maps route that had the starting address as the location where the laptop was. I handed the Prey info over to the police and a few days later I had my laptop back.

jelockwood
Contributor

@JayDuff

Ok the link I previously gave you for WhereAmI is not the one I actually used but another version. The one I used is here https://github.com/robmathers/WhereAmI/ and he has a compiled signed binary of it in the releases tab.

gmarnin
New Contributor III

Pinpoint can help here too

JayDuff
Contributor II

I got it all working! Now it's just a matter of the thief bringing the device online, so the policy installs everything. Here is the full solution, in case someone else runs into this situation:

I grabbed the binary of whereami from @jelockwood's link. It's not terribly stable, but it gets the job done. I put it into /usr/local/bin/.

Next, I ran whereami, and allowed it to use Location Services. This gave me a good clients.plist file to work with.

I created a PKG file, in Composer, with whereis and a script (I'll edit and paste it when it's working perfectly) that turns on Location Services. Then I also put that clients.plist file in there.

Next, I created Extension Attributes for Lat, Lon, Time, and Accuracy. (I'll put those in here too).

Last, I created a profile that installs the PKG on the target computers, then runs a Recon.

Room for improvement:

1) Use defaults write (or plistbuddy) to modify the plist instead of installing over it.

2) Use a more stable binary, like CoreLocationCLI or LocateMe, so output is more predictable.
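An added sketch of the Extension Attribute step described in the post above (not the poster's script, which the thread does not include): it pulls one field out of the location tool's output and prints the `<result>` line Jamf stores. The `Key: value` output format, the function names and the sample fix are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the location tool prints
# "Key: value" lines like the constructed sample below; check the real
# output of your whereami build before relying on these field names.

# Constructed sample, standing in for: /usr/local/bin/whereami
sample_fix() {
    cat <<'EOF'
Latitude: 41.878100
Longitude: -87.629800
Accuracy (m): 65
Timestamp: 2017-01-12 09:14:03 -0600
EOF
}

# get_field KEY: read tool output on stdin, print the value for KEY.
get_field() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# valid_coord VALUE LIMIT: succeed only for a plain decimal within +/-LIMIT.
valid_coord() {
    printf '%s\n' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?$' || return 1
    awk -v v="$1" -v lim="$2" 'BEGIN { exit !(v >= -lim && v <= lim) }'
}

# ea_result KEY LIMIT: emit the <result> line for one Extension Attribute.
# LIMIT is 90 for latitude, 180 for longitude, "" to skip the range check.
# A hung or unauthorised tool yields empty output, so report that
# explicitly instead of storing a blank or garbage value in inventory.
ea_result() {
    value=$(get_field "$1")
    if [ -n "$2" ] && ! valid_coord "$value" "$2"; then
        value="unavailable"
    fi
    echo "<result>${value:-unavailable}</result>"
}

# One EA per field; a Latitude EA would end with:
#   /usr/local/bin/whereami | ea_result "Latitude" 90
sample_fix | ea_result "Latitude" 90
sample_fix | ea_result "Accuracy (m)" ""
```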

jelockwood
Contributor

@JayDuff I have not tried this myself but I found this: https://www.jamf.com/jamf-nation/discussions/10038/hacking-corelocation-on-os-x-for-fun-and-profit

As per that article, in order to programmatically add a program to clients.plist you need to deal with arrays, which is extremely difficult to do using the defaults write command. There is also the possibility of using PlistBuddy but even that is not much more help. I recall resorting to using a Unix sed string in another case which was to do with automating the installation of custom Apple Mail stationery.

PS. When I originally got whereami working with Casper I formatted the result into a URL that could be clicked on and then display a marker on a map via Google Maps. Unfortunately I believe Google stopped making this possible unless you officially registered to use their API. Originally you could construct a simple URL to display a single marker on a map. Actually, just looked at this and it might still be possible, see http://stackoverflow.com/questions/6582834/use-a-url-to-link-to-a-google-map-with-a-marker-on-it - ah, I think the issue was putting a label on the marker - I used to be able to label it with the Mac serial number via a URL, this might now need using the API.

JayDuff
Contributor II

@jelockwood - It's amazing what a difference a little knowledge can make. Now that I know how GitHub works, and actually notice the Release tabs (facepalm) - I grabbed LocateMe. Calling it with the -g switch (LocateMe -g) has it output a Google Maps URL! I will put that into an Extension Attribute, and now my administrators have a link they can click in Casper to get the location on a map!

@bollman - That's wicked clever! We have Chrome and Firefox on our devices. I'm guessing, from the look of the script, that the user would have to open Safari, in order for that to work?

bollman
Contributor II

Nono, it all runs in the background with nothing shown to the user. It scans for wifi networks and uses curl to request a position from google.
The script also notices if the user has wifi off and turns it on for a scan then off again, sneaky ;)
The policy log shows just an address and lat/long from the google response.

bollman
Contributor II

Hm, I posted a new script to print the Safari log, but that post got moderated?

roiegat
Contributor III

Always interested to read these types of threads. Hopefully you can locate the machine and get it back. I would get the police involved once you have a location though. Most likely the thief sold it to a pawn shop and they sold it to someone else. So someone might have bought a computer legally, not knowing it was stolen. So get police involved. Good luck.

JayDuff
Contributor II

@bollman I implemented your script as an EA, and ran into an issue. The EA is not populating, so I saved it as a script. When I run it, I get an error at the if statement at the end, that determines if the script is running as an EA or not. Since I KNOW this is an EA, I just commented it out, and left the <format> statement. edit: the bug is that $EA should be in double quotes "" and it should be != 0, not -ne, unless you put 0 in quotes too - so line 40 should read: if [ "$EA" != 0 ] ; then

The result was within the margin of error (127m) of the binary solution, but this requires no binary, and doesn't nag about location services.

It's so friggin elegant - nice work!

One request: We sometimes don't WANT WiFi on. The script should return the WiFi state to Off, if $STATUS = "Off" at the start. edit: Never mind - I see where you do exactly that. Nice!

Would love to see that Safari log too!

Thanks for the really cool script!

Works in Sierra!
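The `if` failure described in the post above, reproduced as an added example (not bollman's script, which is not on this page). The `EA` variable name comes from the post; the function names are hypothetical, and the example assumes `EA` is empty or unset when the error occurs.

```shell
#!/bin/sh
# Added example. `[` exits 0 (true), 1 (false) or 2 (usage error);
# each helper returns that status so the three forms can be compared.

# Unquoted numeric test: an empty $EA vanishes, leaving `[ -ne 0 ]`.
test_unquoted_ne() {
    EA=$1
    # $EA is left unquoted on purpose to show the failure.
    [ $EA -ne 0 ] 2>/dev/null
}

# Quoted numeric test: still a usage error, "" is not an integer.
test_quoted_ne() {
    EA=$1
    [ "$EA" -ne 0 ] 2>/dev/null
}

# Quoted string test, the form given in the post: never a usage error.
# Note that an empty $EA compares as "not 0", so the branch is taken.
test_quoted_string() {
    EA=$1
    [ "$EA" != 0 ]
}

# status FUNC VALUE: print the exit status FUNC returns for that value.
status() {
    "$@" && echo 0 || echo $?
}

for v in "" 0 1; do
    printf 'EA=%-4s unquoted -ne: %s  quoted -ne: %s  quoted !=: %s\n' \
        "'$v'" "$(status test_unquoted_ne "$v")" \
        "$(status test_quoted_ne "$v")" "$(status test_quoted_string "$v")"
done
```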

JayDuff
Contributor II

@roiegat The police were called as soon as we saw the external IP address. We don't allow students to take the devices home yet.

They have the external IP, and I imagine they'll subpoena AT&T to get the address. But this is Cook County, Illinois. It could be a week or two before a detective picks up our case. If I get an address, it may speed things along.

dmcintos
New Contributor

@bollman Your script helped us track down a runaway. Thanks for that. Excellent work.

KatMaerz517
New Contributor II

This is an old thread. Anyone have a solution for Big Sur?