Wiping a lost system and rendering it unusable?

dominicanuofca
New Contributor II

I'm aware that JAMF has the "Wipe Computer" MDM command, but for security reasons, this doesn't go far enough. After the MDM wipe is complete, the device is still usable since it just deletes all the data and does a reinstall of the OS. I'd like to know if there's a method to remotely wipe the entire drive of a machine like what you can do in Disk Utility. That way if a device is stolen I can render it completely nonfunctional. 

4 REPLIES

jamf-42
Valued Contributor II

As long as the Mac has been encrypted with FileVault, that data was encrypted in the data container.

When you remote wipe, you effectively remove the encrypted data APFS container and key.

The OS is on another read-only APFS container. Hence the OS is still there.

This is based on the device being T2 or ARM.

Check a device record and see it's not just a simple flat drive structure.

...it's a bit more complex... but remote wipe kills the data...

As for stolen, as long as it has FileVault set up, no one is getting your data*

*at the time of writing.. 

AJPinto
Honored Contributor III

This would be an Apple thing. Apple does really need a lost/stolen option in ABM/ASM.

If you have FileVault enabled and you send the remote wipe command, this is a cryptographic erasure. Data is sanitized, though you will not get a certificate of sanitization.

As far as usability goes: if you leave the device in ABM/ASM, as is best, the device will keep being redirected to the MDM for activation. You could create a prestage that requires user/pass for enrollment. That would leave the device stuck at OS Activation.

jamf-42
Valued Contributor II

This may be an option for tracking devices... https://preyproject.com/

foobarfoo
Contributor

The best way you can achieve this (not meaning it's actually great) is to use the two methods made available by Apple:

a) Ensure the device is enrolled in ADE/DEP

b) Enable activation lock

Unfortunately, to my knowledge, JAMF doesn't allow enabling activation lock easily on macOS devices, only iOS devices, at least after enrollment.

Keep in mind, a device can always reinstall the OS in recovery mode so whatever you write/remove on the HDD is of no consequence for future device use. And if you're only worried about gaining access to data, enabling FileVault on all devices in advance is your best option.
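A small readiness check that puts the two conditions from AJPinto's and foobarfoo's replies into a script (an added example, not code from the thread or from Jamf): FileVault on, so a remote wipe is a cryptographic erase of the Data volume, and ADE/DEP enrollment, so the wiped device is sent back to the MDM at activation. It assumes `fdesetup status` prints `FileVault is On.` and that `profiles status -type enrollment` prints `Enrolled via DEP: Yes` and `MDM enrollment: Yes (...)` lines; the parsing functions take that output as text so they can be run against constructed samples off a Mac.

```shell
#!/bin/sh
# Lost-device readiness check (added example). Reports what a Jamf remote wipe
# would leave behind for this Mac, based on FileVault and ADE/DEP enrollment.

# 0 when `fdesetup status` output reports FileVault is On (assumed "FileVault is On.").
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# 0 when `profiles status -type enrollment` reports ADE/DEP enrollment
# (assumed line: "Enrolled via DEP: Yes").
dep_enrolled() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'
}

# 0 when the same output reports an active MDM enrollment (assumed "MDM enrollment: Yes ...").
mdm_enrolled() {
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'
}

# Summarise the outcome of a remote wipe. Prints one of:
#   EXPOSED   - no FileVault: the Data volume cannot be cryptographically erased
#   DATA-ONLY - data is erased, but the hardware stays usable outside the MDM
#   READY     - data is erased and the device returns to the MDM at activation
readiness() {
    fv_out="$1"
    enr_out="$2"
    if ! filevault_on "$fv_out"; then
        echo EXPOSED
    elif dep_enrolled "$enr_out" && mdm_enrolled "$enr_out"; then
        echo READY
    else
        echo DATA-ONLY
    fi
}

main() {
    # Only meaningful on macOS; skip quietly elsewhere.
    command -v fdesetup >/dev/null 2>&1 || { echo "not macOS; skipping live check" >&2; return 0; }
    fv="$(fdesetup status 2>/dev/null)"
    enr="$(profiles status -type enrollment 2>/dev/null)"
    readiness "$fv" "$enr"
}

main
```

Run it from a Jamf policy or by hand; any result other than READY means the device would still be usable by whoever holds it after a wipe, even though the data is gone whenever FileVault was on.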