Hello everyone, my school is relatively new to Jamf and Apple MDM. Just the other day we had a Mac Mini stolen out of our IT office, we are unsure by whom. I haven't seen any activity on it, but if it turns on, what kind of data can we get to be able to track it down? I assume the GPS location won't be available, but is there any other information such as the person's local username if they make a new account/reset the device? I just need to collect as much data as I can to give to law enforcement. Thank you!
You can wipe out the Jamf lock with a DFU mode restore but if it comes right back to ADE anyway, they lose.
You only get info if your device connects to the internet. Lock it down in your MDM, notify Apple, file a police report, and submit an insurance claim once it’s determined the device is gone.
If you are using Prestage Enrollment then even wiping and restoring the OS is not going to bypass enrollment. Then also, do you have the MDM policy set to "user allowed to delete"? Apple requires the device to be online to restore the OS, so it will check in to the JAMF instance and you can get SOME info from it.
As long as this device is enrolled and online then you can get updates from it which include IP address and Local Accounts.
Create an extension attribute to collect the logged in Apple ID. I was able to get the email used on a stolen MacBook a while back, although IT Security didn't really do anything so we remotely wiped the machine and bricked it.
GPS? No GPS on a mini
Sounds like you're being more extra than needed. I'd report the S/N and call it a day. Equipment should be stored in a locked room (preferably badged accessed) with a camera monitoring it. Take it as a cheap learning lesson
If they bypass MDM then I’d assume you can’t do anything
"Bypass MDM"?
If that Mac Mini is managed/enrolled in Jamf, the second it hits the internet again it'll phone home for MDM instructions.
Send the lock command via Jamf ASAP and it's a brick until they return it.
If it's auto-enrolled, even better—they can wipe it all they want, it'll just re-enroll again.
More specifically, if it's in their ABM/ASM account and set up for auto enrollment in Jamf, then it will auto-enroll every time the Mac is wiped and reset.
Which is why you prevent the Mac from enrolling itself before you connect to the internet, so it doesn't do so when you connect it.
If it's an M series Mac (as far as I know, I don't have an Intel Mac to test with), is in ABM/ASM and has been enrolled at least once, the setup assistant won't even let you continue with setting up unless you connect to a network. Something gets stored in hardware (not sure if just NVRAM or something like the Secure Enclave though) that tells setup assistant that the device belongs to an organization and needs to check in with Apple's ADE servers to get enrolled in MDM even after being wiped.
Edit: I saw your other comment and will have to test from a DFU wipe and restore, but I feel like I've experienced it on an M1 Pro MBP as well. I've been wiping one a lot testing enrollment stuff as we're getting ready to move from Jamf to Kandji, and I was trying to test out what the enrollment experience is like if the Mac didn't get enrolled during Setup Assistant, but it wouldn't let me continue unless I connected to the network.
Sorry to hijack, but can I please ask why you're moving from Jamf to Kandji?
More features, less money.
Kandji has features included in the base subscription that are super important to us. Basically Passport and the overall much better experience around OS and 3rd party app updates is what sold it for us.
For us to add-on Jamf Connect it would've cost us ~$40k/yr on top of what we were already paying for Jamf Pro.
I'm a fluent user of both. Please let me know if you have additional questions about the difference, but this is a good summary.
Kandji has only recently gotten something like Smart Groups, so if you are heavily reliant on those then Kandji may not be the place to be.
Correct. But you can still get to Terminal and make a new user, which completely bypasses Setup Assistant. Then block macOS phoning home for MDM to keep it from ever getting set up.
So, in my experience, unless you initially enrolled the computer in a prestage that enables Activation Lock, you can still wipe the computer via internet recovery no problem. Then you can also set the computer up offline without connecting to the internet first, at which point they'll make the user account. Of course, that's assuming they are smart enough to know this workflow in the first place. Jamf does not auto-enroll anything after a computer has been set up to this point already.
iPads are the ones that require a connection to the internet or to a computer that has internet in order to be set up at all.
Are they even able to do that? It was my understanding that that was impossible because I bought it under our education account.
You can't remove it, but you can bypass it on M1 no matter what, and I'd assume it disables tracking. I've tested it on education.
Do you have more info on that? Links?
It's the same method that is behind the checkm8 paywall. https://checkm8.info/bypass-mac-mdm-lock
I think they patched that one though.
Testing, it works as of last week even on macOS Sequoia on an M1 Air. I think the links got taken down.
Well, let me know if you end up finding something substantial on that.
So it originated in Vietnam, but the original website, video, and GitHub have all disappeared. It doesn't seem to be a takedown, but Apple also hasn't done anything.
I'll see if I can get a bug bounty on it, then post the exact script I saved.
Can you provide us with said information? If true, this is a big security risk and it would be helpful for the community to know.
I'll find it. You basically wipe the Mac with DFU, stop MDM from starting, make a new user account (which is kinda broken), then use that account to make a new normal iCloud or offline account.
You can also install Linux or really do whatever
And if Apple fixes it with an update, you can just downgrade macOS before doing anything.
That was possible on Intel Macs by pulling the Internet but anything Intel with T2 or Apple silicon requires a network connection to start it up.
Just tested it on M1 and it still works. It requires internet for setup but not to make a new user or block MDM from installing.
How do you bypass MacBuddy?
Hopefully you have the serial number in ABM or ASM. Set up a smart group with the serial number and, if it enrolls, have Jamf send you an email alert so you can gather info on it. You'll end up with their WAN IP address, which may be helpful or maybe not. I'd definitely send a lock command so it's not usable on their end.
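As an added example (not code from any poster here, nor Jamf's own), this is the kind of script a defender would run once that smart group alert fires: pull the computer record by serial from the Jamf Pro Classic API and reduce it to the fields worth handing to law enforcement (last check-in, WAN and LAN IPs, any local account that did not exist before the theft). The `JAMF_URL` and token are placeholders and the sample response is constructed, though the field names follow the Classic API computer record.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of GET /JSSResource/computers/serialnumber/<serial> (JSON).
# Field names match the Jamf Pro Classic API; every value is made up for this example.
SAMPLE_RECORD = json.loads("""
{"computer": {"general": {"name": "IT-Office-Mini", "serial_number": "SERIAL-PLACEHOLDER",
    "ip_address": "203.0.113.45", "last_reported_ip": "192.168.1.23",
    "last_contact_time_epoch": 1714744930000},
  "groups_accounts": {"local_accounts": [
    {"name": "itadmin", "realname": "IT Admin", "uid": "501", "administrator": "Yes"},
    {"name": "newuser", "realname": "Some Person", "uid": "502", "administrator": "Yes"}]}}}
""")


def fetch_computer_record(base_url, bearer_token, serial):
    """Fetch one computer's inventory record from the Classic API (needs network access)."""
    url = f"{base_url}/JSSResource/computers/serialnumber/{urllib.parse.quote(serial)}"
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_record(record, known_accounts, stolen_since_epoch_ms):
    """Reduce a computer record to the evidence a defender would report.

    known_accounts: local account names that existed before the theft.
    stolen_since_epoch_ms: theft time in ms since epoch, the unit Jamf uses for
    last_contact_time_epoch; a later check-in means the Mac has been online since.
    """
    general = record["computer"]["general"]
    accounts = record["computer"]["groups_accounts"]["local_accounts"]
    new_accounts = [a["name"] for a in accounts if a["name"] not in known_accounts]
    return {
        "serial": general["serial_number"],
        "checked_in_since_theft": general["last_contact_time_epoch"] >= stolen_since_epoch_ms,
        "wan_ip": general["ip_address"],          # address Jamf saw the check-in come from
        "lan_ip": general["last_reported_ip"],    # address the Mac reported for itself
        "new_local_accounts": new_accounts,       # accounts created after the theft
    }


if __name__ == "__main__":
    # Offline demo on the constructed record; swap in fetch_computer_record(...) for a live query.
    print(json.dumps(summarize_record(SAMPLE_RECORD, {"itadmin"}, 1714000000000), indent=2))
```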