Hello everyone, my school is relatively new to Jamf and Apple MDM. Just the other day we had a Mac Mini stolen out of our IT office; we are unsure by whom. I haven't seen any activity on it, but if it turns on, what kind of data can we get to be able to track it down? I assume the GPS location won't be available, but is there any other information, such as the person's local username if they make a new account/reset the device? I just need to collect as much data as I can to give to law enforcement. Thank you!
I'll find it. You basically wipe the Mac with DFU. Stop MDM from starting. Make a new user account (which is kinda broken). Then use that account to make a new normal iCloud or offline account.
You can also install Linux or really do whatever
And if Apple fixes it with an update you can just downgrade macOS before doing anything.
That was possible on Intel Macs by pulling the Internet but anything Intel with T2 or Apple silicon requires a network connection to start it up.
Just tested it on M1 and it still works. It requires internet for setup but not to make a new user or block MDM from installing.
How do you bypass Macbuddy?
Is that Setup Assistant? I just made a new user with dscl. Then blocked the Apple MDM server in the hosts file.
Yeah sorry, internal Apple name for Setup Assistant. I'm going to try it.
The dscl user is kinda weird, but you can just use that to make a new normal admin, which works fine.
The thing is, the only way Apple could fix this is by disabling or maybe locking DFU mode. Because no matter what, you can downgrade macOS with an IPSW image and do the exact same thing anyways.
So it's interesting... it sorta works with SIP disabled using tricks from some Reddit posts, but with the IP addresses blocked, no software updates working from Apple after that. Unblocking the 17.x IP space immediately prompted me for enrollment.
Guessing it checks for ABM by serial number at the point of software updates? Spoofing the serial number would be an interesting exercise in that case, but that's burnt onto the logic board (though that would likely work in a VM).
So yeah for a 14.5 Sonoma Mac it worked, but for a 15.0b2 Sequoia Mac, no luck. I assume they rewrote that.
I was able to get an update on Sonoma and later update to the 18 beta
I blocked mdm.apple.com, Device enrollment, and one other one.
Interesting. Such is the joy of open ancient mechanics under the hood. Recently had to add SSO to our ADE enrollment after a security researcher spoofed serial numbers in a VM and was able to enroll his Mac into our MDM.
Damn. That's actually pretty smart though.
Yeah I was surprised but not shocked. Very clever.
I wonder if that works with Apple Store laptops. Like if I can grab a serial number and test it in a VM.