Stolen MacBook - How did THIS happen?

Kevin
Contributor II

Last night, I discovered that over the holiday weekend, an employee had his home burglarized. The thief stole his corporate MacBook. I jumped on the JSS and found out that sure enough, the MacBook has been checking in regularly since it was stolen on Thursday. It has been used almost continuously since noon on Thursday. The dumb thief has created an account on the MacBook using his real name. We have the IP address and geolocation of the unit in a part of town that matches his identity. This has all been turned over to the police.
My question: How did he create an account on this MacBook?
The accounts that are on the unit are password protected, mobile AD bound accounts. We have a configuration profile on the unit that requires a password to log in and after 15 minutes of inactivity. The unit was powered off when stolen. The original accounts that were there (except for our hidden management account) are gone. All of our software is still there, including the JAMF software. How did he hijack this unit without wiping the drive?
Could he have just booted in Recovery mode and re-installed the OS? Would that give him the ability to create a new admin account? Wouldn't that have killed the JAMF software?

5 REPLIES

NoahRJ
Contributor II

Did you have FileVault 2/other similar firmware level encryption enabled for the machine? If not, anybody with physical access could boot up in single-user mode and add an administrative account/reset a password to an existing local admin account, and gain full control of the machine from there.

mm2270
Legendary Contributor III

Yep, unless either encryption is in place, or you have a Firmware Password set on the Mac, it's trivial to boot to single user mode, or something like Recovery HD and reset the admin password, and then create your own. Of course, one needs to know the process of how to do that, so it seems your thief is a bit Mac savvy.

We double ensure ours (which annoys our user base, but that's a different discussion). We have both a Firmware Password and FV2 encryption. The former is still only necessary because all our users are admins on their Macs and can disable FileVault if they wanted to, so it's not a certainty that encryption will be on if something is stolen. But we're putting some plans in place to stop even that from happening. Afterwards, the Firmware password won't be as necessary.

Kevin
Contributor II

Thanks guys.

We have FileVault configured and ready to roll out. Looks like that will happen today…

CasperSally
Valued Contributor II

FV is a good idea, but can take some time enabling users and the actual encryption time (helps if you have SSDs). In the meantime, look into setting firmware password. You can do it in seconds via script in JSS. It can be harder if one is previously set, but doesn't seem like that's an issue for you.
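The two controls mm2270 and CasperSally describe (FileVault 2 and a firmware password) are exactly the things you want reported back to the JSS so a stolen Mac's posture is known before anyone asks. The script below is an added example, not code from this thread or from Jamf; it is written as a Jamf extension attribute and assumes a Mac running macOS 10.10 or later, where `/usr/bin/fdesetup` and `/usr/sbin/firmwarepasswd` exist and print "FileVault is On."/"FileVault is Off." (plus an "Encryption in progress" line while encrypting) and "Password Enabled: Yes"/"Password Enabled: No" respectively. The sample command outputs used in the comments and tests are constructed, not captured from the stolen machine.

```shell
#!/bin/sh
# Added example (not from the original thread): Jamf extension attribute that
# reports whether a Mac has the two protections the replies recommend.
# Assumption: macOS 10.10+ with /usr/bin/fdesetup and /usr/sbin/firmwarepasswd
# present. On any other host both values fall through to "unknown".

# Parse the output of `fdesetup status` into one of: on, encrypting, off, unknown.
# Encryption in progress is reported separately because the disk is not fully
# protected until it finishes (CasperSally's point about encryption time).
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Parse the output of `firmwarepasswd -check` into yes, no or unknown.
fw_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo yes ;;
        *"Password Enabled: No"*)  echo no ;;
        *)                         echo unknown ;;
    esac
}

# Combine both into a single extension attribute value.
# $1 = fdesetup output, $2 = firmwarepasswd output.
protection_summary() {
    echo "FileVault=$(fv_state "$1");FirmwarePassword=$(fw_state "$2")"
}

# Live run. Both commands are guarded so the script is harmless on a host
# where they do not exist (it then reports unknown for both).
fv_out=""
fw_out=""
if [ -x /usr/bin/fdesetup ]; then
    fv_out=$(/usr/bin/fdesetup status 2>/dev/null || true)
fi
if [ -x /usr/sbin/firmwarepasswd ]; then
    fw_out=$(/usr/sbin/firmwarepasswd -check 2>/dev/null || true)
fi

# Jamf reads the value between the <result> tags.
echo "<result>$(protection_summary "$fv_out" "$fw_out")</result>"
```

Run as root from Jamf (firmwarepasswd needs it); a smart group on `FirmwarePassword=no` or `FileVault=off` then gives you the list of Macs that are still in the state Kevin's stolen MacBook was in. The firmware password only exists on Intel Macs, so treat "unknown" on newer hardware as expected rather than as a failure.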

alexjdale
Valued Contributor III

Yep, FileVault/WDE or a firmware password are the only ways to close some of the serious security holes Apple leaves in place.