Reporting Mac location in JSS aka 'Find my Mac'

jelockwood
Contributor

There have been various previous threads here about how to obtain and report the physical location of a Mac via JSS. Unfortunately various changes - mostly down to Apple - have broken previous approaches. Before I detail my own working solution I will cover some background of previous approaches and their issues.

A common approach, and one that could still be done in various ways, is to use GeoIP location tracking. This is basically the same approach that blocks access to some websites based on the presumed location of the Internet address you are connecting via. As examples, Hulu and BBC iPlayer use this to restrict access. Unfortunately this approach either can give inaccurate information or can be deliberately spoofed by using either a VPN connection or a proxy server. I therefore do not regard this approach as useful.

I myself originally used a Mac tool called whereami. This was a command line tool which used Apple's Location Services to identify the location of your Mac. This particular tool did not have an installer to also automatically enable it in Security & Privacy, but originally, until Apple changed things, I was able to script this. When Apple changed things I switched to using pinpoint, which came with an installer that automatically authorised its tool in Security & Privacy.

Unfortunately with High Sierra Apple once more changed things, this time far more significantly. This time they changed things so that it became totally impossible to run an automated process and access Location Services. Only processes 'owned' by an active user login are now able to call Location Services. As a result, if you tried using pinpoint via a launchd script or cron it would be blocked, but if you manually ran it via Terminal.app it worked. Similarly, trying to run it as part of a JSS recon would also fail.

As a result all Location Services derived solutions seem to now be a dead end. :(

I have therefore written my own solution from scratch. It uses a list of visible WiFi access points - but doesn't need to connect to them - and with this list it then uses an Internet service to find a latitude and longitude. From that I generate a Google Maps URL which, when viewed, will show you the location of the Mac on the map.

There are a number of services on the Internet to take such a list of WiFi access points and give you a matching latitude/longitude but I found that even here in London most failed to give any useful results. It seems only the big guys like Google, SkyHook and Apple have enough data to be useful.

As per this discussion we have already found that Apple's Location Service which also uses WiFi based location tracking is now unusable but Google's does still work and does not use Location Services.

Unfortunately, literally this week, on July 16th 2018, Google changed their terms and conditions. You now not only need a Google API key, but depending on how much use you make of the API you may incur costs. (You get a $200 monthly free credit; if your use is below that value then it is effectively free. This translates to 40,000 API calls per month.)

I have written my solution to act as a replacement for the original pinpoint written by Clayton Burlison. It will in standard configuration literally work exactly like his pinpoint except it does not use Location Services. This means my version can also be used with MunkiReport-PHP like Clayton's own now discontinued version. I have also included two ways it can be used with JSS to populate an Extension Attribute, either by not installing as standard on the Mac clients and instead running the main script purely via JSS, or by using a smaller script in JSS to retrieve the results from pinpoint running on the client Mac.

Clearly there are some potential privacy issues which is presumably what Apple were concerned about. Equally there is also a demand and need for organisations to have a method by which they might have a chance of tracking down lost or stolen Macs.

Note: An unintended side effect of no longer using Location Services is that the icon for Location Services will no longer appear in your menubar. This unintended consequence makes my solution even more stealthy. Remember you should respect the privacy of your family or colleagues. Apart from good manners this may be a legal requirement.

If you're interested in this solution please see my page at https://github.com/jelockwood/pinpoint

PS. My solution even works currently in the Mojave beta release.
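
The flow described in the post above (visible access points in, latitude/longitude and a Google Maps URL out), sketched as an added example that is not code from pinpoint or from the post's author. It assumes the scan text is laid out like macOS `airport -s` output and that the lookup service is Google's Geolocation API; the function names and all sample data are constructed for illustration, and no network call is made.

```python
import json
import re

# Constructed sample laid out like macOS `airport -s` output (assumed scan source).
SAMPLE_SCAN = """\
                SSID BSSID             RSSI CHANNEL HT CC SECURITY
        Office Guest 0:11:22:33:44:55  -48  6       Y  GB WPA2(PSK/AES/AES)
           Corp-WiFi 00:11:22:33:44:66 -61  36,+1   Y  GB WPA2(802.1x/AES/AES)
             Printer 00:11:22:aa:bb:cc -79  11      N  -- NONE
"""
# Constructed sample of a successful lookup response.
SAMPLE_RESPONSE = '{"location": {"lat": 51.5074, "lng": -0.1278}, "accuracy": 30}'

# BSSID, RSSI and primary channel; SSIDs may contain spaces, so anchor on the BSSID.
AP_RE = re.compile(r"((?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\s+(-\d+)\s+(\d+)", re.I)


def parse_scan(text):
    """Return access points as dicts using the Geolocation API field names."""
    aps = []
    for line in text.splitlines():
        m = AP_RE.search(line)
        if m:
            # Zero-pad octets, since the scan may print "0:11:..." for "00:11:...".
            mac = ":".join(o.zfill(2) for o in m.group(1).lower().split(":"))
            aps.append({"macAddress": mac, "signalStrength": int(m.group(2)),
                        "channel": int(m.group(3))})
    return aps


def build_request(aps):
    """JSON body to POST to https://www.googleapis.com/geolocation/v1/geolocate?key=API_KEY."""
    if len(aps) < 2:
        raise ValueError("the API needs at least two access points for a WiFi fix")
    aps = sorted(aps, key=lambda ap: ap["signalStrength"], reverse=True)
    # considerIp=False: fail rather than fall back to a GeoIP guess.
    return json.dumps({"considerIp": False, "wifiAccessPoints": aps})


def maps_url(response_text):
    """Turn the API response into (Google Maps URL, accuracy in metres)."""
    body = json.loads(response_text)
    if "error" in body:
        raise RuntimeError(body["error"].get("message", "lookup failed"))
    loc = body["location"]
    url = "https://www.google.com/maps/search/?api=1&query={:.6f}%2C{:.6f}".format(
        loc["lat"], loc["lng"])
    return url, body.get("accuracy")
```

The `accuracy` value is the radius in metres of the estimate, so it is worth storing next to the URL in an Extension Attribute to judge how far to trust a given fix.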

5 REPLIES

mchit
New Contributor II

Hello, John. This project seems to be very interesting since I have been trying to implement the location tracking apps like Location Helper and CoreLocation CLI etc. in my JAMF environment, which has mostly a mix of High Sierra and Mojave computers. So far, it is very frustrating since the results are not consistent. Now I am waiting for a Google API key from our Google Admin and hope the testing will go well. I will let you know how it goes in a few days. Perhaps more questions to ask. :)

hsert
New Contributor II

no comment

ooshnoo
Valued Contributor

@hsert where do you get the api key from?

sdagley
Esteemed Contributor II

@ooshnoo and @hsert It looks like Here may have discontinued the Geocoder API

hsert
New Contributor II

@ooshnoo you can get the API key if you create a developer account there: https://developer.here.com/
@sdagley The API is under maintenance but is still working