Jamf Nation Community

I appreciate how you're letting the higher pay grade make the decisions. You've learned from other folks' mistakes that, right or wrong, you need to tread carefully and worry about privacy. Now, if only we could get users to stop playing lawyer at the end of their email messages...

Your detailed post reminds me of the "Nuke a Mac" thread from the alt.comp.lang.applescript newsgroup early last decade. http://groups.google.com/group/alt.comp.lang.applescript/browse_thread/thread/77b828ca977ca618/ The story as it played out in the thread made Slashdot, Macworld and a few other major sites at the time and was a really fun read.

In response to your question about monitoring with Casper and manually tracking it with IP trackers, I'm not sure what you mean by "IP tracker". As far as manual tracking and filing police reports, I left the reporting of the data from the JSS to the campus tech at the campus where the computers were stolen (since she knows more about the actual theft and what was reported when it happened) while I pursued the solution to gather even more information. I will admit that, for me, this was more of an exercise in knowing that I have the ability to gather this information than it was in actually gathering the information (knowing that the chances of being allowed to do so are pretty slim). I am content knowing that this works on a test Mac and could be used to find the thieves (although I wish I had more time to take this even deeper--I can envision some creative scripts to gather all kinds of emails, histories, etc. from these machines). The school district will have to decide if they wish to venture into the legalities of actually gathering the information.

Anyway, late this afternoon, the Director of Technology came to chat with me and asked what proof we had that these are our machines (because that was the first thing the police were going to ask him). I explained that I could give him the serial number, asset tag and a myriad of other information about the Macs. He seemed happy that I could provide the serial numbers, since those can be verified to be our equipment and said that he was going to be talking to the police soon. I'm not sure this will result in permission to collect pictures and data, but it's a step in the right direction.

The JSS should have the last known IP address, that can be used with a whois look up to tell you where the machine is. Beyond that, you would need to get a subpoena to get the actual personal information from the ISP.

Then you would, at that point, want to get the police involved and let them handle it from there. It is what they get paid to do.

There are lots of things you can collect without even installing other software. Eg. the last logins, wifi networks nearby (I love that one) and even screenshots of the computer's desktop. The trick is to get it back off of the machine if you don't have access to it.

Here are some examples (for 10.6)

#get current wifi network
echo "Current connection: " > /tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I >> /tmp/find/wifi.txt

#get nearby wifi networks
echo "WIFI SCAN: " >>/tmp/find/wifi.txt
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s -r 3 >> /tmp/find/wifi.txt
echo "****end of scanning****"

#start moving user data
#rsync -av $datarecover $rsynchost

In the end, we filed a police report, collected data about the laptop, and got enough info to send the police the person's name and cell phone number, who then called him up and asked for it back. It was all pretty easy and we knew where it was being used from based on the access points nearby.

Good luck.

Our Directory of Technology met with the detective in charge of the investigation of these laptops (they were reported stolen a year ago when it happened) and the detective suggested that we set it up to send all of the emails directly to him. This sounded like a great idea, but there was a lot of concern about filling up his email box (and a suggestion of getting the information every 30 minutes--which I didn't like because it looks like these computers are only getting used less than an hour a day) and concern that the police department's filtering system might not let the emails through.

I took another look at the Prey software and I could not find a simple configuration setting to tell Prey NOT to take pictures and include them in the email. I did figure out that I could delete the "webcam" folder from the Prey modules folder and it would no longer take the picture--important because the light next to the camera flashes green for a fraction of second when the picture gets taken, potentially letting the thief know they are being tracked. So I rebuilt the package, removing this folder, tested it and received information and screen captures, but no pictures from a test machine.

Our Director of Technology decided that he was OK with gathering this information ourselves and then providing it to the detective as long as the webcam picture was not included. So, I set it up to go out. As of this morning, Prey has been installed on 2 of the Macs and I am receiving emails, but no useful screenshots, yet. I'm also only getting screenshots on a fraction of the emails (coming in every 2 minutes), so I'm guessing it does not take a screenshot when the screensaver is active, but I haven't tested that theory yet.

I also liked the suggestion for collecting data (above) and thought that the easiest way to get this basic information (network & nearby networks) would be to set up a policy that runs a command and logs the information in the JSS. Here is where I am stumped.

I first tried a policy that simply has "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s; ifconfig" in the "Run Command" field under the advanced tab. Nothing showed up in the log--as if the policy didn't run. I have since created a new policy, targeted it toward a test Mac and experienced the same result when the command above is in the "Run Command" field (or even simply "ifconfig"), but it works fine when "ls -la /Volumes" is put in this field. I thought it strange that this would cause the policy not to run, so I checked the /var/log/jamf.log on the test Mac and it looks like the policy is actually being run (it is logged in this file), but apparently it must be crashing because the results are never logged (I have experienced this exact behavior before when I tried to have a policy execute a script that has a syntax error in it causing it to fail). I figured that I might be better off attaching a script to the policy, so I created one, tested it, uploaded it and attached it to the policy (removing the contents of the "Run Command" field). While the script works fine when I run it on a test machine, the policy runs (according to the jamf.log), but nothing gets logged to the JSS. I'm, frankly, perplexed. Here is the script I am using:

#!/bin/bash
echo "Network Info:"
/sbin/ifconfig
echo
echo "Nearby Networks:"
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s

Any ideas why this won't work in a policy?

Is the stolen machine still managed?

Yes, the stolen machines are still managed. But more importantly, I can't get this policy/script to work on a test machine sitting on my desk--one I have complete control of.

I have copied the script to the test machine and executed it in a Terminal window and it works fine. I thought maybe it could be a problem executing these commands when no user was logged in, so I logged out of the test machine and initiated an SSH session from another Mac to the test machine and executed the script. That also works fine. It just doesn't seem to want to execute these commands as a "Run Command" or as part of a script attached to a policy.

check for weird white spaces in your script, make sure it is executable and all of that stuff. If it runs fine in terminal manually, the problem is most likely the script.

Well, it turns out that trying to use "/sbin/ifconfig" in the policy (either in the "Run Command" field or a script) causes the problem, while using "/sbin/ifconfig en0" and "/sbin/ifconfig en1" works just fine. Go figure. :-/

So, my script now looks like:

#!/bin/bash
echo "Network Info (en0):"
/sbin/ifconfig en0
echo
echo "Network Info (en1):"
/sbin/ifconfig en1
echo
echo "Nearby Networks:"
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I -s

It works on my test machine. Now to wait and see what comes in from the stolen Macs...

You can use the networksetup command to create an array of enabled network services, and then from there grab info:

bash-3.2$ networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
Ethernet
FireWire
AirPort

Great info here. To add to the discussion you could cache the installer pkg on all you macs in your environment and then just activate prey with a script policy once a device goes missing. This way people can't be upset that their device is being reported until time of incident. Also, with the installer package cached you can just run a script to activate and install prey - this also eliminates needing a DP externally.

Let me know if you want me to elaborate on how I set it up - Just tested it and it works great (as long as you have active internet connection of course)

Fascinating stuff, Justin, thanks for sharing.

Cool stuff. I think it may be time for you to go Punisher on these thiefs.