You Had One Job! Apple Silicon Macs Can't Be Locked Using MDM Lock Command

Published December 16, 2020 / 825 words / ~4 minutes to read

Consider filing feedback after reading this post! Voice your opinion by referencing AppleCare enterprise case 101264025284. Talk with your Apple SE, account manager, or vendor.

DeviceLockCommand

As Apple silicon documentation slowly trickles in, the Apple admin community learns more about changes impacting MDM and other functions intended for enterprise. One of the most obvious is the change to the MDM DeviceLockCommand command. Read the developer docs for a quick summary of what the lock command has been able to accomplish since OS X Lion.

https://developer.apple.com/documentation/devicemanagement/lock_a_device
https://developer.apple.com/documentation/devicemanagement/devicelockcommand/command

You can display a message and phone number on the Lock screen if the user has set a passcode for the device, it isn’t a shared iPad device, and it isn’t in Lost Mode. In macOS, this command uses the Find My framework to lock a device, and fails if there’s no recovery partition on the device.

And this has worked well for years. When a Mac is stolen, goes missing, or an employee leaves, IT can use MDM to lock the Mac with a PIN and message. The MDM command is sent, the Mac restarts, and on the next boot it shows a lock screen. The only way to unlock it is with that PIN or a magic bootable USB drive with a signed file provided by Apple support.

Mac EFI lock screen

New Lock Doesn’t… Lock?

For Apple silicon Macs the message, PIN, and lock screen options are gone. Apple included this somewhat buried note in their latest Deployment Reference for Mac revision from December 14, 2020 under “Remote wipe and remote lock.”

https://support.apple.com/guide/deployment-reference-macos/remote-wipe-and-remote-lock-apd713df1b14/1/web/1.0

On a Mac with Apple silicon, the device reboots into the recoveryOS, where the only options are to restart, shutdown, activate, or erase the Mac. To activate the Mac, select an administrator user and provide the password. This activation step requires an internet connection.

To be clear, this isn’t a Big Sur change. On Intel Macs running Big Sur the lock command still works as it has in the past. On Apple silicon, though, instead of the lock command locking the Mac, it boots to recovery. Once in recovery, to get back to the installed OS with user data intact, an admin account must authenticate. However, anyone can still choose to erase the disk and set the Mac up as new. Not much of a theft deterrent. The lock command has always been tied to EFI (and UEFI), and with EFI being gone on Apple silicon, Apple declined to port the feature over to the new boot process. Another interesting detail here: we have an official name for the new Apple silicon recovery environment, recoveryOS.

Is this a non-issue for most organizations? Is losing a native lock function all that bad? That’s a question admins will have to answer for themselves, but generally in education I think it is a significant loss. There’s no longer a convenient way to lock down a Mac while also sending a direct message to the person on the other end - give us our stuff back. The new lock workflow on Apple silicon Macs isn’t a deterrent as a user can simply erase the disk and reinstall macOS.

Soon Apple silicon Macs will be the only hardware available to purchase. In the education world where price point rules, the $799 M1 MacBook Air SKU with 128 GB SSD is pretty much the only option next buying season. Will schools realize Macs can’t be locked remotely, even after investing in an expensive MDM solution? How will they recover costly hardware without a built-in lock feature?

Feature Request - Lost Mode

Turns out iOS has the answer. Everyone’s talking about the iOS-ification of macOS anyway. Let’s steal all the positive enterprise innovations iOS has introduced. The MDM Lost Mode command has been available since iOS 9.3 and has much of the same features the old Mac lock command did. Lost Mode includes a message, phone number, and optional footnote. Once set, the iDevice is locked into a screen showing the passed message values. Think of it as a variation on Find My iPhone, as it uses much of the same underlying technology. MDM can even trigger that annoying Find My iPhone ding. What’s so convenient about this is it can only be enabled or disabled directly through MDM commands. No action can be taken on the device to continue back to the home screen. Only MDM holds the keys.

https://developer.apple.com/documentation/devicemanagement/enablelostmodecommand/command
https://developer.apple.com/documentation/devicemanagement/disablelostmodecommand/command
https://developer.apple.com/documentation/devicemanagement/playlostmodesoundcommand/command
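As an added example (not code from this post or from Apple), the Python below builds the two MDM commands discussed here, DeviceLock and EnableLostMode, in the CommandUUID/Command plist envelope the MDM protocol uses, and flags the devices in a constructed inventory where, per the Deployment Reference quoted above, the lock command only reboots into recoveryOS. The six-digit PIN rule, the device record fields and all function names are assumptions made for this example.

```python
import plistlib
import uuid

def device_lock_command(pin: str, message: str = "", phone_number: str = "") -> dict:
    """DeviceLock: PIN is required; a six-digit numeric PIN is assumed here (length check only)."""
    if not (pin.isdigit() and len(pin) == 6):
        raise ValueError("PIN must be exactly 6 digits")
    command = {"RequestType": "DeviceLock", "PIN": pin}
    if message:
        command["Message"] = message
    if phone_number:
        command["PhoneNumber"] = phone_number
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}

def enable_lost_mode_command(message: str, phone_number: str = "", footnote: str = "") -> dict:
    """EnableLostMode (iOS): message, phone number and optional footnote shown on the Lock screen."""
    if not message and not phone_number:
        raise ValueError("Lost Mode needs a Message or a PhoneNumber")
    command = {"RequestType": "EnableLostMode", "Message": message}
    if phone_number:
        command["PhoneNumber"] = phone_number
    if footnote:
        command["Footnote"] = footnote
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}

def to_plist(command: dict) -> bytes:
    """Serialize to the XML plist the MDM server delivers to the device."""
    return plistlib.dumps(command)

def lock_outcome(device: dict) -> str:
    """Per the post: iOS gets Lost Mode (only MDM clears it), an Intel Mac gets the EFI
    lock screen, an Apple silicon Mac only reboots into recoveryOS where anyone can erase."""
    if device["platform"] == "iOS":
        return "lost_mode"
    if device["platform"] == "macOS":
        return "recoveryOS_erasable" if device["arch"] == "arm64" else "efi_lock_screen"
    raise ValueError("unsupported platform: %r" % device["platform"])

# Constructed inventory records (not real devices); 'arch' is what `uname -m` reports.
SAMPLE_FLEET = [
    {"name": "lab-01", "platform": "macOS", "arch": "x86_64"},
    {"name": "lab-02", "platform": "macOS", "arch": "arm64"},
    {"name": "cart-ipad-07", "platform": "iOS", "arch": "arm64"},
]

def not_theft_deterrent(fleet: list) -> list:
    """Names of devices where the lock command can be defeated by erasing the disk."""
    return [d["name"] for d in fleet if lock_outcome(d) == "recoveryOS_erasable"]
```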

If there’s a way I’d love to see Apple make Mac more like iPhone and iPad, it’s this. Give Apple admins a new-to-Mac way of sending a message to the people that shouldn’t have institutionally owned hardware. Whether lost, stolen, or otherwise, Lost Mode is one of the most used features in managing iOS fleets. Bring it to Mac and restore the lock functionality lost on Apple silicon. Open cases and file feedback with Apple now to make your voice heard.

iPad lost mode example