I hear a ton of stories about managed devices ending up in the hands of general consumers with Apple machines specifically... I wonder why? Is Apple particularly sloppy in this regard or is this just a matter of Apple computers being extremely popular for deployment with MDM?
The school I work for once had a student who had left the school sell a MacBook to an unsuspecting member of the public. It hadn’t been unenrolled.
We wrote it off and removed it from DEP for the poor guy. The student was long since gone and we had depreciated it anyway, so it wasn’t a huge loss. We realised not doing so was also potentially a reputational issue for the school.
We’ve since tightened up leaving processes so this is unlikely to happen again.
The latter. MDM is way ahead on Macs, imho. Intune and Autopilot with Windows 10/11 and Azure are only just now catching up to what MDM and Jamf can do on Macs, or even what Group Policy can do on local devices.
The decommissioning process should generally catch these situations, but it’s not foolproof, and not all organizations have robust decom procedures. A lot of Macs are managed by, say, a university IT department, but procured and released by individual departments. The school of business might not bother to notify central IT that they’ve let go of a bunch of old equipment, for example, and if they do it’s in some outdated spreadsheet, so the machines don’t get released properly. Things like that.
Funny thing is that Intune/Autopilot aren't infallible in this regard either.
I acquired one of those weird lil' mini PCs that are all the rage, from Minisforum. The BIOS UUID was, essentially, 1-2-3-4-5, if we omit all the zeros. That UUID somehow tripped a fresh Windows install into Autopilot mode on the box to some random company that enrolled a similarly "blank" UUID in. I was absolutely befuddled and laughing my ass off once I figured out what happened... after the shock wore off of sitting at a Miratech Azure AD login.
... then dug out an AMI utility to go re-roll the RNG on the UUID since the OEM didn't do it and reinstalled Windows again and all was well in the world.
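The story above comes down to a non-unique SMBIOS UUID colliding with one another tenant had enrolled. As an added example (not code from the thread or from any of the vendors mentioned), here is a small Python audit that a device-management team could run over an inventory export before uploading hardware identities to Autopilot or DEP. The inventory rows, the asset names and the heuristics (all-zero/all-ones values, very few distinct hex digits, repeating patterns, a non-RFC 4122 variant, duplicates within the fleet) are all constructed assumptions for illustration; they are not the matching rules Microsoft or Apple actually use.

```python
import re
import uuid
from collections import Counter

# Constructed sample inventory: (asset tag, SMBIOS UUID). None of these are real devices.
SAMPLE_INVENTORY = [
    ("LAPTOP-A1", "3f2504e0-4f89-41d3-9a0c-0305e82c3301"),  # ordinary vendor-assigned UUID
    ("MINIPC-01", "00000001-0002-0003-0004-000000000005"),  # the "1-2-3-4-5" style placeholder
    ("MINIPC-02", "00000001-0002-0003-0004-000000000005"),  # same value: a cross-device collision
    ("BOARD-X",   "00000000-0000-0000-0000-000000000000"),  # never programmed
    ("BOARD-Y",   "ffffffff-ffff-ffff-ffff-ffffffffffff"),  # erased flash default
    ("LAPTOP-B7", "12345678-1234-5678-1234-567812345678"),  # test pattern left in by an OEM
]


def uuid_problems(value: str) -> list[str]:
    """Return reasons a SMBIOS UUID looks like a placeholder instead of a unique value.

    The thresholds below are heuristics chosen for this example, not a vendor rule.
    """
    problems: list[str] = []
    try:
        u = uuid.UUID(value)
    except ValueError:
        return ["unparseable"]
    hexstr = u.hex  # 32 lowercase hex digits, dashes removed
    if hexstr == "0" * 32:
        problems.append("all-zero")
    elif hexstr == "f" * 32:
        problems.append("all-ones")
    # Few distinct hex digits means the value is mostly padding (e.g. 1-2-3-4-5 padded with zeros).
    distinct = len(set(hexstr))
    if distinct <= 6:
        problems.append(f"low-entropy ({distinct} distinct hex digits)")
    # A short group repeated to fill 128 bits is a test pattern, not an identifier.
    if re.fullmatch(r"(.{4,8})\1+", hexstr):
        problems.append("repeating pattern")
    # Vendor-generated UUIDs normally carry the RFC 4122 variant bits; placeholders usually do not.
    if u.variant != uuid.RFC_4122:
        problems.append(f"non-RFC4122 variant ({u.variant})")
    return problems


def audit_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each suspicious asset tag to its list of problems, including fleet-wide duplicates."""
    normalized: dict[str, str | None] = {}
    for asset, value in inventory:
        try:
            normalized[asset] = uuid.UUID(value).hex
        except ValueError:
            normalized[asset] = None
    counts = Counter(h for h in normalized.values() if h is not None)

    report: dict[str, list[str]] = {}
    for asset, value in inventory:
        problems = uuid_problems(value)
        h = normalized[asset]
        if h is not None and counts[h] > 1:
            problems.append(f"duplicate of {counts[h] - 1} other asset(s)")
        if problems:
            report[asset] = problems
    return report


if __name__ == "__main__":
    for asset, problems in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: {', '.join(problems)}")
```

Anything the audit flags should be reviewed (and, where the OEM shipped a placeholder, reprogrammed through the vendor's supported process) before the device identity is registered with a tenant; otherwise the same value may later match an unrelated machine, which is exactly the surprise login prompt described above.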
You'll also find this happens when you get a Mini PC with a sticker telling you "if you cannot log into your personal account, please turn off WiFi and LAN, select the skip option, and then log in"...
All they need to do is boot a damn flash drive. `AMIDEWINx64 /su auto` for the win... also thanks to Lenovo for accidentally leaving that executable in some BIOS updates.
I had this happen with a Samsung phone once that had the Knox registered to Rent-A-Center. I called up RAC and they said they had no record of the phone.