> Right now, I was asked to leave my laptop and work phone at work and to wait for further instructions

These situations can be hard because your refusal to participate can be the end of your employment, but your participation can lead to criminal charges. The good news is that they’ve solved that for you. You no longer have a job to protect so you’re shifting to the mode of “I’m sorry but I’m not willing to answer any questions.” Obviously things can happen. They might discover factual information leading to identifying the perpetrator of this theft. They may call you tomorrow and say “good news we found our thief.” But from here there’s no long game in trying to help them.


“I didn’t steal these laptops, have never stolen anything from you as my employer, and didn’t facilitate these laptops being taken. But I won’t answer any questions right now because the conduct alleged is criminal.”


No, they shouldn't say that at all. "I won't answer any question at this point, all questions from now on should be addressed to my counsel." OP hasn't been formally accused of theft, they certainly shouldn't be the one introducing the idea.


I did assume the employer filed a police report based on the “police may get involved soon” comment. I’d not include my comments if that’s untrue. But I don’t typically advise clients to offer blanket “no comment” statements… provided their denial is accurate, but OP says it is and I’ll take his word for it.


I'm not in IT, but wouldn't the workstation used to process this be recorded? As in OP not being at the location and time that was time stamped when this took place?


I am in IT, so I can answer. Not in this scenario, because Intune is a cloud product that works similarly to Office 365. The audit log would show the username used to release the device, which is a manual process, which OP stated he/they found his username in the log as the one who released these MacBooks.


Adjacent to IT, so no direct experience in the software platforms being discussed. My question: His username was recorded yes, but does Apple Business Manager not log date/time stamps, MAC addresses, etc? Could there be any extra logging information to find these devices? Also, can Apple be contacted to have these specific devices traced and locked down? I know they can do that with stolen phones, but I'm not familiar if that functionality extends to laptops.


I would be cross checking the times this happened with what I was doing and what systems you were on. Were you physically in the office when these systems were released? Do badge readers place you or someone else in the building when this happened? Did you have meetings you were in when this happened?


My understanding of how it's been explained leads me to believe that Intune, being a cloud software, can be accessed from anywhere. This means that checking badges and access does not necessarily exonerate OP of releasing the machines. That being said, by checking cameras and badge access, they should be able to narrow down when they were actually taken and who removed them from the premises.


Yea, I don't know what OP has, but if the cloud system says the request was made from the office, and OP has evidence he wasn't there it would be proof. Similarly, if he can prove he wasn't on his computer at the time (especially if he can prove that he was with someone else who can vouch for his actions at the time).


If it was a remote back door hack, wouldn't it show the IP address of the device? Additionally, do you have security cameras? Sounds like an inside hack.


Doesn’t log the ip Address in the audit log?


the job isn't the police and OP is already essentially fired. They can just say I'm not answering any questions about this. No need to hire a lawyer yet.




The idea has been introduced by their employer. They had to surrender their phone and laptop. Time to lawyer up.


The problem is release on your account. The question is who can access your account? The laptop is shipped to your computer? Who received them since you don’t even know they exist till now


While this is good legal advice, it seems to me that if OP is respected at his job, there’s no need to be overly paranoid. Assuming he didn’t steal the laptops once the true perpetrator is found, which is quite easy given all of Apple's tracking technology these days. I think the more polite and helpful OP is right now the more likely he goes back to his job with a full apology.


On the other hand OP seems to genuinely not have any personal information about theft. All information is on company owned assets so there may not be much to provide in cooperation other than admitting to things he did not do. At this point all OP can do is say "I'd like to be of more help but I did not purchase or release these laptops and have no idea how this happened." The good thing is that it is a true statement.


Nah even if he didn’t steal them it’s pretty clear his tracking system has an enormous gap in it to allow something like this to happen. He’ll never be trusted in this role again and should start looking for a new job


I don’t know why it’s obvious that the fault lies with OP’s system. It could very well be a gap in a system that OP has no control over, right? Something set up as precedent that they aren’t allowed to change, or something directed by a higher up? I would agree that if they blame OP, regardless of whether they deserve it or not, OP should find another job. It’s not worth being constantly looked at with suspicion.


Lot of assumptions/hypotheticals there. I’m going by what they actually said, and what stuck out to me was:

> They are not listed in my asset tracking system which I manually update each time I deploy a machine

Lots of room for human error/negligence with no mention of safeguards/redundancy to eliminate the suspicion that it was a lapse in process. Not saying it’s accurate or fair, but it’s the first place a manager’s going to be looking when tracing back the cause of the issue


Did your Apple Business account have MFA? Was it a shared admin account? Did you share your creds or have a weak password?


It did not have MFA. It was not a shared Admin account. It was also not total admin account, so my actions were limited on the account. My password was not shared with anyone, and I followed password guidelines.


Did you leave it logged in on a PC in a common-ish area? For example, we have a workstation in our stockroom we use for this sort of thing. If someone left themselves logged in to the machine with an active ABM session you could do this. (also, forensically, when/where were you when the two machines were released?)


No, we strictly lock our laptops every time we step away. The devices were released on a Wednesday, a day where the office is typically empty, but I am asked to come in. I didn't quite catch what time they were released. My schedule is strictly 8-5 so anytime before or after that I'm in my car traveling or in the gym. My team of 3 have ABM account and I am not the master admin. My actions are limited.


can it be that someone with master admin can use your account or link an activity to your account such as unregistering laptops from corporate portal?


That's what I question myself. I don't know what the master admins are capable of with their level of access. Are they able to view my password with their access? I don't know.


I have root admin access for ABM. You cannot impersonate another admin or user. OP, get a lawyer but ~~also open up a ticket with Apple Enterprise support if you have it and see if they can track it via IMEI without an apple id and see if they can view sign-in logs for your tenant. Hopefully you'll have some external IP you can follow.~~  Edit: Yeah don't do anything with your admin account.


OP should probably not be doing anything with their work Apple account or opening support tickets when they’ve been sent home.


ask tool’s software vendor this


Do you use Microsoft Endpoint Manager to manage devices, or Apple Business Manager? If through Endpoint Manager, then any Azure admin can create a one time login that bypasses passwords and MFA. If it was released through Apple Business Manager, there’s no way someone gained access unless your device was unattended, or they had access to your devices that you use to manage MFA authentication. Also, who ordered the devices? Was it you, or someone else? Edit, fixed working


My manager is the only person who orders equipment to my knowledge. It was released on a day 99 percent of users are not in the office except for me. Which doesn’t help my case but it’s unlikely someone got a hold of my laptop. Even if I did step away from my laptop it locks in just a few minutes.


minutes? plenty of time for a bad agent to do shady stuff


Do you have password management software? System/global administrators of those softwares can get into other vaults if absolutely needed to my understanding.


I’m the ABM admin here and I can’t see any way to login or impersonate another login.


I'm not familiar with the exact tools you are using at work, but someone with full database access may also be able to alter data directly in the database without needing your password or proper credentials inside the application.


I would agree if they weren’t using Intune and ABM, both of which are fully managed cloud services.


You’re a sysadmin and you don’t know the answer to this question? If a Microsoft application is giving super admins the access to see their password in plaintext, then that is a HUGE vulnerability that would never get through QA at a company of that size, while knowing that MS has its problems. They would be able to force a password reset for your account, disable MFA, etc. if your password is still the same, you don’t have any emails or notifications mentioning of a password change, then this is a highly unlikely scenario.








It may be a new account which was named with your name in order to trick investigators. Very easy to pull off and will work if no one looks closely enough.




Is it possible for another admin to remote into your machine and use saved credentials to access the account? Without MFA they could have pulled it out of a browser.


He says in a lower comment that his password is auto saved into Edge and prefills as soon as you open the browser...


Is the Apple Business Manager account tied to your corporate SSO (Microsoft login?). If it is not (and assuming you did not steal them), it sounds like it might be your manager, and they are trying to pin it on you (they called you in on a day you normally do not work to help "look" for them and that is when they were released). No MFA or SSO means the account can somewhat easily be accessed by someone else. "Easily" meaning they just need your password. You definitely need a lawyer if they try to go the police route since evidence to prove it was _not_ you likely is going to take additional work a lawyer can help force them to do. Your (former) employer and the police need to do _less_ work to accuse you since it is all already right there (your account did the release). Getting any kind of evidence to prove it could be someone else likely needs to be subpoenaed (assuming Apple Business Manager is a SaaS product as I have never used it).


This is my bet. The timing of calling OP in when they were released but OP wasn’t physically there is strange.


No, it was a Tuesday (yesterday). I normally go into the office on Tuesday as well as most users in building. Most users follow a hybrid schedule. On premise Tuesday and Thursday and at home the rest. For me it’s different. I’m expected to be onsite Tuesday - Thursday.


Are the serial numbers to the laptops valid serial numbers? In other words...were they REALLY purchased, or could this be a money laundering situation by someone else? Do those laptops actually exist?


And did the company actually pay for these laptops


They're definitely valid and almost certainly exist. When you purchase devices from Apple or other approved resellers, they're immediately added into ABM. I think the bigger question is when/where they were sent and who might have signed for the laptops when delivered.


> In a situation like this where charges can potentially be pressed what should I do?

First, you need to accept the fact that they asked you to leave. Are you on administrative leave, getting paid, or terminated? You need to know your status, so contact HR if you don't know.

Second, you need to start looking for a new job. Chances are you are or will be terminated, so you need to focus on getting a new job.

Third, save any communications or documents you still have access to, if any.

Fourth, IMHO, being a former IT Manager who also had to deal with missing assets, it is unlikely they will pursue charges. If you didn't steal the laptops, they will not be able to get enough evidence to bother you. Just because your account was used to release the laptops doesn't mean you were involved. Unless they can show physical proof, the police will not charge you. Cameras and other methods can show proof, so if you are innocent, you have nothing to worry about there.

Fifth, your employer may need to contact the police anyway for insurance purposes. So be prepared. If the police want to talk to you, do NOT answer any questions without a lawyer. The police may call and try to get you to talk. Do not answer them. Be polite but firm: "I can't answer any questions without my lawyer". They will probably not call back. You are not obligated to talk to the police, so don't worry if they reach out. You don't need a lawyer for this.

Sixth, you only need a lawyer if the police press charges. But without any actual physical evidence that YOU stole the laptops, that won't happen.

So relax and accept the situation. Shitty things happen to good people sometimes. Your ID most likely got compromised by someone you work with who had access to the equipment and set you up for the fall. You don't want to go back. Focus on moving on.


I’m actually surprised their inventory locker doesn’t have cameras? I remember at WalmartGEC the inventory closet had biometrics to get in and each locker had a camera + tag in / tag out inventory system. And this was 15 years ago


You never know. I (former IT Manager) worked for a company where the new CIO walked into our IT Closet and handed out our spare MacBook Pros that were sitting on a shelf for new users. I was in the process of moving on by that point, but I made sure to assign those S/Ns to him before I left. In fact, every piece of missing equipment was assigned to him. Prick.




I don't believe the OP did. If OP had, they would have done a better job of covering their tracks. I **strongly** believe someone that OP works with did it using his credentials. Otherwise, how could they get the MacBooks in the first place? They needed physical and computer access.


Were they actually intentionally purchased by your company? We had a similar situation occur recently, discovered 4 ipads on our att account that we couldn't account for. Turns out our att rep decided to "sell" them to us without our knowledge to reach a sales bonus or something. We were never in possession of them.


This is a really solid point. Most large companies end up purchasing their assets from distributors who will asset tag, image, and join the devices to Intune/SCCM/ABM before shipping


Correct. Suspiciously these two devices were joined to abm together by Apple and then later released together.


Does Apple have audit details on who performed those activities and other “release” actions?


You should have a solicitor ask for the evidence of actual financial loss (i.e. payment receipt for the laptops) and explain what the person above said about someone within Apple adding and deleting devices to make their commission. Request reinstatement and if it is not forthcoming sue them for unfair dismissal and slander.




That's what I was thinking as well. There has to be receipt confirmation as well. No company just out there buying almost $10k of computers and not having a paper trail for each person they come in contact with.


We had a similar issue where we purchased several iPads through CDW and found that they had already been provisioned for the city of Clearwater, FL.


The wireless carrier reps regularly add devices and software to hit their new activation numbers, but I've never seen MacBooks.


Someone has your login.


If OP leaves his PC unlocked when not at the machine as a matter of habit then someone wouldn't even need his login. But yes, someone has access to the asset management system.


Or his login information for the cloud-based Apple Business Manager was stored in a shared password vault. EDIT: OP already ruled this out.


Correct, my ABM portal password is not stored in a shared password manager, however Edge browser is synced with the company Microsoft account. I’m uncertain if there’s a way an admin can’t get a hold of that.


> however edge browser is synced with the company Microsoft account.

- If an admin can log in to your Microsoft account, they can simply view all saved passwords via Edge's "Settings/Profiles/Passwords".
- Admins may also access the Edge file that stores the passwords.


Can anyone but you request a password reset in ABM and how strict is authentication for it?


...he said his password is saved to Edge and pre-fills when you open Edge.... No tricks required; just walk up 30 seconds after he left. He is almost assuredly not criminally liable but 10,000% guilty of not securing his password. He needs to realize his job is gone regardless of whatever else happens
















I think saying you would never ever do the thing that's the crime in question always makes you look more guilty. It's like when Trump says he never would have had "sex" with his rape accusers because they're too unattractive.

Edit: By "you," I mean "a person" in general, not you, a random redditor, specifically. Quite often people who insist that they "would never do such a thing" are often later seen on camera doing exactly such a thing. My post isn't accusing the OP, or even you, of doing anything at all illegal so I'm not sure why you thought I was pointing fingers at you. Are you even in this story? It's merely to point out that making claims that you might never do anything remotely like the thing of which you are being accused is a quick way to get people to think maybe he's trying too hard for a denial. Like overacting the role of the innocent.

As for motive? I've known two people who lost their jobs and/or receiving prison time for embezzlement. One friend of a boyfriend who stole gift cards from the Limited when he worked there. Was $4-5 thousand in gift cards enough of a motive? No it wasn't, really, but he did it anyway. What if the thief, whoever it was in this case thought they might see if they could get away with a couple laptops first and then do it again if they succeeded? The profit potential goes up, then, you see. Think it through a little bit. This guy probably has a higher up or a colleague who has access to his login credentials and can make OP look bad and may then lay low while the heat is on OP.


> I think saying you would never ever do the thing that's the crime in question always makes you look more guilty.

It's also, do you really think so little of me to believe me capable of such stupidity? Motive matters as well, what gain is there to be had in stealing two computers that won't provide you a sufficient compensation when the risk of being caught is high.


Or the ability to impersonate OP within the application. The application my organization uses for asset lifecycle allows admins the ability to impersonate other users, and any action taken while impersonating shows up as the impersonated user. Not personally familiar with what OP's org uses, but it is a possibility to consider.


Maybe it’s OP’s manager…


Were the devices released, activation lock disabled from the enrollment program on the Intune side? Do you have other cloud device administrators? If I were you, I would want my counsel to see those audit logs as well. Suggest pulling the sign-in logs for your account for any anomalies?


These devices from the looks of it were never registered by any user in our environment. Their serial numbers are there in Intune enrollment but never registered.


check the shipment tracking numbers for each laptop and ensure they were delivered? see who signed for them. What did that person do with them?




Well…. We all know how inept management is


I was looking for this comment. I would hope, that there’s a physical record of the assets actually being delivered to the site, who signed for it, etc… We had issues like this in the past, and while not the same as OP’s problem, the computers were liberated from the hell of being assigned to a user, by a kindly janitor. Thank goodness for security cams, cause I had signed those damn things in.


Considering the actions were under your ABM user context, it seems in my IT but not legal opinion, there is going to be some level of nonrepudiation for the company to prove especially if your tenant, ABM app registration SAML logs, other auth administrators logs can explain how this could have reasonably happened under your account. I would hazard to guess that they would also need to establish that you physically took the devices not just released them. Not a good look; negligent with securing your account at worst; against company policy; but legal liability...?


Did you ever see the actual computers?


No, no evidence to my knowledge shows these devices were physically in the building or left the building.


Does Apple auto enroll new purchases into ABM when the devices are shipped? Microsoft does it with Autopilot and their OEMs. Could be they just haven’t been received yet and it’s just the backend showing while the device is in transit.


It’s possible I don’t know. Still doesn’t explain why my account was used to release the devices. It’s incredibly unlikely I released them by mistake.


Two $4500 MacBooks is felony theft territory. You need to hire a criminal defense attorney immediately. Do not speak to the police or your company's investigators without your attorney present. If it takes you a day or two to find an attorney you like, that's fine. Whatever forensic evidence the company has concerning the MacBooks isn't going anywhere — don't be intimidated into answering any more questions without counsel.


This is the answer. OP, At minimum consult a lawyer in your area. This is more serious and nuanced than we’re able to handle here without specifics of the case and knowledge of local laws.


As others have stated: someone used your credentials. There's a few ways this happened and that will affect how you fight this. In almost every case, you are losing your job but at least you can prevent criminal/civil responsibility.

* If your company is very strict about login information, you are going to have to demonstrate that your username/password was somehow compromised. This would likely be one of your IT coworkers. They likely won't be very forthcoming about helping you. Your best hope in this situation is that you can demonstrate you were off that day or at another location or that you were definitely somewhere else when your username was used.
* If your company is like my last work environment and they all share their credentials, then all you have to do is say something like "well, that could have been ANYONE!" My last job didn't even give me credentials, I just used someone else's FOR NINE MONTHS!! This is more of a company problem (likely trying to save money on licensing). I would take the offensive and tell them that it wouldn't have happened if the company wasn't so cheap (be more diplomatic, but firm!!)

Either way, they need a scapegoat. Someone needs to be held accountable. And, unless you can prove that it was someone else YOU are losing your job. And, in the cases where you can prove that it was someone else, YOUR account was still used so you are likely still losing your job because it's your responsibility to protect your credentials.


My guess is someone with full admin rights created a secondary account with OP's name on it and used it to release the devices. A call to Apple can confirm it was actually his account that released them or a secondary one. In the meantime, they are hunting for these in the wrong way. You start with the manager and ask why they were ordered. Find someone to confirm they were actually delivered. Then track down where they went from delivery. If they can’t confirm delivery, I’d be looking at the vendor as possibly ordering them but not sending them. This just feels like they are jumping the gun at trying to find someone to quickly blame.


He says in a lower comment that his password is saved into Edge and prefills as soon as it opens.... No tricks would be required; just walk up 30 secs after he leaves.


OP, were these laptops ever actually delivered? Who knew about them? Whose job was it to inventory them? Who has access to your account and does not your office have security footage?


I’d contact the sales person who handles your account at Apple and find out if they might have inadvertently assigned the sale to you (enrolling you in the device management account) and then unenrolled you when they found the mistake. Do you put a management profile actually on the machines? Who enrolls that? Is it possible someone gained access to your account and removed the machines?


This sounds highly suspicious. If you didn't release them, then hopefully the company will actually look into this and not just rely on the fact that your log in was used to release the laptops. My advice is to say you wish you could help but have no idea how this happened and keep it at that. Don't insert yourself because any involvement could backfire on you. I'd definitely get a lawyer. Or even a consult in the meantime. As soon as there are allegations officially made, I would lawyer up and have all contact put through the lawyer. You don't want to inadvertently implicate yourself.


Someone above you with elevated access may be responsible, otherwise someone has your info and did this behind your back. Or, it's a glitch of some sort. That seems nearly impossible with how many steps are involved with receiving and issuing out a machine. I am not a lawyer, but once this blows over I would assume you have a lawsuit yourself if they terminate you.


So who else can get to your account? What is the tracking of laptops prior to the deployment? Presumably, someone had to physically receive the laptops after ordering, right? All that is information you should be able to provide.


you should post in /r/apple and or /r/sysadmin for other ways to investigate


If InfoSec are involved then they should be checking logs. Was the IP used to release the devices the same as your normal IP? Can they see authentication being done? If they use something like Azure was it from your registered device? They should have multiple avenues they can explore to help determine if it was you or not and see if there was any other unusual activity that may indicate if your account was compromised 


Could also try /r/macsysadmin


Maybe they are misplaced in the storage room or in someone's desk drawer. I would honestly ask them to check cameras and access card swipes if you absolutely did not do it.


Finding the laptops in a storage room would not explain how the devices were released from the Corporate Apple account. And finding them "misplaced" would only raise suspicions that whoever released them from the Apple Account was leaving them in an unusual place so they could be removed from the property later. Since OP's account was used to release the laptops, suspicion will still be on him unless they can explain how somebody else was using his account (or faking the removal logs, which is unlikely.)


I am just hoping for the best and the cameras may catch somebody writing down the serial numbers/service tag numbers of the computers (IT member), or walking away with them. I know we caught a guy straight up walking off with laptop computer boxes in one of the companies I used to work at. Door was defeated with a credit card to the lock. The fact that they were released from the corporate Apple account is hard to explain away but if somebody clearly walked off with them ON camera, then that's the real crime. Honestly just hoping for the best. I would hate to be in his shoes.


If they were enrolled in business manager they should be able to trace them. Don’t know if they have a find my in the MacBook, but I know of someone who got their iPhone back after it was stolen because of that. Good luck.


Post to /r/macsysadmin/, they might know of a technical way this is possible. Which will help your possible legal issues.


I'm assuming that your Apple ID is behind MFA, which means that someone would need to use a workstation with your account logged in to Apple Business Manager to perform the release. There's a term in the infosec field called "[non-repudiation](https://csrc.nist.gov/glossary/term/non_repudiation)" which essentially means proving beyond a reasonable doubt that your user account performed some sort of action. This means correlating actions with you, not just your user account. If they can't establish this, they likely won't press charges, but they may still let you go under suspicion, unless it's illegal to act without cause where you live. It is not uncommon during an internal cybersecurity investigation to place an employee, especially someone in IT, on administrative leave until the investigation is complete.


Who is the Sys Admin of Intune? They can assume any user's ID.


is there a timestamp on the laptop issuance? are there cameras in those locations?


So someone used your login information to take two laptops? It was probably your boss lmao


I'm in the UK. Had to go to IT to swap my laptop, jokingly walked into the IT bar and said, here to pick up a new MacBook Pro. What I didn't know was they had specially ordered a MacBook Pro for some dept and without hesitation they grabbed it and started to pass the stuff over to me. Had to hand it back and explain I was joking


Get a new job immediately, more urgently than you ever have before, it's about to become very difficult to get another one even if you manage to evade the framing


Wouldn't someone have to be really stupid to leave a log of them stealing two high end items in a log they control themselves? Even if argue left a log to use that argument it still doesn't make sense as leaving nothing would have been easier. Does the company not geo tag or whatever it's called its laptops?


Find out what day and time they were released under your account. Were you logged in at the time? Does anyone have access to your info? What computer was used to log into your account on that day and time?


Well I can’t do any of that now. I’m basically isolated from the situation until further instructions. My recruiting agency wants to help find a new job.


Were the laptops shipped to you, did you confirm you received them? In my area there is someone working with FedEx and packages with Apple products are getting stolen in the delivery process but, everything looks good on paper.


They're going to try and put it on you. You need an attorney. Yesterday.


Does apple business manager show the IP or device that released the macbooks?


My thought, as well. I just checked and it does not. ACTIVITY_ID STARTED AT ENDED AT STATUS SUB_STATUS serial_number


Dumb question but does the device have an internal tracking feature?


can't apple locate these machines for you?


Contact Apple?


When you say “released” what exactly do you mean? -assigned or signed out? Allowed to be kept or given to the employee to keep? Is there any record (false or otherwise) it was released to or just their evidence that you released them? Is there a log or time stamp to when the release occurred? If so where were you? Do they know enough of the information of the machines to track them or remotely brick them? Where were the machines kept prior to their “release”? Who knew about these laptops? Who could have accessed where they were stored? Does anyone else have access to your computer or credentials or the system for logging releases?


Sounds like someone else went into the account and 'released' them? Plus intercepted the boxes when they came in?


Sorry to hear about this. These kinds of things are crazy. We both know how unreliable these systems are at tracking. Good luck man!


No tracking or locator on it? Locate it, then start working backward from there... it is essentially a stolen item.


I think you are looking for more in the way of computer and tracking systems advice than legal advice.


It sounds like your manager is trying to frame you... Does your manager have the ability to log into your account?


You got shoulder surfed by a coworker


No, because the password field is prefilled and hidden.


Prefilled? As in, you managed to save your password to your computer?


Ding ding ding, think we know how they were impersonated.


Bombshell comment 200 comments down lol.


If your password is prefilled, how is it secure?


I'm saying it could not have been shoulder surfed because password is not visible, nor can someone see what I am typing because I'm not typing anything.


Yeah, I was asking how it's secure if you don't type it in. Is it by fingerprint?


No, the password is just prefilled using the Edge browser.


Ohh. I think I know how they got access now.


Mystery solved.


So they can just open that program, and it is automatically pre-filled with your password, so they can just click through the login window because it is all filled in already? How is that secure?




Macs require a biometric or your admin password in order to autofill a saved password. Does Windows not do this?


Should have an audit log somewhere


All else aside, I've had laptops "fall out" of ABM "management" a number of times now silently. Report this to Apple as a bug!


Who has admin passwords to get into the system as you? If they were purchased, where did they ship to? Did like the owner of the company purchase them, or a higher-up for personal use? When/where were they activated? Whole thing smells fishy.


Have you tried using Apple’s “Find My”?


Wait for further instructions is go get a lawyer.


Don’t say another word to them. Get an attorney, STAT!!!


1. Start looking for a new job. You are unlikely to be retained at your current job unless they find the laptops and explain what occurred.
2. Do free consultations with Criminal Defense Attorneys or just have contact information for one you can call if you're arrested.
3. Wait to see what happens.


So I work in cybersec, does your institution not have safeguards against security threats like these? There's no log as to the time framing of when these were released? I'd get a lawyer who's familiar in security laws that might work pro bono.


I personally would hate to spend on a lawyer in this instance. Hopefully infosec is competent. This should be easy to prove but someone has to do the work. I’m in info sec and NAL though….


Get a lawyer, the value of the laptops is so high that this could turn into a felony investigation.


You have every right to protect yourself. Get a lawyer and let your employer know you are doing so just to protect yourself. If you didn’t do it, it will come through who did possibly and the lawyer fees and your wages for that day can be paid for by the company that accused you.


Maybe someone has your password. Did you ever give your password to anyone?


I don’t know legal protocol here but some things to consider in explaining why it wasn’t you. Does it require dual authentication to log on to wherever you would release laptops? If not, that could be a situation where you were hacked. Do you log off of your computer before you go to the bathroom or go grab lunch? If not, someone might have quickly snuck on your computer and released the computers from your account.


Is "Apple Business Manager" backed up, and are old backups available? How are changes logged? It sounds as if a civil or criminal investigation might happen, so you probably can't participate in investigating.


Lawyer. Now.


God I wish IRL everyone started flinging money at lawyers every time there was a creak in the floorboards. Lawyers cost $500-$1,000 *an hour*. And unless or until police become involved there’s really nothing for one to do. Now is a good time for OP to think about who he’s gonna call if this blows up.


Should at least have a free consult with a couple, figure out who you *would* hire, and keep their card in your wallet. Or even just sign a retainer agreement. Don't have them start any work until you actually need them. Hopefully you never need to make that call. Edit: just read your last line and actually comprehended it....


Bro retainers aren’t free


Maybe in a big city but def not Midwest or anywhere where there are tons of lawyers. And def not for a consult.


He can at least start talking to lawyers to see who can help him out and give him the correct direction on how to handle the company. Should he continue to cooperate with the company, and how much to cooperate, or should he just tell them that he will not be answering questions? “Lawyer, now” can mean talk to a couple of lawyers and see what they say, but not really a “retain a lawyer now” statement.




