Stolen Devices

Purpose

The purpose of this solution is to detect and lockdown machines that are marked as stolen. This article will help guide technicians in implementing the solution within a ConnectWise Automate environment.

Associated Content

Content	Type	Function
SEC - Encryption - Script - Lock Stolen System	Script	Tracks and locks down stolen systems.
SEC - Security - Internal Monitor - EDF-Based Stolen Systems Monitor	Internal Monitor	Detects online machines where the Mark As Stolen EDF is marked.
△ CUSTOM - Execute Script - Lock Stolen System	Alert Template	Executes the script against the computers detected by the internal monitor.

Implementation

• Read the solution-related documents carefully.
• Import the script SEC - Encryption - Script - Lock Stolen System.
• Reload the system cache and ensure that the EDFs mentioned in the script's document are properly imported.
• Create/import the Marked as Stolen search, which should look for machines where the Mark System As Stolen EDF is marked.
  
• Create/import the Marked as Stolen group, which should use the Marked as Stolen search as an Autojoin search.
  
• Import the internal monitor SEC - Security - Internal Monitor - EDF-Based Stolen Systems Monitor.
• Limit the monitor set to the Marked as Stolen group.
  
• Import/create the △ CUSTOM - Execute Script - Lock Stolen System alert template. It should execute the SEC - Encryption - Script - Lock Stolen System script on failure.
• Assign the alert template to the monitor set.
• Mark the Mark System As Stolen EDF on the concerned computers. Marking the System Lockdown EDF will enable the script's feature to BitLocker and shutdown the computer.