This has been an issue since Catalina. You need to create a manual profile with the following setting. Also, if it's already enabled, there is no way to automate turning it off.

This worked! Awesome! Thank you!!!!
@dpwlg use the following EA (name it FindMyMac Status):
#!/bin/sh
# Jamf extension attribute: report whether a Find My Mac token is present in NVRAM.
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi
Create a Smart Group:
- name: FindMyMac Enabled
- (criteria) FindMyMac Status (operator) is (value) Enabled
Create a Configuration Profile:
- name: Disable iCloud FindMyMac Option
- Application & Custom Settings
- domain: com.apple.icloud.managed
- Upload File (copy & paste the following):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
</dict>
</plist>
- Scope:
- Targets: All Managed Clients (or relevant scope for your use case)
- Exclusions: Smart Group: FindMyMac Enabled
Once the config profile is deployed you will be able to then contact the computers that show in the Smart Group "FindMyMac Enabled" (view > export csv). Once they disable FMM on their machine > have the computer check in to Jamf (sudo jamf recon or wait until next check-in) > It will then move them to the Config Profile and grey out/lock FMM in iCloud settings.
This was super helpful. Laying it out step by step allowed me to see the process from a high view and then implement very easily. Thank you!
ProfileCreator and iMazing Profile Editor both use this key instead:
<key>allowCloudFMM</key>
<false/>
iMazing also shows '13.1' in red with an 'x', only for this key, no other ones. Like it's deprecated or something:

Not finding anything when searching developer.apple.com
Guess I'll just have to do some testing, but I want to use whatever best practice is / something that's not going to stop working in the near future.
macOS Ventura 13.4 still apparently does not recognize or enforce the `allowCloudFMM` key.
Creating a new profile directly in the JSS:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
<key>allowCloudFMM</key>
<true/>
</dict>
</plist>
Deploying to a 13.4 device without an iCloud account signed in disables the option in System Settings > iCloud > Apps Using iCloud > Find My Mac.
Deploying to a 13.4 device with an iCloud account already signed in and FMM active disables the option in System Settings > iCloud > Apps Using iCloud > Find My Mac, but still shows FMM as 'On'.
If disabling Find My Mac is important to your organization or security profile, please remember to file feedback.
After restarting the device that previously reported On after receiving the profile, FMM still showed On.
Look at using iMazing Profile Editor. It will show which keys are deprecated which is handy. There is another key you can use to restrict Find My. I'm not sure if it will turn it off if it's already on though, I haven't tested that.
<key>DisableFMMiCloudSetting</key>
The above key is still working.
I noticed the key you mentioned wasn't working as well, and reached out to iMazing and they were super helpful. Unfortunately the deprecation of keys like this isn't documented and the knowledge seems to only get around via word of mouth by the mac admin community :\


Hello @whiteb ,
I posted the original post when I noticed the key I had in place stopped working when we deployed macOS Ventura to our enterprise. However, I updated it after chatting with some users here who ran into the same issue. I can confirm that after updating to 13.4, the key I had put in place is still working, as you had stated. Please see below. I will def follow up if this changes in any way.
In addition, thank you for the iMazing Profile Editor tool. Really good to be aware of that.
Thanks, again!
----
PLIST file containing key value pairs for settings in the specified domain
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
</dict>
</plist>
------
Awesome, great to hear! In my testing, turning Find My on seemed to require admin rights as well (which none of our users have).
Just one question: If I just created the EA and, in my case, teachers are out for summer, when they check in when they get back online, will the exclusion list get populated in time for them to be excluded? Hope that makes sense.
Can you clarify what you mean by "EA"? Also, do the teachers currently have possession of the managed machines or will they be redeployed when they return?
If the machine is managed, the config profile will get pushed to the machine as soon as it checks in.
Was referring to workflow above. EA is extension attribute. Was wondering if a smart group built of an EA would happen before the config profiles going out.
Ah, yes. I would like to say this would work but I can't say for sure as I have not tested that use case on my end. Sry.
Worked like a charm! Thank you!
Has anyone tested this in macOS Sonoma? It seems after upgrading it's enabled again.
It is working on Sonoma for me. The Turn ON button doesn't do anything when clicked.


Thanks, I also get the same behavior. I guess this is new behavior, as in Ventura it's just grayed out.

So I am working on checking and updating/cleaning up some policies and came to check in on this. I saw that it was now working for "Sonoma". But when I am testing with it today for "Sequoia" 15.4.1, it looks to not be working again, maybe on this latest version? With "Allow iCloud Find My Mac" unchecked I am still able to enable and disable the feature.... Anyone else tried this on the latest OS? Being able to use the built-in options instead of needing to set it with a Plist?
Thanks so much! 🤙
I just signed into a test computer running 15.4.1 with a personal Apple ID. The behavior I'm still seeing is that clicking 'Turn On' for Find My Mac doesn't do anything, so it does seem to be still working for us in the latest Sequoia.
But I'm still using a profile I made with iMazing Profile Editor and not Jamf's built-in one. Maybe theirs is bugged?
If you use Jamf's built-in one, create the profile, save it, look at it in a text editor, what key are they using?
DisableFMMiCloudSetting is still working in 15.4.1.
We disable this as part of a larger baseline config profile, but a standalone one that does just this would look like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
<key>PayloadDisplayName</key>
<string>iCloud Find My</string>
<key>PayloadIdentifier</key>
<string>com.apple.icloud.managed.E6510E38-D6AB-4B6F-A230-439CD08EFC16</string>
<key>PayloadType</key>
<string>com.apple.icloud.managed</string>
<key>PayloadUUID</key>
<string>E6510E38-D6AB-4B6F-A230-439CD08EFC16</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Disable Find My</string>
<key>PayloadIdentifier</key>
<string>2B0DAAC6-F620-4E62-BEB9-5E673DED4876</string>
<key>PayloadOrganization</key>
<string>Your Org Here</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2B0DAAC6-F620-4E62-BEB9-5E673DED4876</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
I generally like to sign profiles before uploading so Jamf can't mess with them, but it's not always required.
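An added example, not code from any poster in this thread: a pre-upload check that reads either a bare settings plist (as uploaded under Application & Custom Settings) or a full .mobileconfig like the one above, confirms `DisableFMMiCloudSetting` is `<true/>` in a `com.apple.icloud.managed` payload, and warns when `allowCloudFMM` is present, since posters above report macOS 13.4 does not enforce it. The function names and the sample plists are constructed for illustration.

```python
import plistlib

MANAGED_DOMAIN = "com.apple.icloud.managed"  # domain / PayloadType used in the thread
WORKING_KEY = "DisableFMMiCloudSetting"      # key posters report as still enforced
UNENFORCED_KEY = "allowCloudFMM"             # key reported as not enforced on 13.4

def fmm_settings(data: bytes):
    """Return the dicts that may carry Find My Mac settings (hypothetical helper).

    A bare settings plist is returned as-is; for a full .mobileconfig only
    PayloadContent entries of type com.apple.icloud.managed are returned."""
    root = plistlib.loads(data)
    if not isinstance(root, dict):
        raise ValueError("top-level plist object must be a dict")
    if "PayloadContent" not in root:
        return [root]
    return [p for p in root["PayloadContent"]
            if isinstance(p, dict) and p.get("PayloadType") == MANAGED_DOMAIN]

def audit(data: bytes):
    """Return (enforced, warnings) for one profile (hypothetical helper)."""
    warnings, enforced = [], False
    settings = fmm_settings(data)
    if not settings:
        warnings.append(f"no {MANAGED_DOMAIN} payload found")
    for s in settings:
        if s.get(WORKING_KEY) is True:
            enforced = True
        elif WORKING_KEY in s:
            warnings.append(f"{WORKING_KEY} is present but not <true/>")
        if UNENFORCED_KEY in s:
            warnings.append(f"{UNENFORCED_KEY} set to {s[UNENFORCED_KEY]!r}; "
                            "thread reports macOS 13.4 does not enforce it")
    if settings and not enforced:
        warnings.append(f"{WORKING_KEY} is not set to true in any payload")
    return enforced, warnings

# Constructed sample inputs, modelled on the plists posted in this thread.
HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
BARE = HEADER + b"<dict><key>DisableFMMiCloudSetting</key><true/></dict></plist>"
ONLY_ALLOW = HEADER + b"<dict><key>allowCloudFMM</key><false/></dict></plist>"
FULL = HEADER + (
    b"<dict><key>PayloadContent</key><array><dict>"
    b"<key>DisableFMMiCloudSetting</key><true/>"
    b"<key>PayloadType</key><string>com.apple.icloud.managed</string>"
    b"</dict></array>"
    b"<key>PayloadType</key><string>Configuration</string></dict></plist>")

if __name__ == "__main__":
    for name, blob in (("bare", BARE), ("allow-only", ONLY_ALLOW), ("full", FULL)):
        print(name, audit(blob))
```

This only checks what the profile asks for; whether a given macOS release honors the key still has to be confirmed on a test device, as the posters above did.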