For reporting purposes these may be some handy extension attributes:
Find My Mac:
#!/bin/bash
# Purpose: to see if machine is enrolled in Find My Mac
plistBud="/usr/libexec/PlistBuddy"
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
FindMyMac="Not Enabled"
fi
echo "<result>$FindMyMac</result>"
Note: If iCloud has been enabled but Find My Mac has not been enabled yet, then the value it's looking for will not report back correctly. Keep that in mind.
iCloud
#!/bin/bash
# Purpose: to grab iCloud status
plistBud="/usr/libexec/PlistBuddy"
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
iCloudStatus="Not Enabled"
fi
echo "<result>$iCloudStatus</result>"
For disabling:
As far as disabling, you can try to prevent it but there may be ways around it:
Basically use a config profile to block Internet Accounts and iCloud.
You will probably also want to remove the iCloud Drive from the Finder sidebar. There's a python script someone has created that might come in handy so that it removes it.
Also some other neat articles regarding Find My Mac (in a situation where a user leaves and had Find My Mac enabled):
http://ilostmynotes.blogspot.com/2013/11/disable-find-my-mac-by-modifiying-nvram.html
https://clburlison.com/find-my-mac/
The below will report if a Mac has been enrolled into FindMyMac:
#!/bin/sh
#
# Will reply Set if Find My Mac is set for this Mac
#
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ];
then
echo "<result>Not Set</result>"
else
echo "<result>Set</result>"
fi
Thanks for the EAs and the links. I haven't tested yet, and will, but has anyone tried clearing the nvram? Curious how Find My Mac responds for the person who enrolled after this is done.
I will test this out for myself and post my results.
Thank you again for the help.
@cgolebio This should clear the NVRAM fmm key:
/usr/sbin/nvram -d fmm-mobileme-token-FMM
But i think the Mac will need a restart for it to take affect.
In my imaging workflow I run the below to clear NVRAM:
/usr/sbin/nvram -c
Has anyone else spoken to Apple about the prospect of adding controls for these to Mac OS X? I notice that there is granular control for iCloud functionality in iOS but, in our instance at least, this is of no use as we have managed OS X devices, but the iOS devices are unmanaged.
For reference purposes if you want to disable FMM without requiring a reboot the following works in 10.13.2. Removing the fmm-computer-name and restarting the FindMyMacd process were not 100% required however since they are all related better safe (plus I didn't test anything older than 10.13.
#!/bin/sh
nvram -d fmm-computer-name
nvram -d fmm-mobileme-token-FMM
killall -HUP findmydeviced
killall -HUP FindMyMacd
