Posted on 03-14-2022 07:21 AM
We have found ourselves in a situation where a user created an AppleID for the purpose of logging in to the Mac App Store to install some apps.When he did that, the Mac latched on to that AppleID and enabled all the goodies that AppleIDs can use - including Find My Mac. The problem is that the user's Mac has died and needs to be repaired. The user has no idea what his AppleID password is and he's locked the account. Account recovery apparently takes 3 weeks to complete. Since Find My Mac is enabled and the user has no way of logging in on the computer nor on iCloud.com we can't disable it or remove the computer from the account. We may have to write this computer off and move on. (Another similar situation that you may find yourself is that a former employee logged in with their AppleID, but didn't remove it from their account when they left and now the computer needs repair while that user is 100% unreachable)
What I would like to do is identify all Macs that have an AppleID logged in on them so we can reach out specifically to those users and have them disable Find My Mac or remove the computer from their accounts. I know how to block the AppleID/iCloud system preferences to prevent future associations, but we need to identify all the Macs that could potentially put us in this same situation. Is such a thing possible using an EA?
Posted on 03-14-2022 07:59 AM
Hi, I found this on github for icloud account details. https://github.com/bp88/Jamf-Pro-Extension-Attributes/blob/master/iCloud%20Account%20Details.sh
There is also another EA I have to check if the Find my Mac is enabled:
#!/bin/sh
# Determine whether Find My Mac has been set on Mac.
# Values are stored in NRAM and will be: "Enabled" or "Disabled".
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep "fmm-mobileme-token-FMM")
if [ -z "$fmmToken" ]; then
echo "<result>Disabled</result>"
else
echo "<result>Enabled</result>"
fi
exit 0
Posted on 04-05-2024 11:13 AM
Hello - after running this script, how do I see who has an AppleID? I see in the logs "completed" but not sure where to look for that information. Do I create a smart group of some kind?
Posted on 03-14-2022 08:30 AM
@AVmcclint If you're using Automated Device Enrollment you can enable the "Prevent user from enabling Activation Lock" in your PreStage Enrollment configuration to avoid future occurrences of this problem.
As for unlocking already locked devices, AppleCare for Enterprise has a process for requesting Activation Lock be removed if you can provide proof of ownership. If that's available via non-Enterprise level AppleCare I don't know, but it's probably worth a try.
Posted on 03-14-2022 01:07 PM
In terms of your already activation lock, this happens many times for us. The best bet to remove the Apple ID is actually calling the ABM team and getting them either a proof a purchase, or a Screenshot of the enrollment history of JAMF to verify its a business's laptop and they will remove the lock from their end. However, after they remove it, you need to do an internet recovery restore (partition the drive and reinstall macOS again). It is tedious but the only around it has we just started JAMF and learned the hard way.
Posted on 03-15-2022 09:41 AM
When you call AppleCare to remove the activation lock, you can state that the device is in your Apple Business/School Manager and that will work for the proof of purchase if it is in there.
Also in Jamf > device record > Management is an Activation Lock bypass code. Check there to see if Jamf captured it so you can bypass if needed.