Disable Find My Mac

al_c
New Contributor III

I set a Restrictions configuration profile to disable Find My Mac. I ensured that I'm part of the scope and that the config profile actually installed on my machine. My machine is checking in with no problem. However, I'm still able to turn on/off Find My Mac after the Restrictions profile is installed.

Anyone having this issue or recommend a better way of disabling? What scares me the most is a user being able to remote wipe their Mac without IT's consent.

41 REPLIES

DBrowning
Valued Contributor II

This has been an issue since Catalina. You need to create a manual profile with the following setting. Also, if it's already enabled, there is no way to automate turning it off.


Swordfish
New Contributor II

This worked! Awesome! Thank you!!!!

Worked like a charm! Thank you!

chriso16
New Contributor III

Has anyone tested this in macOS Sonoma? It seems that after upgrading it's enabled again.

Jared_Y
Release Candidate Programs Tester

It is working on Sonoma for me. The Turn ON button doesn't do anything when clicked. 

 


chriso16
New Contributor III

Thanks, I also get the same behavior. I guess this is new behavior, as in Ventura it's just grayed out.


spoe
New Contributor

@DBrowning I need to do this myself. Would you, or someone, share their profile please?

DBrowning
Valued Contributor II

Hey @spoe, everything you need can be seen in the screenshot. You'll need to create a plist file with the below and then upload it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

fredrik_virding
Contributor

@DBrowning

Most epic. Will also try this! Will this help disable "Activation Lock"? Have that set in the Prestage.

DBrowning
Valued Contributor II

This will only gray out the option to turn on FindMyMac.

fredrik_virding
Contributor

Cool!

It sure will help a lot.

Is the Activation Lock + Find My Mac feature that unreliable?

DBrowning
Valued Contributor II

There has been a bug in the payload from Jamf for disabling FindMyMac since Catalina. This is just a way to make sure the option is grayed out like it should be if using the payload in the Jamf Restrictions Payload.

fredrik_virding
Contributor

Ah! I see! Still very nice! Thanks for info and config!

AHolmdahl
New Contributor III

@DBrowning You can create an extension attribute which shows which Macs have "Find My" turned on.

#!/bin/bash

# Check if "Find My Mac" is enabled (the FMM token key is present in NVRAM)
if nvram -xp | grep '<key>fmm-mobileme-token-FMM</key>' > /dev/null 2>&1; then
    FindMyMac="Enabled"
else
    FindMyMac="Disabled"
fi
echo "<result>$FindMyMac</result>"

Hi @AHolmdahl, thanks for this small script.

Does it still work? I have it published in Jamf, but the Extension Attribute is blank when you look at a machine in inventory.

I was able to get it to work using this:

 

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ];
then echo "<result>Disabled</result>"
else echo "<result>Enabled</result>"
fi

AHolmdahl
New Contributor III

Then you can purge the FMM tokens from NVRAM:

#!/bin/bash

/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Tokens Purged"
exit 0

N.B. It will require a restart for changes to take effect.

DBrowning
Valued Contributor II

@AHolmdahl I just manually ran the nvram -d fmm-mobileme-token-FMM command, rebooted, and FMM is still enabled.

AHolmdahl
New Contributor III

@dbrowning My bad ... the nvram command seems to be deprecated.

Phil_P
New Contributor II

If we push the .plist to disable the Find My Mac button does that mean it will be stuck in the Enabled state for those that already have it turned on? I'm dealing with this headache today on a new laptop from a former employee. 

Did you figure out a way around this? I ran the config profile to disable FMM but it just disabled the option. Users that had FMM on still have it on and now we cannot turn it off.

I'm thinking about turning this on for everyone at my org as well. My thought was, yes, maybe those folks that have FMM on won't be able to turn it off, but those individuals could make an IT request and I imagine we could add them to the Exclusion for the Config Profile.

Testing that part out before I scope it to everyone.

Yes, this is basically what I had to do as well. Two profiles, opposites. I remove the user from one scope then add them to the other to allow us to turn off FMM for repair. 

karthikeyan_mac
Valued Contributor

It's the same in macOS Monterey 12.0.1 with Jamf Pro 10.33. Unable to disable Find My Mac with Configuration Profiles.

jlombardo
Contributor

Has anyone figured out a way to disable find my mac through Jamf if it is enabled?  Depressingly we have a good chunk of our fleet that has it on and it would be nice if we can disable it from the MDM.

dpwlg
New Contributor III

Has anyone found out a way to disable FMM on a machine that already has it turned on? Tried the steps above but was only able to grey out the FMM option. But under Options I still have the option, as the user, to turn it on/off. But I am trying to forcefully disable this option.

Brayton
New Contributor

No luck on my end. I made an extension attribute to show the status on each computer, then made smart groups that find all the computers with and without it. I then created the config profile to grey out the on / off switch, applied it to those that are already disabled and excluded those that are currently enabled. I then made a report of all that are enabled and we're manually contacting users to have them disable it. It's a PITA for a global company, but at least we can prevent it from being enabled in the future. Well, until a macOS update unwinds it all.

Yes same here, good to know and thanks for sharing! 

dpwlg
New Contributor III

Hey, mind sharing your extension attribute or the config setup to get this completed? Would really help out.

Jared_Y
Release Candidate Programs Tester

@dpwlg use the following EA (name it FindMyMac Status):

 

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ];
then echo "<result>Disabled</result>"
else echo "<result>Enabled</result>"
fi

 

Create a Smart Group:

  • name: FindMyMac Enabled
  • (criteria) FindMyMac Status (operator) is (value) Enabled

Create a Configuration Profile:

  • name: Disable iCloud FindMyMac Option
  • Application & Custom Settings
    • domain: com.apple.icloud.managed
    • Upload File (copy & paste the following):

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

 

  • Scope: 
    • Targets: All Managed Clients (or relevant scope for your use case)
    • Exclusions: Smart Group: FindMyMac Enabled

Once the config profile is deployed you will be able to then contact the computers that show in the Smart Group "FindMyMac Enabled" (view > export csv). Once they disable FMM on their machine > have the computer check in to Jamf (sudo jamf recon or wait until next check-in) > It will then move them to the Config Profile and grey out/lock FMM in iCloud settings. 
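
An added example, not part of the thread and not any poster's or Jamf's own code: an extension attribute that combines the NVRAM check above with a check that the DisableFMMiCloudSetting lock is actually enforced, so smart groups can separate all four states. The `classify` function, the result strings, the sample inputs and the choice to read the value from /Library/Managed Preferences are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: one extension attribute reporting both the Find My Mac state
# and whether the DisableFMMiCloudSetting lock is being enforced.

# classify NVRAM_XML MANAGED_VALUE
#   NVRAM_XML      output of `nvram -xp`
#   MANAGED_VALUE  what `defaults read` prints for DisableFMMiCloudSetting
#                  (1 when the profile enforces it, empty when the key is absent)
classify() {
    fmm="Disabled"
    lock="Unlocked"
    # Match the whole <key> element so a longer variable name that merely
    # starts with the same text does not count as the token.
    if printf '%s\n' "$1" | grep -q '<key>fmm-mobileme-token-FMM</key>'; then
        fmm="Enabled"
    fi
    case "$2" in
        1|true|YES) lock="Locked" ;;
    esac
    echo "${fmm}-${lock}"
}

# Constructed sample inputs (not captured from a real Mac).
SAMPLE_ON='<dict>
<key>fmm-mobileme-token-FMM</key>
<data>Q09OU1RSVUNURUQ=</data>
</dict>'
SAMPLE_OFF='<dict>
<key>fmm-mobileme-token-FMM-constructed-suffix</key>
<data>Q09OU1RSVUNURUQ=</data>
</dict>'

if [ "$(uname -s)" = "Darwin" ]; then
    # Assumption: the profile is installed at computer level, so the value
    # shows up under /Library/Managed Preferences.
    nv=$(/usr/sbin/nvram -xp 2>/dev/null)
    managed=$(/usr/bin/defaults read \
        "/Library/Managed Preferences/com.apple.icloud.managed" \
        DisableFMMiCloudSetting 2>/dev/null)
    echo "<result>$(classify "$nv" "$managed")</result>"
else
    # Off a Mac, show the four possible results using the samples.
    for nvx in "$SAMPLE_ON" "$SAMPLE_OFF"; do
        for val in 1 ""; do classify "$nvx" "$val"; done
    done
fi
```

Enabled-Locked is the state reported in this thread where the option is greyed out but FMM is still on; those machines need to be moved to the exclusion before the user can turn it off.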

 

thellum
New Contributor III

This was super helpful. Laying it out step by step allowed me to see the process from a high view and then implement very easily. Thank you!

ProfileCreator and iMazing Profile Editor both use this key instead: 

 

<key>allowCloudFMM</key>
<false/>

 

iMazing also shows '13.1' in red with an 'x', only for this key, no other ones. Like it's deprecated or something:


Not finding anything when searching developer.apple.com

Guess I'll just have to do some testing, but I want to use whatever best practice is / something that's not going to stop working in the near future.

techmchs
New Contributor III

Just one question: if I just created the EA and, in my case, teachers are out for summer, when they check in once they get back online, will the exclusion list get populated in time for them to be excluded? Hope that makes sense.

Swordfish
New Contributor II

Can you clarify what you mean by "EA"? Also, do the teachers currently have possession of the managed machines or will they be redeployed when they return?

If the machine is managed, the config profile will get pushed to the machine as soon as it checks in. 

techmchs
New Contributor III

Was referring to workflow above. EA is extension attribute. Was wondering if a smart group built of an EA would happen before the config profiles going out. 

Swordfish
New Contributor II

Ah, yes. I would like to say this would work but I can't say for sure as I have not tested that use case on my end. Sry.

pete_c
Contributor III

macOS Ventura 13.4 still apparently does not recognize or enforce the `allowCloudFMM` key.

Creating a new profile directly in the JSS:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
        <key>allowCloudFMM</key>
        <true/>
    </dict>
</plist>

Deploying to a 13.4 device without an iCloud account signed in disables the option in System Settings > iCloud > Apps Using iCloud > Find My Mac.

Deploying to a 13.4 device with an iCloud account already signed in and FMM active disables the option in System Settings > iCloud > Apps Using iCloud > Find My Mac, but still shows FMM as 'On'.

If disabling Find My Mac is important to your organization or security profile, please remember to file feedback.

pete_c
Contributor III

After restarting the device that previously reported On after receiving the profile, FMM still showed On.

whiteb
Contributor II

Look at using iMazing Profile Editor. It will show which keys are deprecated which is handy. There is another key you can use to restrict Find My. I'm not sure if it will turn it off if it's already on though, I haven't tested that.

<key>DisableFMMiCloudSetting</key> 

The above key is still working.

I noticed the key you mentioned wasn't working as well, and reached out to iMazing and they were super helpful. Unfortunately the deprecation of keys like this isn't documented and the knowledge seems to only get around via word of mouth by the mac admin community :\
