Disable Find My Mac

  • April 15, 2021
  • 43 replies
  • 550 views


I set a Restrictions configuration profile to disable Find My Mac. I ensured that I'm part of the scope and that the config profile actually installed on my machine. My machine is checking in with no problem. However, I'm still able to turn on/off Find My Mac after the Restrictions profile is installed.

Anyone having this issue or recommend a better way of disabling? What scares me the most is a user being able to remote wipe their Mac without IT's consent.

43 replies

DBrowning
  • Esteemed Contributor
  • April 15, 2021

This has been an issue since Catalina. You need to create a manual profile with the following setting. Also, if it's already enabled, there is no way to automate turning it off.


  • New Contributor
  • May 4, 2021

@DBrowning I need to do this myself. Would you, or someone, share their profile please?


DBrowning
  • Esteemed Contributor
  • May 4, 2021

Hey @spoe, everything you need can be seen in the screenshot. You'll need to create a plist file with the below and then upload it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>


@DBrowning

Most epic. Will also try this! Will this help disable "Activation Lock"? Have that set in the Prestage.


DBrowning
  • Esteemed Contributor
  • May 4, 2021

This will only gray out the option to turn on FindMyMac.



Cool!

It sure will help a lot.

Is the Activation Lock + Find My Mac feature that unreliable?


DBrowning
  • Esteemed Contributor
  • May 4, 2021

There has been a bug in the payload from Jamf for disabling FindMyMac since Catalina. This is just a way to make sure the option is grayed out like it should be if using the payload in the Jamf Restrictions Payload.



Ah! I see! Still very nice! Thanks for info and config!


  • Contributor
  • May 27, 2021

@DBrowning You can create an extension attribute which shows which Macs have "Find My" turned on.

#!/bin/bash

# Check if "Find My Mac" is enabled: the FMM token key exists in NVRAM only when it is on
if nvram -xp | grep '<key>fmm-mobileme-token-FMM</key>' > /dev/null 2>&1; then
    FindMyMac="Enabled"
else
    FindMyMac="Disabled"
fi
echo "<result>$FindMyMac</result>"


  • Contributor
  • May 27, 2021

Then you can purge the FMM tokens from NVRAM:

#!/bin/bash

/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Tokens Purged"
exit 0

N.B. It will require a restart for changes to take effect.


DBrowning
  • Esteemed Contributor
  • May 27, 2021

@AHolmdahl I just manually ran the nvram -d fmm-mobileme-token-FMM command, rebooted, and FMM is still enabled.


  • Contributor
  • May 27, 2021

@dbrowning My bad ... the nvram command seems to be deprecated.


  • New Contributor
  • July 30, 2021

If we push the .plist to disable the Find My Mac button does that mean it will be stuck in the Enabled state for those that already have it turned on? I'm dealing with this headache today on a new laptop from a former employee. 


  • New Contributor
  • November 11, 2021

> If we push the .plist to disable the Find My Mac button does that mean it will be stuck in the Enabled state for those that already have it turned on? I'm dealing with this headache today on a new laptop from a former employee.


Did you figure out a way around this? I ran the config profile to disable FMM but it just disabled the option. Users that had FMM on still have it on and now we cannot turn it off.


karthikeyan_mac
  • Honored Contributor
  • November 26, 2021

It's the same in macOS Monterey 12.0.1 with Jamf Pro 10.33. Unable to disable Find My Mac with Configuration Profiles.


crCraig
  • New Contributor
  • December 8, 2021

> Did you figure out a way around this? I ran the config profile to disable FMM but it just disabled the option. Users that had FMM on still have it on and now we cannot turn it off.


I'm thinking about turning this on for everyone at my org as well. My thought was, yes, maybe those folks that have FMM on won't be able to turn it off, but those individuals could make an IT request and I imagine we could add them to the Exclusion for the Config Profile.

Testing that part out before I scope it to everyone.


  • New Contributor
  • December 8, 2021

> I'm thinking about turning this on for everyone at my org as well. My thought was, yes, maybe those folks that have FMM on won't be able to turn it off, but those individuals could make an IT request and I imagine we could add them to the Exclusion for the Config Profile.
>
> Testing that part out before I scope it to everyone.


Yes, this is basically what I had to do as well. Two profiles, opposites. I remove the user from one scope then add them to the other to allow us to turn off FMM for repair. 


  • Valued Contributor
  • February 9, 2022

> @DBrowning You can create an extension attribute which shows which Macs have "Find My" turned on.
>
> #!/bin/bash
>
> # Check if "Find My Mac" is enabled: the FMM token key exists in NVRAM only when it is on
> if nvram -xp | grep '<key>fmm-mobileme-token-FMM</key>' > /dev/null 2>&1; then
>     FindMyMac="Enabled"
> else
>     FindMyMac="Disabled"
> fi
> echo "<result>$FindMyMac</result>"


Hi @AHolmdahl, thanks for this small script.

Does it still work? I have it published in Jamf, but the Extension Attribute is blank when you look at a machine in inventory.


  • Valued Contributor
  • February 9, 2022

> Hi @AHolmdahl, thanks for this small script.
>
> Does it still work? I have it published in Jamf, but the Extension Attribute is blank when you look at a machine in inventory.


I was able to get it to work using this:

 

#!/bin/bash

# Capture the FMM token entry from NVRAM; empty output means Find My Mac is off
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi

  • Valued Contributor
  • February 9, 2022

Has anyone figured out a way to disable find my mac through Jamf if it is enabled?  Depressingly we have a good chunk of our fleet that has it on and it would be nice if we can disable it from the MDM.


dpwlg
  • Contributor
  • April 1, 2022

Has anyone found out a way to disable FMM on a machine that already has it turned on? Tried the steps above but was only able to grey out the option FMM. But still under options have the option as the user to turn it on/off. But I am trying to forcefully disable this option.


  • New Contributor
  • April 1, 2022

No luck on my end. I made an extension attribute to show the status on each computer, then made smart groups that find all the computers with and without it. I then created the config profile to grey out the on / off switch, applied it to those that are already disabled and excluded those that are currently enabled. I then made a report of all that are enabled and we're manually contacting users to have them disable it. It's a PITA for a global company, but at least we can prevent it from being enabled in the future. Well, until a macOS update unwinds it all.


larsafpetersens

> No luck on my end. I made an extension attribute to show the status on each computer, then made smart groups that find all the computers with and without it. I then created the config profile to grey out the on / off switch, applied it to those that are already disabled and excluded those that are currently enabled. I then made a report of all that are enabled and we're manually contacting users to have them disable it. It's a PITA for a global company, but at least we can prevent it from being enabled in the future. Well, until a macOS update unwinds it all.


Yes same here, good to know and thanks for sharing! 


dpwlg
  • Contributor
  • April 5, 2022

> No luck on my end. I made an extension attribute to show the status on each computer, then made smart groups that find all the computers with and without it. I then created the config profile to grey out the on / off switch, applied it to those that are already disabled and excluded those that are currently enabled. I then made a report of all that are enabled and we're manually contacting users to have them disable it. It's a PITA for a global company, but at least we can prevent it from being enabled in the future. Well, until a macOS update unwinds it all.


Hey, mind sharing your extension attribute or the config setup to get this completed? Would really help out.


Jared_Y
  • Jamf Heroes
  • July 28, 2022

> Hey, mind sharing your extension attribute or the config setup to get this completed? Would really help out.


@dpwlg use the following EA (name it FindMyMac Status):

 

#!/bin/bash

# Capture the FMM token entry from NVRAM; empty output means Find My Mac is off
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi

 

Create a Smart Group:

  • name: FindMyMac Enabled
  • (criteria) FindMyMac Status (operator) is (value) Enabled

Create a Configuration Profile:

  • name: Disable iCloud FindMyMac Option
  • Application & Custom Settings
    • domain: com.apple.icloud.managed
    • Upload File (copy & paste the following):

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

 

  • Scope: 
    • Targets: All Managed Clients (or relevant scope for your use case)
    • Exclusions: Smart Group: FindMyMac Enabled

Once the config profile is deployed you will be able to then contact the computers that show in the Smart Group "FindMyMac Enabled" (view > export csv). Once they disable FMM on their machine > have the computer check in to Jamf (sudo jamf recon or wait until next check-in) > It will then move them to the Config Profile and grey out/lock FMM in iCloud settings.
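
Added example, not part of the original thread and not Jamf's own code: an extension attribute that reports the Find My Mac state together with whether the DisableFMMiCloudSetting managed preference is in effect, so Macs in the "stuck" state described above (FMM on, toggle locked) show up as "Enabled, Locked". It assumes the profile's com.apple.icloud.managed domain is written under /Library/Managed Preferences; the function names and the sample NVRAM text are constructed for illustration.

```shell
#!/bin/bash
# Added example: Jamf EA combining Find My Mac state with profile lock state.
# Assumption: the managed domain lands in /Library/Managed Preferences.
MANAGED_PLIST="/Library/Managed Preferences/com.apple.icloud.managed"

# Constructed sample of `nvram -x -p` output (token value is a placeholder).
SAMPLE_NVRAM_ON='<dict>
    <key>fmm-mobileme-token-FMM</key>
    <data>CONSTRUCTED-PLACEHOLDER</data>
</dict>'

# Reads `nvram -x -p` XML on stdin; the FMM token key is present only when
# Find My Mac is on (same check as the EA posted in the thread).
fmm_from_nvram() {
    if grep -q '<key>fmm-mobileme-token-FMM</key>'; then
        echo "Enabled"
    else
        echo "Disabled"
    fi
}

# $1 is what `defaults read` printed for DisableFMMiCloudSetting:
# "1" when the profile sets it true, empty when the key or file is absent.
lock_from_pref() {
    case "$1" in
        1) echo "Locked" ;;
        *) echo "Unlocked" ;;
    esac
}

# Combine both facts into one EA value, e.g. "Enabled, Locked".
ea_result() {
    local fmm lock
    fmm=$(printf '%s\n' "$1" | fmm_from_nvram)
    lock=$(lock_from_pref "$2")
    echo "<result>${fmm}, ${lock}</result>"
}

if [ "$(uname -s)" = "Darwin" ]; then
    nvram_xml=$(/usr/sbin/nvram -x -p 2>/dev/null) || nvram_xml=""
    pref=$(/usr/bin/defaults read "$MANAGED_PLIST" DisableFMMiCloudSetting 2>/dev/null) || pref=""
    ea_result "$nvram_xml" "$pref"
else
    # Not a Mac: run against the constructed sample instead.
    ea_result "$SAMPLE_NVRAM_ON" "1"
fi
```

Publish it under its own EA name so the existing "FindMyMac Status" Smart Group criteria keep working; a second Smart Group matching "Enabled, Locked" then lists the machines that need the profile excluded before the user can turn FMM off.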