This worked! Awesome! Thank you!!!!

Worked like a charm! Thank you!

Has anyone tested this in MacOS Sonoma it seems after upgrading it's enabled again

It is working on Sonoma for me. The Turn ON button doesn't do anything when clicked. 

Thanks I also get the same behavior I guess this is new behavior as in Ventura it's just grayed out.

Hi @AHolmdahl, thanks for this small script.

Does it still work?  I have it published in Jamf but the Extension Attribute so it when you look at a machine in inventory is blank

I was able to get it to work using this:

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ];
then echo "<result>Disabled</result>"
else echo "<result>Enabled</result>"
fi

Did you figure out a way around this? I ran the config profile to disable FMM but it just disabled the option. Users that had FMM on still have it on and now we cannot turn it off.

I'm thinking about turning this on for everyone at my org as well. My thought was, yes, maybe those folks that have FMM on won't be able to turn it off, but those individuals could make an IT request and I imagine we could add them to the Exclusion for the Config Profile.

Testing that part out before I scope it to everyone.

Yes, this is basically what I had to do as well. Two profiles, opposites. I remove the user from one scope then add them to the other to allow us to turn off FMM for repair. 

Yes same here, good to know and thanks for sharing! 

Hey, mind sharing your extension attribute or the config setup to get this completed? Would really help out.

@dpwlg use the following EA (name it FindMyMac Status):

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ];
then echo "<result>Disabled</result>"
else echo "<result>Enabled</result>"
fi

Create a Smart Group:

• name: FindMyMac Enabled
• (criteria) FindMyMac Status (operator) is (value) Enabled

Create a Configuration Profile:

• name: Disable iCloud FindMyMac Option
• Application & Custom Settings
  • domain: com.apple.icloud.managed
  • Upload File (copy & paste the following):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>​

• Scope: 
  • Targets: All Managed Clients (or relevant scope for your use case)
  • Exclusions: Smart Group: FindMyMac Enabled

Once the config profile is deployed you will be able to then contact the computers that show in the Smart Group "FindMyMac Enabled" (view > export csv). Once they disable FMM on their machine > have the computer check in to Jamf (sudo jamf recon or wait until next check-in) > It will then move them to the Config Profile and grey out/lock FMM in iCloud settings. 

This was super helpful. Laying it out step by step allowed me to see the process from a high view and then implement very easily. Thank you!

ProfileCreator and iMazing Profile Editor both use this key instead: 

<key>allowCloudFMM</key>
<false/>

iMazing also shows '13.1' in red with an 'x', only for this key, no other ones. Like it's deprecated or something:

Not finding anything when searching developer.apple.com

Guess I'll just have to do some testing, but I want to use whatever best practice is / something that's not going to stop working in the near future.

Just one question: If I just created the EA and in my case, teachers are out for summer when they check in when they get back online will the exclusion list get populated in time for them to be excluded? hope that makes sense.

Can you clarify what you mean by "EA"? Also, do the teacher currently have possession of the managed machines or will they be redeployed when they return?

If the machine is managed, the config profile will get pushed to the machine as soon as it checks in. 

Was referring to workflow above. EA is extension attribute. Was wondering if a smart group built of an EA would happen before the config profiles going out. 

Ah, yes. I would like to say this would work but I can't say for sure as I have no tested that use case on my end. Sry. 

After restarting the device that previously reported On after receiving the profile, FMM still showed On.

Look at using iMazing Profile Editor. It will show which keys are deprecated which is handy. There is another key you can use to restrict Find My. I'm not sure if it will turn it off if it's already on though, I haven't tested that.

<key>DisableFMMiCloudSetting</key> 

The above key is still working.

I noticed the key you mentioned wasn't working as well, and reached out to iMazing and they were super helpful. Unfortunately the deprecation of keys like this isn't documented and the knowledge seems to only get around via word of mouth by the mac admin community :\