Disable Find My Mac

al_c
New Contributor III

I set a Restrictions configuration profile to disable Find My Mac. I ensured that I'm part of the scope and that the config profile actually installed on my machine. My machine is checking in with no problem. However, I'm still able to turn on/off Find My Mac after the Restrictions profile is installed 1fa377625e134d43a7d020bfd31cea1d

Anyone having this issue or recommend a better way of disabling? What scares me the most is a user being able to remote wipe their Mac without IT's consent.

13 REPLIES 13

DBrowning
Valued Contributor

This has been an issue since Catalina. You need to create a manual profile with the following setting. Also, if its already enabled, there is no way to automate to turn it off.

833fef818f5447cba69031a9506a142f

spoe
New Contributor

@DBrowning I need to do this myself. Would you, or someone, share their profile please?

DBrowning
Valued Contributor

hey @spoe everything you need can be seen in the screenshot. You'll need to create a plist file with the below and then upload it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

fredrik_virding
Contributor

@DBrowning

Most epic. Will also try this! Will this help disable "Activation Lock"? Have that set in the Prestage.

DBrowning
Valued Contributor

This will only gray out the option to turn on FindMyMac.

fredrik_virding
Contributor

Cool!

It sure will help alot.

Is the Activation Lock + Find My Mac feature that unreliable?

DBrowning
Valued Contributor

There has been a bug in the payload from Jamf for disabling FindMyMac since Catalina. This is just a way to make sure the option is grayed out like it should be if using the payload in the Jamf Restrictions Payload.

fredrik_virding
Contributor

Ah! I see! Still very nice! Thanks for info and config!

AHolmdahl
New Contributor III

@DBrowning You can create an extension attribute which shows which Macs have "Find My" turned on.

!/bin/bash

Check if "Find My Mac" is enabled

if nvram -xp | grep '<key>fmm-mobileme-token-FMM</key>' > /dev/null 2>&1; then FindMyMac="Enabled" else FindMyMac="Disabled" fi
echo "<result>$FindMyMac</result>"

AHolmdahl
New Contributor III

Then you can purge the FMM tokens from NVRAM:

!/bin/bash

/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Tokens Purged"
exit 0

N.B. It will require a restart for changes to take effect.

DBrowning
Valued Contributor

@AHolmdahl I just manually ran the nvram -d fmm-mobileme-token-FMM command rebooted and FMM is still enabled.

AHolmdahl
New Contributor III

@dbrowning My bad ... the nvram command seems to be deprecated.

Phil_P
New Contributor II

If we push the .plist to disable the Find My Mac button does that mean it will be stuck in the Enabled state for those that already have it turned on? I'm dealing with this headache today on a new laptop from a former employee.