Posted on 03-04-2016 11:39 AM
Hi,
I am rolling out Casper, and I have existing Mac systems in various states. Some users have logged into iCloud and others have not. I would like to find out if anybody has been challenged with logging users out of iCloud and disabling iCloud, disabling Find My Mac, and ensuring iCloud Drive does not connect.
We have alternatives in place for file sharing and cloud storage. Being in the corporate space, preventing the use of iCloud is a measure of security. It is not a problem for newly rolled out and enrolled systems, except for preventing iCloud Drive mounting through methods other than System Preferences.
Posted on 03-04-2016 12:06 PM
For reporting purposes these may be some handy extension attributes:
Find My Mac:
#!/bin/bash
# Purpose: to see if machine is enrolled in Find My Mac
plistBud="/usr/libexec/PlistBuddy"
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
FindMyMac="Not Enabled"
fi
echo "<result>$FindMyMac</result>"
Note: If iCloud has been enabled but Find My Mac has not been enabled yet, then the value it's looking for will not report back correctly. Keep that in mind.
iCloud:
#!/bin/bash
# Purpose: to grab iCloud status
plistBud="/usr/libexec/PlistBuddy"
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
iCloudStatus="Not Enabled"
fi
echo "<result>$iCloudStatus</result>"
For disabling:
As far as disabling, you can try to prevent it but there may be ways around it:
Basically use a config profile to block Internet Accounts and iCloud.
You will probably also want to remove the iCloud Drive from the Finder sidebar. There's a python script someone has created that might come in handy so that it removes it.
Also some other neat articles regarding Find My Mac (in a situation where a user leaves and had Find My Mac enabled):
http://ilostmynotes.blogspot.com/2013/11/disable-find-my-mac-by-modifiying-nvram.html
https://clburlison.com/find-my-mac/
Posted on 03-05-2016 02:48 PM
The below will report if a Mac has been enrolled into FindMyMac:
#!/bin/sh
#
# Will reply Set if Find My Mac is set for this Mac
#
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ];
then
echo "<result>Not Set</result>"
else
echo "<result>Set</result>"
fi
Posted on 03-05-2016 03:12 PM
Thanks for the EAs and the links. I haven't tested yet, and will, but has anyone tried clearing the nvram? Curious how Find My Mac responds for the person who enrolled after this is done.
I will test this out for myself and post my results.
Thank you again for the help.
Posted on 03-05-2016 03:17 PM
@cgolebio This should clear the NVRAM fmm key:
/usr/sbin/nvram -d fmm-mobileme-token-FMM
But I think the Mac will need a restart for it to take effect.
In my imaging workflow I run the below to clear NVRAM:
/usr/sbin/nvram -c
Posted on 03-06-2016 03:29 AM
Has anyone else spoken to Apple about the prospect of adding controls for these to Mac OS X? I notice that there is granular control for iCloud functionality in iOS but, in our instance at least, this is of no use as we have managed OS X devices, but the iOS devices are unmanaged.
Posted on 12-08-2017 08:48 AM
For reference purposes, if you want to disable FMM without requiring a reboot, the following works in 10.13.2. Removing the fmm-computer-name and restarting the FindMyMacd process were not 100% required; however, since they are all related, better safe (plus I didn't test anything older than 10.13).
#!/bin/sh
nvram -d fmm-computer-name
nvram -d fmm-mobileme-token-FMM
killall -HUP findmydeviced
killall -HUP FindMyMacd
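Added example, not part of any post in this thread: an extension attribute that reports on both NVRAM keys named above (fmm-mobileme-token-FMM and fmm-computer-name) by exact variable name, so a Mac where only one key was removed shows up in inventory. It assumes `nvram -p` prints one `name<TAB>value` pair per line; the function names and the `NVRAM` override variable are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify Find My Mac NVRAM state.

# Reads `nvram -p` style lines ("name<TAB>value") on stdin and prints one of:
#   Set                              - the FMM token variable exists
#   Partial: fmm-computer-name only  - token removed, computer name left behind
#   Not Set                          - neither variable exists
# Matching is on the variable name (field 1) only, so the token string
# appearing inside some other variable's value is not counted as enrolled.
fmm_nvram_state() {
    awk -F '\t' '
        $1 == "fmm-mobileme-token-FMM" { token = 1 }
        $1 == "fmm-computer-name"      { name = 1 }
        END {
            if (token)     print "Set"
            else if (name) print "Partial: fmm-computer-name only"
            else           print "Not Set"
        }'
}

# Constructed sample of `nvram -p` output (all values are placeholders):
# the token has been deleted, the computer name has not, and an unrelated
# variable happens to contain the token name in its value.
sample_after_partial_cleanup() {
    printf 'SystemAudioVolume\t%%40\n'
    printf 'fmm-computer-name\tEXAMPLE-MAC\n'
    printf 'example-note\tmentions fmm-mobileme-token-FMM in a value\n'
}

# Hypothetical override so the script can be pointed at another binary.
NVRAM="${NVRAM:-/usr/sbin/nvram}"

# Only query NVRAM where the tool exists (i.e. on a Mac).
if [ -x "$NVRAM" ]; then
    echo "<result>$("$NVRAM" -p | fmm_nvram_state)</result>"
fi
```

On the constructed sample a plain substring grep for the token name would match the unrelated variable and report Set, while the name-only match reports the partial state.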