Jamf Nation Community

Bumping this back to the top, are others seeing the same behavior?

bump

Main intent here is also a bump, but as a sidebar, is there a “Lost Mode” workflow in Catalina similar to on the iOS side? I mostly like that MDM workflow on iOS. I hope something similar exists for Mac.

That being said, I want to make sure I don’t have to fight with activation lock ever on Macs when we start seeing Catalina in the wild.

Just received this from Jamf Support re. the ticket I filed regarding this:

I had a conversation with our principal engineer for MDM, as well as a technical relationship manager who deals directly with Apple. We're able to reproduce those same results on our end.

As it stands, that feature is not functioning for Catalina. I'll be filing a product issue internally for that and our engineers will open an Apple RADAR ticket as it seems to be an issue on the Apple side. For the moment there's not really a workaround, other than staying on Mojave. I'll be tying your case to that issue and you'll receive an automated email when the status of that changes.

Is there any update to this?

No, I have heard nothing unfortunately.

Just been Talking to Jamf Support as well, they have confirmed its a Product Issue PI-007593
Though they are treating it as Minor, I would say this should warrant a higher priority

I agree. Jamf does not seem to be doing much at all about this.

It's a known bug, use this plist as a work around to grey that option out in iCloud using com.apple.icloud.managed.plist :)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

@ricardtolosa Thank you, this worked. In general, how did you know that com.apple.icloud.managed even existed, and what plist settings you could use for it?
I searched the "Configuration Profile Reference PDF" (https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) and it doesn't mention this.
How would one know this existed?

Thanks,
Nathan

@ricardtolosa Thank you!

The above plist works only if the user doesn't already have Find My Mac enabled. It does effectively disable the button to enable it.

Hi @NathanH,
Trial and error and combination of google and the mighty Mac Admins Slack :)
@split.io, this setting will only grey the setting out, not disable it.

Happy to see it works for you both 👍🏻

Can't believe this is still open, JAMF support just sent me to this link after having a Catalina machine locked by Find My Mac... Wouldn't even let me use disk utilities to erase the HDD or delete partition without find my mac pw to re-image the machine... Luckily user provided password however isn't this why us Admin's pay for JAMF PRO in the first place? This definitely warrants a higher priority! This setting is worse than I could have imagined!

@DrewM what version of Jamf Pro are you running? 10.20.0 brought support for Activation Lock on Macs. This, along with a configuration profile scoped to the results of an extension attribute checking for FMM status, allows me to disable FMM via configuration profile for those that don't have it enabled (using the same config as @ricardtolosa above). Activation Lock Bypass takes care of those who do.

It took a while for Jamf to action the feature request around this, but it did eventually happen.

Running Jamf Pro 10.22.1-t1592683582
@jtrant Do you mind providing all the steps needed to setup exactly as noted?
Thank you in advance, this article could use and update if Jamf Support is pointing to it as reference for those encountering FMM Locked machines with Catalina

Check for FMM status:

# This script will check the status of Find My Mac and return 'Enabled' or 'Disabled' as appropriate

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ];
then echo "<result>Disabled</result>"
else echo "<result>Enabled</result>"
fi

Configuration policy to disable FMM (scoped to a smart group based on the results of the above):
Preference domain: com.apple.icloud.managed
PLIST: {DisableFMMiCloudSetting=true}

For Macs with FMM enabled, you'll find the bypass key under Management > Activation Lock Bypass. This should already have been the case with the Mac you encountered, unless it has not inventoried since the feature was enabled.

Just to point out, this is not a Jamf KB article, it's a forum post so Jamf will not update/maintain it.

I noticed I was unable to disable Activation Lock using the command on my Catalina machines, so I got in touch with Jamf and learned about: PI-008558 ("Unable to Prevent or Disable Activation Lock on macOS Catalina"). I haven't tested the prestage settting but according to Jamf that is not currently working either. I have not tested the bypass code.

Disabling Activation Lock using a Restrictions MDM payload doesn't work, but I've had no issues with the method above which greys out that particular checkbox in iCloud settings.

The .plist that @ricardtolosa provided above doesn't disable the Find My Mac iCloud setting for me in the macOS Catalina 10.15.6 GM candidate. Is anyone else seeing this? Or seeing it work in 10.15.5? (in which case there may be a regression in 10.15.6)

Yes this plist option isnt working for me in 10.15.6 anymore.

This seems to still be an issue in 11.0.1

There's multiple keys required. However it won't disable it if it's been enabled.

If you check out the macOS Security Compliance Project - Here's the rule file with the domain and keys required to lock it off. It wont disable it if it's already on but it'll disable the ability to turn it on.
https://github.com/usnistgov/macos_security/blob/main/rules/sysprefs/sysprefs_find_my_disable.yaml

Is this fixed? I cant get this working tried using the @ricardtolosa plist but when user now logs in for first time in icloud find my is automatically on and plist make it greyed out so user cant turn it off. Im testing this on BigSur 11.2.3

Its the same in macOS Monterey 12.0.1 with Jamf Pro 10.33. Unable to disable Find My Mac with Configuration Profiles.