Posted on 10-16-2019 01:53 PM
The Configuration Profile option to not allow Find My Mac appears to not work at all in Catalina. Is everyone else seeing this?
Where I have the option greyed out in Mojave, I can set up Find My Mac in Catalina with no issue whatsoever.
Posted on 10-16-2019 02:27 PM
Following
Posted on 10-17-2019 08:27 AM
Bumping this back to the top, are others seeing the same behavior?
Posted on 10-18-2019 09:07 AM
bump
Posted on 10-18-2019 09:41 AM
Main intent here is also a bump, but as a sidebar, is there a “Lost Mode” workflow in Catalina similar to on the iOS side? I mostly like that MDM workflow on iOS. I hope something similar exists for Mac.
That being said, I want to make sure I don’t have to fight with activation lock ever on Macs when we start seeing Catalina in the wild.
Posted on 10-18-2019 12:33 PM
Just received this from Jamf Support re. the ticket I filed regarding this:
I had a conversation with our principal engineer for MDM, as well as a technical relationship manager who deals directly with Apple. We're able to reproduce those same results on our end.
As it stands, that feature is not functioning for Catalina. I'll be filing a product issue internally for that and our engineers will open an Apple RADAR ticket as it seems to be an issue on the Apple side. For the moment there's not really a workaround, other than staying on Mojave. I'll be tying your case to that issue and you'll receive an automated email when the status of that changes.
Posted on 12-18-2019 09:38 AM
Is there any update to this?
Posted on 01-08-2020 08:58 AM
No, I have heard nothing unfortunately.
Posted on 01-09-2020 10:57 AM
Just been talking to Jamf Support as well; they have confirmed it's a Product Issue, PI-007593.
Though they are treating it as Minor, I would say this should warrant a higher priority
Posted on 01-10-2020 09:48 AM
I agree. Jamf does not seem to be doing much at all about this.
Posted on 01-13-2020 03:17 AM
It's a known bug; use this plist as a workaround to grey that option out in iCloud using com.apple.icloud.managed.plist :)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisableFMMiCloudSetting</key>
<true/>
</dict>
</plist>
Posted on 01-16-2020 02:56 PM
@ricardtolosa Thank you, this worked.
In general, how did you know that com.apple.icloud.managed even existed, and what plist settings you could use for it?
I searched the "Configuration Profile Reference PDF" (https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) and it doesn't mention this.
How would one know this existed?
Thanks,
Nathan
Posted on 01-24-2020 12:04 PM
@ricardtolosa Thank you!
The above plist works only if the user doesn't already have Find My Mac enabled. It does effectively disable the button to enable it.
Posted on 01-25-2020 02:35 AM
Posted on 07-08-2020 11:25 AM
Can't believe this is still open. JAMF support just sent me to this link after having a Catalina machine locked by Find My Mac... Wouldn't even let me use disk utilities to erase the HDD or delete a partition without the Find My Mac pw to re-image the machine... Luckily the user provided the password; however, isn't this why we admins pay for JAMF PRO in the first place? This definitely warrants a higher priority! This setting is worse than I could have imagined!
Posted on 07-08-2020 12:39 PM
@DrewM what version of Jamf Pro are you running? 10.20.0 brought support for Activation Lock on Macs. This, along with a configuration profile scoped to the results of an extension attribute checking for FMM status, allows me to disable FMM via configuration profile for those that don't have it enabled (using the same config as @ricardtolosa above). Activation Lock Bypass takes care of those who do.
It took a while for Jamf to action the feature request around this, but it did eventually happen.
Posted on 07-08-2020 12:48 PM
Running Jamf Pro 10.22.1-t1592683582
@jtrant Do you mind providing all the steps needed to set up exactly as noted?
Thank you in advance. This article could use an update if Jamf Support is pointing to it as a reference for those encountering FMM-locked machines with Catalina.
Posted on 07-08-2020 01:27 PM
Check for FMM status:
#!/bin/sh
# This script will check the status of Find My Mac and return 'Enabled' or 'Disabled' as appropriate
# An empty match means no Find My Mac token was found in NVRAM
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi
Configuration policy to disable FMM (scoped to a smart group based on the results of the above):
Preference domain: com.apple.icloud.managed
PLIST: {DisableFMMiCloudSetting=true}
For Macs with FMM enabled, you'll find the bypass key under Management > Activation Lock Bypass. This should already have been the case with the Mac you encountered, unless it has not inventoried since the feature was enabled.
Just to point out, this is not a Jamf KB article, it's a forum post so Jamf will not update/maintain it.
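An added example, not part of the original post and not Jamf's own code: a variant of the extension attribute above that also reads the managed preference, so smart groups can separate Macs that still need the profile from Macs where Find My Mac was already on when the profile landed. The function names and the four result strings are assumptions made for this sketch; the managed preference is read from /Library/Managed Preferences.

```shell
#!/bin/sh
# Added example: four-state Find My Mac extension attribute.
# Function names and result strings are illustrative, not Jamf-defined.

# Return 0 if the NVRAM dump in $1 contains the Find My Mac token variable.
fmm_token_present() {
    case "$1" in
        *fmm-mobileme-token-FMM*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is a truthy value as printed by `defaults read` for a boolean.
pref_is_set() {
    case "$1" in
        1|true|TRUE|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = output of `nvram -x -p`
# $2 = value of DisableFMMiCloudSetting in com.apple.icloud.managed (may be empty)
classify_fmm() {
    if fmm_token_present "$1"; then
        # FMM is on: the profile cannot turn it off, so these Macs rely on
        # the Activation Lock Bypass key held in Jamf Pro.
        if pref_is_set "$2"; then echo "Enabled-ProfilePresent"; else echo "Enabled"; fi
    else
        # FMM is off: the profile should be present to grey the checkbox out.
        if pref_is_set "$2"; then echo "Disabled-ProfilePresent"; else echo "Disabled-NoProfile"; fi
    fi
}

# Only query the real system on macOS; elsewhere the functions can be
# exercised with constructed input.
if [ "$(uname -s)" = "Darwin" ]; then
    nvram_dump=$(/usr/sbin/nvram -x -p 2>/dev/null || true)
    pref=$(/usr/bin/defaults read "/Library/Managed Preferences/com.apple.icloud.managed" \
        DisableFMMiCloudSetting 2>/dev/null || true)
    echo "<result>$(classify_fmm "$nvram_dump" "$pref")</result>"
fi
```

A smart group on "Disabled-NoProfile" is the scope for the profile; "Enabled-ProfilePresent" flags Macs where the checkbox is greyed out while Find My Mac is still on.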
Posted on 07-09-2020 09:32 AM
I noticed I was unable to disable Activation Lock using the command on my Catalina machines, so I got in touch with Jamf and learned about: PI-008558 ("Unable to Prevent or Disable Activation Lock on macOS Catalina"). I haven't tested the prestage setting but according to Jamf that is not currently working either. I have not tested the bypass code.
Posted on 07-09-2020 11:53 AM
Disabling Activation Lock using a Restrictions MDM payload doesn't work, but I've had no issues with the method above which greys out that particular checkbox in iCloud settings.
Posted on 07-12-2020 12:11 PM
The .plist that @ricardtolosa provided above doesn't disable the Find My Mac iCloud setting for me in the macOS Catalina 10.15.6 GM candidate. Is anyone else seeing this? Or seeing it work in 10.15.5? (in which case there may be a regression in 10.15.6)
Posted on 09-03-2020 07:23 PM
Yes, this plist option isn't working for me in 10.15.6 anymore.
Posted on 11-20-2020 04:06 AM
This seems to still be an issue in 11.0.1
Posted on 11-20-2020 06:35 AM
There are multiple keys required. However, it won't disable it if it's been enabled.
If you check out the macOS Security Compliance Project, here's the rule file with the domain and keys required to lock it off. It won't disable it if it's already on, but it'll disable the ability to turn it on.
https://github.com/usnistgov/macos_security/blob/main/rules/sysprefs/sysprefs_find_my_disable.yaml
Posted on 04-16-2021 02:02 AM
Is this fixed? I can't get this working. I tried using the @ricardtolosa plist, but now when a user logs in to iCloud for the first time, Find My is automatically on and the plist makes it greyed out, so the user can't turn it off. I'm testing this on Big Sur 11.2.3.
Posted on 11-26-2021 12:22 AM
It's the same in macOS Monterey 12.0.1 with Jamf Pro 10.33. Unable to disable Find My Mac with Configuration Profiles.