Find My Mac Config Profile Block not working in Catalina

ocla__09
Contributor

The Configuration Profile option to not allow Find My Mac appears to not work at all in Catalina. Is everyone else seeing this?

Where I have the option greyed out in Mojave, I can set up Find My Mac in Catalina with no issue whatsoever.

24 REPLIES

Cayde-6
Valued Contributor

Following

ocla__09
Contributor

Bumping this back to the top, are others seeing the same behavior?

ocla__09
Contributor

bump

blackholemac
Valued Contributor III

Main intent here is also a bump, but as a sidebar, is there a “Lost Mode” workflow in Catalina similar to on the iOS side? I mostly like that MDM workflow on iOS. I hope something similar exists for Mac.

That being said, I want to make sure I don’t have to fight with activation lock ever on Macs when we start seeing Catalina in the wild.

ocla__09
Contributor

Just received this from Jamf Support re. the ticket I filed regarding this:

I had a conversation with our principal engineer for MDM, as well as a technical relationship manager who deals directly with Apple. We're able to reproduce those same results on our end.

As it stands, that feature is not functioning for Catalina. I'll be filing a product issue internally for that and our engineers will open an Apple RADAR ticket as it seems to be an issue on the Apple side. For the moment there's not really a workaround, other than staying on Mojave. I'll be tying your case to that issue and you'll receive an automated email when the status of that changes.

NathanH
New Contributor

Is there any update to this?

ocla__09
Contributor

No, I have heard nothing unfortunately.

andrewburns
New Contributor

Just been talking to Jamf Support as well; they have confirmed it's a Product Issue, PI-007593.
Though they are treating it as Minor, I would say this should warrant a higher priority.

MikeF
Contributor II

I agree. Jamf does not seem to be doing much at all about this.

ricardtolosa
New Contributor III

It's a known bug. Use this plist as a workaround to grey that option out in iCloud, using com.apple.icloud.managed.plist 🙂

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>DisableFMMiCloudSetting</key>
        <true/>
    </dict>
</plist>

NathanH
New Contributor

@ricardtolosa Thank you, this worked. In general, how did you know that com.apple.icloud.managed even existed, and what plist settings you could use for it?
I searched the "Configuration Profile Reference PDF" (https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) and it doesn't mention this.
How would one know this existed?

Thanks,
Nathan

split_io
New Contributor

@ricardtolosa Thank you!

The above plist works only if the user doesn't already have Find My Mac enabled. It does effectively disable the button to enable it.

ricardtolosa
New Contributor III

Hi @NathanH,
Trial and error and a combination of Google and the mighty Mac Admins Slack 🙂
@split.io, this setting will only grey the setting out, not disable it.

Happy to see it works for you both 👍🏻

DrewM
New Contributor

Can't believe this is still open. JAMF support just sent me to this link after having a Catalina machine locked by Find My Mac... Wouldn't even let me use disk utilities to erase the HDD or delete the partition without the Find My Mac pw to re-image the machine... Luckily the user provided the password; however, isn't this why us admins pay for JAMF PRO in the first place? This definitely warrants a higher priority! This setting is worse than I could have imagined!

jtrant
Contributor III

@DrewM what version of Jamf Pro are you running? 10.20.0 brought support for Activation Lock on Macs. This, along with a configuration profile scoped to the results of an extension attribute checking for FMM status, allows me to disable FMM via configuration profile for those that don't have it enabled (using the same config as @ricardtolosa above). Activation Lock Bypass takes care of those who do.

It took a while for Jamf to action the feature request around this, but it did eventually happen.

DrewM
New Contributor

Running Jamf Pro 10.22.1-t1592683582
@jtrant Do you mind providing all the steps needed to set up exactly as noted?
Thank you in advance, this article could use an update if Jamf Support is pointing to it as reference for those encountering FMM Locked machines with Catalina.

jtrant
Contributor III

Check for FMM status:

#!/bin/sh
# This script will check the status of Find My Mac and return 'Enabled' or 'Disabled' as appropriate.
# It looks for the fmm-mobileme-token-FMM variable in the NVRAM dump.

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi

Configuration policy to disable FMM (scoped to a smart group based on the results of the above):
Preference domain: com.apple.icloud.managed
PLIST: {DisableFMMiCloudSetting=true}

For Macs with FMM enabled, you'll find the bypass key under Management > Activation Lock Bypass. This should already have been the case with the Mac you encountered, unless it has not inventoried since the feature was enabled.

Just to point out, this is not a Jamf KB article, it's a forum post so Jamf will not update/maintain it.
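
An added example, not part of the post above and not Jamf's code: an extension attribute that combines the NVRAM check with a check that the DisableFMMiCloudSetting key has actually been delivered, so a smart group can separate Macs that need the bypass code from Macs where FMM is off but still unblocked. The managed-preferences path, the function names and the result strings are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report FMM state together with whether the
# com.apple.icloud.managed block has been delivered to this Mac.

# Assumption: MDM-delivered preferences are readable at this path.
MANAGED_PLIST="/Library/Managed Preferences/com.apple.icloud.managed.plist"

# Print "true" if DisableFMMiCloudSetting is <true/> in the given plist.
fmm_block_applied() {
    plist="$1"
    [ -f "$plist" ] || { echo "false"; return; }
    if [ -x /usr/bin/defaults ]; then
        # macOS: defaults reads XML and binary plists; true prints as 1.
        val=$(/usr/bin/defaults read "${plist%.plist}" DisableFMMiCloudSetting 2>/dev/null)
        [ "$val" = "1" ] && echo "true" || echo "false"
    else
        # Fallback for XML plists only: the value tag follows the key tag.
        tr -d ' \t\n' < "$plist" |
            grep -q '<key>DisableFMMiCloudSetting</key><true/>' &&
            echo "true" || echo "false"
    fi
}

# Classify a Mac from an NVRAM dump (text) and a managed plist path.
classify_fmm() {
    nvram_dump="$1"
    plist="$2"
    if printf '%s\n' "$nvram_dump" | grep -q 'fmm-mobileme-token-FMM'; then
        # The key only greys the checkbox out; it does not turn FMM off.
        echo "Enabled"
    elif [ "$(fmm_block_applied "$plist")" = "true" ]; then
        # Key delivered. This does not prove the OS version honors it.
        echo "Disabled-Blocked"
    else
        # FMM is off, but nothing stops the user from enabling it.
        echo "Disabled-Unblocked"
    fi
}

# Live run as an extension attribute (only where nvram is available).
if [ -x /usr/sbin/nvram ]; then
    echo "<result>$(classify_fmm "$(/usr/sbin/nvram -x -p)" "$MANAGED_PLIST")</result>"
fi
```

Macs reporting Disabled-Unblocked are the ones to watch, since they can still end up with FMM on.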

mapurcel
Contributor II

I noticed I was unable to disable Activation Lock using the command on my Catalina machines, so I got in touch with Jamf and learned about: PI-008558 ("Unable to Prevent or Disable Activation Lock on macOS Catalina"). I haven't tested the prestage setting but according to Jamf that is not currently working either. I have not tested the bypass code.

jtrant
Contributor III

Disabling Activation Lock using a Restrictions MDM payload doesn't work, but I've had no issues with the method above which greys out that particular checkbox in iCloud settings.

sdagley
Honored Contributor II

The .plist that @ricardtolosa provided above doesn't disable the Find My Mac iCloud setting for me in the macOS Catalina 10.15.6 GM candidate. Is anyone else seeing this? Or seeing it work in 10.15.5? (in which case there may be a regression in 10.15.6)

wILLwILL2
New Contributor II

Yes, this plist option isn't working for me in 10.15.6 anymore.

DBrowning
Valued Contributor

This seems to still be an issue in 11.0.1

boberito
Valued Contributor

There are multiple keys required. However, it won't disable it if it's been enabled.

If you check out the macOS Security Compliance Project, here's the rule file with the domain and keys required to lock it off. It won't disable it if it's already on, but it'll disable the ability to turn it on.
https://github.com/usnistgov/macos_security/blob/main/rules/sysprefs/sysprefs_find_my_disable.yaml

RygielskiBartos
New Contributor II

Is this fixed? I can't get this working. I tried using the @ricardtolosa plist, but now when a user logs in to iCloud for the first time, Find My is automatically on and the plist makes it greyed out so the user can't turn it off. I'm testing this on Big Sur 11.2.3.