The Configuration Profile option to not allow Find My Mac appears to not work at all in Catalina. Is everyone else seeing this?
Where I have the option greyed out in Mojave, I can set up Find My Mac in Catalina with no issue whatsoever.
Main intent here is also a bump, but as a sidebar, is there a “Lost Mode” workflow in Catalina similar to on the iOS side? I mostly like that MDM workflow on iOS. I hope something similar exists for Mac.
That being said, I want to make sure I don’t have to fight with activation lock ever on Macs when we start seeing Catalina in the wild.
Just received this from Jamf Support re. the ticket I filed regarding this:
I had a conversation with our principal engineer for MDM, as well as a technical relationship manager who deals directly with Apple. We're able to reproduce those same results on our end.
As it stands, that feature is not functioning for Catalina. I'll be filing a product issue internally for that and our engineers will open an Apple RADAR ticket as it seems to be an issue on the Apple side. For the moment there's not really a workaround, other than staying on Mojave. I'll be tying your case to that issue and you'll receive an automated email when the status of that changes.
It's a known bug, use this plist as a workaround to grey that option out in iCloud using com.apple.icloud.managed.plist 🙂

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisableFMMiCloudSetting</key>
    <true/>
</dict>
</plist>
```
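To deploy the key above outside Jamf's Custom Settings upload (for testing with `profiles install`, or for another MDM), it has to be wrapped in a complete .mobileconfig. The script below is an added example, not code from this thread; the profile name and the `com.example.fmm.disable` identifiers are placeholders, and the MCX `Forced` / `mcx_preference_settings` container is the form Jamf produces for a Custom Settings payload.

```bash
#!/bin/sh
# Added example (not from the thread): wrap the com.apple.icloud.managed
# DisableFMMiCloudSetting key in a complete configuration profile so it can be
# installed with `profiles install` or uploaded to an MDM.
# PayloadIdentifier values and the display name are placeholders; change them.

# new_uuid: uuidgen on macOS, kernel UUID source on Linux (for off-box use).
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr '[:lower:]' '[:upper:]'
  else
    tr '[:lower:]' '[:upper:]' < /proc/sys/kernel/random/uuid
  fi
}

# fmm_profile [PROFILE_UUID] [PAYLOAD_UUID]
# Prints a profile that forces DisableFMMiCloudSetting=true in the
# com.apple.icloud.managed domain. PayloadScope System makes it a device
# profile, which is what a managed-preference domain needs.
fmm_profile() {
  profile_uuid=${1:-$(new_uuid)}
  payload_uuid=${2:-$(new_uuid)}
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>com.apple.icloud.managed</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>DisableFMMiCloudSetting</key>
                <true/>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.example.fmm.disable.${payload_uuid}</string>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadUUID</key>
      <string>${payload_uuid}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Disable Find My Mac setup</string>
  <key>PayloadIdentifier</key>
  <string>com.example.fmm.disable</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>${profile_uuid}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# On a Mac:  fmm_profile > DisableFMM.mobileconfig
#            plutil -lint DisableFMM.mobileconfig
#            sudo profiles install -path DisableFMM.mobileconfig
```

After installing, `defaults read "/Library/Managed Preferences/com.apple.icloud.managed" DisableFMMiCloudSetting` should print `1`; as the thread notes, this only greys out the setup control and does not turn off Find My Mac where it is already on.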
@ricardtolosa Thank you, this worked.
In general, how did you know that com.apple.icloud.managed even existed, and what plist settings you could use for it?
I searched the "Configuration Profile Reference PDF" (https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf) and it doesn't mention this.
How would one know this existed?
Can't believe this is still open. JAMF support just sent me to this link after having a Catalina machine locked by Find My Mac... Wouldn't even let me use Disk Utility to erase the HDD or delete the partition without the Find My Mac password to re-image the machine... Luckily the user provided the password; however, isn't this why we admins pay for JAMF PRO in the first place? This definitely warrants a higher priority! This setting is worse than I could have imagined!
@DrewM what version of Jamf Pro are you running? 10.20.0 brought support for Activation Lock on Macs. This, along with a configuration profile scoped to the results of an extension attribute checking for FMM status, allows me to disable FMM via configuration profile for those that don't have it enabled (using the same config as @ricardtolosa above). Activation Lock Bypass takes care of those who do.
It took a while for Jamf to action the feature request around this, but it did eventually happen.
Check for FMM status:
```bash
#!/bin/sh
# This script will check the status of Find My Mac and return 'Enabled' or 'Disabled' as appropriate.
# `nvram -x -p` dumps all NVRAM variables as an XML plist; a Mac with Find My Mac on
# carries an fmm-mobileme-token-FMM variable.
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi
```
Configuration policy to disable FMM (scoped to a smart group based on the results of the above):
For Macs with FMM enabled, you'll find the bypass key under Management > Activation Lock Bypass. This should already have been the case with the Mac you encountered, unless it has not inventoried since the feature was enabled.
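The scoping described above needs more than one bit of state: a Mac that already has Find My Mac on cannot be fixed by the profile and needs the bypass code, while a Mac that is off but not yet under the profile is the one to scope. The extension attribute below is an added example, not the post's own, and folds the NVRAM token check together with the managed-preference check into one result string; the three result labels are my own choice, and the helpers take their input as arguments so the classification can be tested off-box (the real collection commands are at the bottom).

```bash
#!/bin/sh
# Added example (not from the thread): a Find My Mac extension attribute that
# reports one of three states for smart-group scoping.
#   Enabled      FMM is on; the profile cannot turn it off, use the Activation
#                Lock bypass code from Management > Activation Lock Bypass.
#   Unprotected  FMM is off and a user could still turn it on: scope the
#                com.apple.icloud.managed profile here.
#   Blocked      FMM is off and DisableFMMiCloudSetting is already in force.

# has_fmm_token: reads an `nvram -x -p` (XML) or `nvram -p` dump on stdin and
# succeeds if the fmm-mobileme-token-FMM variable is present.
has_fmm_token() {
  grep -q 'fmm-mobileme-token-FMM'
}

# fmm_blocked VALUE: VALUE is what `defaults read` printed for
# DisableFMMiCloudSetting under /Library/Managed Preferences ("1" when the
# profile is applied, empty when the key or file is missing).
fmm_blocked() {
  case "$1" in
    1|true|YES) return 0 ;;
    *) return 1 ;;
  esac
}

# classify TOKEN_PRESENT(0/1) BLOCKED(0/1): prints the result label.
classify() {
  if [ "$1" -eq 1 ]; then
    echo "Enabled"
  elif [ "$2" -eq 1 ]; then
    echo "Blocked"
  else
    echo "Unprotected"
  fi
}

# fmm_state NVRAM_DUMP DEFAULTS_VALUE: glue the checks for one Mac.
fmm_state() {
  if printf '%s\n' "$1" | has_fmm_token; then t=1; else t=0; fi
  if fmm_blocked "$2"; then b=1; else b=0; fi
  classify "$t" "$b"
}

# On a Mac, run as the extension attribute body (uncomment):
# dump=$(/usr/sbin/nvram -x -p 2>/dev/null)
# val=$(/usr/bin/defaults read "/Library/Managed Preferences/com.apple.icloud.managed" DisableFMMiCloudSetting 2>/dev/null)
# echo "<result>$(fmm_state "$dump" "$val")</result>"
```

Scope the disabling profile to a smart group on `Unprotected`, and use `Enabled` as the list of Macs whose bypass code you want on hand before any re-image.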
Just to point out, this is not a Jamf KB article, it's a forum post so Jamf will not update/maintain it.
I noticed I was unable to disable Activation Lock using the command on my Catalina machines, so I got in touch with Jamf and learned about PI-008558 ("Unable to Prevent or Disable Activation Lock on macOS Catalina"). I haven't tested the PreStage setting, but according to Jamf that is not currently working either. I have not tested the bypass code.
There's multiple keys required. However it won't disable it if it's been enabled.
If you check out the macOS Security Compliance Project, here's the rule file with the domain and keys required to lock it off. It won't disable it if it's already on, but it'll disable the ability to turn it on.