Find My Mac, Locked Device and Future Prevention

TomDay
Release Candidate Programs Tester

So we might be learning this lesson the hard way, but we have an Air that a student has locked via his iCloud account and does not know the code. We've been fighting with Apple support and GSX to get it unlocked but in the interim we've begun discussing how to prevent this in the future. Only way I really see would be to disable the iCloud preference pane (configuration profile I assume?), correct? If that is the case, then you are debating the cost benefit of them being able to utilize the iCloud features against locking and wiping a device as well.

If we go the route of disabling the iCloud pref pane, a user could still enable this during an OS upgrade too, right?

Finally, wondering if there is an extension attribute or another way to query all my devices to see who has iCloud enabled on their laptops?



bpavlov
Honored Contributor

Some food for thought, because we've considered it. iCloud can be set up in two preference panes: iCloud and Internet Accounts. So if you make use of Mail/Contacts/Calendar, forget about blocking the iCloud sys pane. It might deter an end user but not fully prevent iCloud on the computer.

I briefly recall looking at how to determine whether iCloud is on a computer. At least in 10.10 the couple of minutes of research showed a lot of different results, but it looks like some of that info may be located in ~/Library/Preferences/MobileMeAccounts.plist. The research consisted of me using Composer, doing a NEW & MODIFIED SNAPSHOT and in between turning on iCloud with all services to see what changes on the computer. There may be better ways to deal with it though.

Another thing you can do, if the concern is the computer being tied to the Find My Mac feature on their iCloud account: I believe it's tied to NVRAM and can be cleared out after a re-image. You might even be able to do some reporting based off this.

These two links might be a good start.
http://ilostmynotes.blogspot.com/2013/11/disable-find-my-mac-by-modifiying-nvram.html

https://clburlison.com/find-my-mac/

Hopefully this info is somewhat helpful and can get you started. Curious to see what others reply with.

stevewood
Honored Contributor II

@TomDay I cannot speak to how to disable the ability to enable FMM, but I can help with the Extension Attribute. The following should give you the status of iCloud and FMM. You may want to break these into two separate EAs so that you can scope to FMM:

#!/bin/bash

# Purpose: to grab iCloud status and see if machine is enrolled in Find My Mac

plistBud="/usr/libexec/PlistBuddy"

# Determine the console (logged-in) user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`

echo "<result>iCloud: $iCloudStatus  FMM: $FindMyMac</result>"

I have to give credit to @andrewseago for this, as I used his EA to get Keychain Sync and iCloud Doc Sync status to get the idea for this.

As always, test, test, test.

stevewood
Honored Contributor II

I did some more testing of my own, and found that if iCloud was not enabled at all the MobileMeAccounts.plist file did not exist, so I wanted to update what I have:

#!/bin/bash

# Purpose: to grab iCloud status

plistBud="/usr/libexec/PlistBuddy"

# Determine the console (logged-in) user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
    iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
    iCloudStatus="Not Enabled"
fi

echo "<result>$iCloudStatus</result>"

And for Find My Mac:

#!/bin/bash

# Purpose: to see if machine is enrolled in Find My Mac

plistBud="/usr/libexec/PlistBuddy"

# Determine the console (logged-in) user
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
    FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
    FindMyMac="Not Enabled"
fi

echo "<result>$FindMyMac</result>"

TomDay
Release Candidate Programs Tester

@bpavlov Thanks I'll look at both panes; iCloud and Internet Accounts

@stevewood Perfect, thanks for those EAs! Testing them out now; I just have to play with the smart group settings. I don't think I have the values set right for the criteria, as I'm getting hits on computers I know don't have FMM or iCloud enabled.

stevewood
Honored Contributor II

@TomDay Breaking out each into its own EA, like I posted in my last post, will help with SG creation. The Smart Group for each should just be looking for a true value. So I set up an "iCloud On" SG with the following criteria:

[screenshot of the Smart Group criteria]

And that found the machines in our environment that have iCloud turned on. You would use the same logic for Find My Mac.

TomDay
Release Candidate Programs Tester

Ah @stevewood, "True" is what I needed! Working perfectly now, thanks!

bpavlov
Honored Contributor

Just a small note and something to be aware of:

If a user sets up an iCloud account for the first time, but does not enable Find My Mac from the beginning, then it will not have a value that you can pick up on from that plist. In other words, the file MobileMeAccounts.plist will exist but it won't be able to print anything related to Find My Mac because the Enabled key won't exist. If you enable it and then disable it, it will report False, but not before it has been enabled at least once, it seems.
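As an added example (not code from this thread), here is a Python 3 reader for MobileMeAccounts.plist that handles all three states the posts above describe: no plist at all, an account whose Find My Mac Enabled key was never written, and the FMM service not sitting at :Services:11. It assumes python3 is available on the Mac and that the FMM service entry is identified by Name == "FIND_MY_MAC"; both are assumptions, not facts from the page.

```python
"""MobileMeAccounts.plist reader that tolerates the edge cases raised in this thread."""
import os
import plistlib
import sys

# Assumption (not stated on the page): the Find My Mac entry in the Services
# array carries Name == "FIND_MY_MAC". Matching on the name avoids hard-coding
# :Services:11 as the EAs above do.
FMM_SERVICE_NAME = "FIND_MY_MAC"


def load_plist(path):
    """Raw plist bytes, or None when the file does not exist (iCloud never used)."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def first_account(plist_bytes):
    """Accounts:0 as a dict, or None if there is no plist or no account in it."""
    if plist_bytes is None:
        return None
    accounts = plistlib.loads(plist_bytes).get("Accounts", [])
    return accounts[0] if accounts else None


def icloud_status(plist_bytes):
    """'True'/'False' from :Accounts:0:LoggedIn, else 'Not Enabled'."""
    account = first_account(plist_bytes)
    return "Not Enabled" if account is None else str(bool(account.get("LoggedIn", False)))


def fmm_status(plist_bytes):
    """'True'/'False' from the FMM service's Enabled key; 'Not Enabled' when the
    plist, the account, the service, or the Enabled key itself is absent."""
    for service in (first_account(plist_bytes) or {}).get("Services", []):
        if service.get("Name") == FMM_SERVICE_NAME and "Enabled" in service:
            return str(bool(service["Enabled"]))
    return "Not Enabled"


# Constructed sample plists for offline checks (not captured from a real Mac).
FMM_ON = plistlib.dumps({"Accounts": [{"LoggedIn": True, "Services": [
    {"Name": "MOBILE_DOCUMENTS", "Enabled": True}, {"Name": FMM_SERVICE_NAME, "Enabled": True}]}]})
FMM_NEVER_SET = plistlib.dumps({"Accounts": [{"LoggedIn": True, "Services": [
    {"Name": "MOBILE_DOCUMENTS", "Enabled": True}, {"Name": FMM_SERVICE_NAME}]}]})

if __name__ == "__main__":  # run as an EA: python3 script.py <console user>
    user = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USER", "")
    raw = load_plist(f"/Users/{user}/Library/Preferences/MobileMeAccounts.plist")
    print(f"<result>iCloud: {icloud_status(raw)}  FMM: {fmm_status(raw)}</result>")
```

A Smart Group keyed on the literal value True therefore excludes both the never-signed-in and never-enabled cases, which both report Not Enabled rather than an error.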

gurduv
New Contributor III

Here's my take on the FMM EA, which checks NVRAM to see if FMM was enabled. Downside is that when a Mac is formatted the NVRAM record stays until NVRAM is reset:

#!/bin/sh
# to see if machine is enrolled in Find My Mac

if [ $(nvram -p | grep -c 'fmm-mobileme-token-FMM') -eq 0 ]; then
    FindMyMac="Not Enabled"
else
    FindMyMac="Enabled"
fi

echo "<result>$FindMyMac</result>"

dgreening
Valued Contributor II

I have been purging the FMM token from NVRAM as part of our Imaging setup script in order to avoid this issue.

#!/bin/sh
# Purge any Find My Mac tokens from NVRAM

/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Token Purged"

gurduv
New Contributor III

@dgreening Great idea, I'll use it.

spraguga
Contributor

@dgreening Does this still work if the user has left the company and has enabled the iCloud lock on the computer? Or does this still require a ticket to Apple to unlock?

sdagley
Esteemed Contributor II

It appears that /usr/sbin/nvram -d fmm-mobileme-token-FMM no longer works, or at least doesn't work in macOS Catalina. Anyone found a method that does?

MikeF
Contributor II

What we have been using for this is a terminal command. We reformat all of our Macs when they come back from a user. We found that while doing this we just open Terminal and run this command:
nvram -c
On the next reboot it will clear the NVRAM and clear the Find My Mac flag.
We have also found this to work if the user runs this. If the Find My Mac flag is set, run this and it updates on the next reboot.