Jamf Nation Community

@TomDay I cannot speak to how to disable the ability to enable FMM, but I can help with the Extension Attribute. The following should give you the status of iCloud and FMM. You may want to break these into to separate EAs so that you can scope to FMM:

#!/bin/bash

# Purpose: to grab iCloud status and see if machine is enrolled in Find My Mac

plistBud="/usr/libexec/PlistBuddy"

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`

echo "<result>iCloud: $iCloudStatus  FMM: $FindMyMac</result>"

I have to give credit to @andrewseago for this, as I used his EA to get Keychain Sync and iCloud Doc Sync status to get the idea for this.

As always, test, test, test.

@bpavlov Thanks I'll look at both panes; iCloud and Internet Accounts

@stevewood Perfect thanks for those EAs! testing them out now, just have to play with the smart group settings. I don't think I have the values set right for the criteria, getting hits on computers I know don't have FMM or iCloud enabled on.

@TomDay Breaking out each into their own EA, like I posted in my last post, will help with SG creation. The Smart Group for each should just be looking for a true value. So I setup an "iCloud On" SG with the following criteria:

optional image ALT text

And that found the machines in our environment that have iCloud turned on. You would use the same logic for Find My Mac.

Ah @stevewood , "True", is what I needed!. Working perfectly now, thanks!

Just a small note and something to be aware of:

If a user setups an iCloud account for the first time, but does not enable Find My Mac from the beginning, then it will not have a value that you can pick up on from that plist. In other words, the file MobileMeAccounts.plist will exist but it won't be able to print anything related to Find My Mac because the Enabled key won't exist. If you enable it and then disable it, it will report False, but not before it has been enabled at least once it seems.

Here's my take of the FFM EA, which check the NVRam to see if FFM was enabled. Downside is that when a Mac is formatted the NVRam record stays until NVRam is reseted :

#!/bin/sh
# to see if machine is enrolled in Find My Mac

    if [ $(nvram -p | grep -c 'fmm-mobileme-token-FMM') -eq 0 ]; then 
        FindMyMac="Not Enabled"
    else
        FindMyMac="Enabled"
    fi

echo "<result>$FindMyMac</result>"

I have been purging the FMM token from NVRAM as part of our Imaging setup script in order to avoid this issue.

#!/bin/sh
# Purge any Find My Mac tokens from NVRAM

/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Token Purged"

@dgreening Great idea, I'll use it.

@dgreening Does this still work if the user has left the company and has enabled the iCloud lock on the computer? Or does this still require a ticket to Apple to unlock?

It appears that /usr/sbin/nvram -d fmm-mobileme-token-FMM no longer works, or at least doesn't work in macOS Catalina. Anyone found a method that does?

What we have been using for this was a terminal command. We reformat all of our macs when they come back from a user. We found that while doing this we just open terminal and run this command
nvram -c
On the next reboot with will clear the NV ram and clears the find my mac flag.
We have also found this to work if the user runs this. It the find my mac flag is set run this and it updates on the next reboot.