Posted on 02-17-2016 08:49 AM
So we might be learning this lesson the hard way, but we have an Air that a student has locked via his iCloud account and does not know the code. We've been fighting with Apple support and GSX to get it unlocked but in the interim we've begun discussing how to prevent this in the future. Only way I really see would be to disable the iCloud preference pane (configuration profile I assume?), correct? If that is the case, then you are debating the cost benefit of them being able to utilize the iCloud features against locking and wiping a device as well.
If we go the route of disabling the iCloud pref pane, a user could still enable this during an OS upgrade too, right?
Finally, wondering if there is an extension attribute or another way to query all my devices to see who has iCloud enabled on their laptops?
Posted on 02-17-2016 09:19 AM
Some food for thought because we've considered it. iCloud can be set up in two preference panes: iCloud and Internet Accounts. So if you make use of Mail/Contacts/Calendar, forget about blocking the iCloud sys pane. It might deter an end user but not fully prevent iCloud on the computer.
I briefly recall looking at how to determine whether iCloud is on a computer. At least in 10.10 the couple of minutes of research showed a lot of different results, but it looks like some of that info may be located in ~/Library/Preferences/MobileMeAccounts.plist. The research consisted of me using Composer, doing a NEW & MODIFIED SNAPSHOT and in between turning on iCloud with all services to see what changes on the computer. There may be better ways to deal with it though.
Another thing you can do if the concern is the computer being tied to the Find My Mac feature on their iCloud account: I believe it's tied to NVRAM and can be cleared out after a re-image. You might even be able to do some reporting based off this.
These two links might be a good start.
http://ilostmynotes.blogspot.com/2013/11/disable-find-my-mac-by-modifiying-nvram.html
https://clburlison.com/find-my-mac/
Hopefully this info is somewhat helpful and can get you started. Curious to see what others reply with.
Posted on 02-17-2016 09:51 AM
@TomDay I cannot speak to how to disable the ability to enable FMM, but I can help with the Extension Attribute. The following should give you the status of iCloud and FMM. You may want to break these into two separate EAs so that you can scope to FMM:
#!/bin/bash
# Purpose: to grab iCloud status and see if machine is enrolled in Find My Mac
plistBud="/usr/libexec/PlistBuddy"
# Current console user (empty string at the login window)
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"`
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"`
echo "<result>iCloud: $iCloudStatus FMM: $FindMyMac</result>"
I have to give credit to @andrewseago for this, as I used his EA to get Keychain Sync and iCloud Doc Sync status to get the idea for this.
As always, test, test, test.
Posted on 02-17-2016 11:47 AM
I did some more testing of my own, and found that if iCloud was not enabled at all the MobileMeAccounts.plist file did not exist, so I wanted to update what I have:
#!/bin/bash
# Purpose: to grab iCloud status
plistBud="/usr/libexec/PlistBuddy"
# Current console user (empty string at the login window)
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
# The plist only exists once iCloud has been signed in to at least once
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"`
else
iCloudStatus="Not Enabled"
fi
echo "<result>$iCloudStatus</result>"
And for Find My Mac:
#!/bin/bash
# Purpose: to see if machine is enrolled in Find My Mac
plistBud="/usr/libexec/PlistBuddy"
# Current console user (empty string at the login window)
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"`
else
FindMyMac="Not Enabled"
fi
echo "<result>$FindMyMac</result>"
Posted on 02-17-2016 12:49 PM
@bpavlov Thanks I'll look at both panes; iCloud and Internet Accounts
@stevewood Perfect thanks for those EAs! testing them out now, just have to play with the smart group settings. I don't think I have the values set right for the criteria, getting hits on computers I know don't have FMM or iCloud enabled on.
Posted on 02-17-2016 12:55 PM
@TomDay Breaking out each into their own EA, like I posted in my last post, will help with SG creation. The Smart Group for each should just be looking for a true value. So I set up an "iCloud On" SG with the following criteria:
And that found the machines in our environment that have iCloud turned on. You would use the same logic for Find My Mac.
Posted on 02-17-2016 01:16 PM
Ah @stevewood, "True" is what I needed! Working perfectly now, thanks!
Posted on 02-29-2016 08:10 AM
Just a small note and something to be aware of:
If a user sets up an iCloud account for the first time, but does not enable Find My Mac from the beginning, then it will not have a value that you can pick up on from that plist. In other words, the file MobileMeAccounts.plist will exist but it won't be able to print anything related to Find My Mac because the Enabled key won't exist. If you enable it and then disable it, it will report False, but not before it has been enabled at least once, it seems.
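The two PlistBuddy EAs above plus this caveat give three distinct states (plist missing, Enabled key absent, Enabled key present). The following is an added example, not code from the thread or from Jamf, that reports all three from one script using Python's plistlib so the parsing can be exercised off-box with a constructed plist. It keeps the thread's assumption that Find My Mac is the service at Accounts:0:Services:11; the service names in the constructed sample are placeholders, and the /dev/console lookup for the console user is this example's own choice.

```python
"""Added example: iCloud / Find My Mac state from MobileMeAccounts.plist.

Cases handled (as described in the thread):
  - plist missing        -> iCloud never signed in ("Not Enabled")
  - Enabled key absent   -> iCloud on, FMM never toggled ("Never Enabled")
  - Enabled key present  -> "True" / "False", as PlistBuddy would print it
Assumption: FMM is the service at Accounts:0:Services:11 (thread's EA index).
"""
import plistlib
import subprocess
from pathlib import Path

FMM_SERVICE_INDEX = 11  # index the thread's PlistBuddy EA uses (assumed stable)


def parse_mobileme(plist_bytes):
    """Return (icloud, fmm) status strings from raw plist contents."""
    data = plistlib.loads(plist_bytes)
    accounts = data.get("Accounts", [])
    if not accounts:
        return "Not Enabled", "Not Enabled"
    account = accounts[0]
    icloud = "True" if account.get("LoggedIn") else "False"
    services = account.get("Services", [])
    if len(services) <= FMM_SERVICE_INDEX:
        return icloud, "Not Enabled"
    service = services[FMM_SERVICE_INDEX]
    if "Enabled" not in service:
        # Key only appears once FMM has been switched on at least once
        return icloud, "Never Enabled"
    return icloud, "True" if service["Enabled"] else "False"


def status_for_home(home):
    """Read the plist under a home directory; missing file means never signed in."""
    path = Path(home) / "Library" / "Preferences" / "MobileMeAccounts.plist"
    if not path.exists():
        return "Not Enabled", "Not Enabled"
    return parse_mobileme(path.read_bytes())


def ea_result(home):
    """Format the state the way a Jamf extension attribute expects."""
    icloud, fmm = status_for_home(home)
    return f"<result>iCloud: {icloud} FMM: {fmm}</result>"


def sample_plist(logged_in, fmm_enabled):
    """Constructed sample with the plist's shape; fmm_enabled=None omits the key."""
    services = [{"Name": f"CONSTRUCTED_SERVICE_{i}", "Enabled": True}
                for i in range(FMM_SERVICE_INDEX)]
    fmm_service = {"Name": "CONSTRUCTED_FMM_SERVICE"}
    if fmm_enabled is not None:
        fmm_service["Enabled"] = fmm_enabled
    services.append(fmm_service)
    return plistlib.dumps({"Accounts": [{"LoggedIn": logged_in, "Services": services}]})


if __name__ == "__main__":
    # Owner of /dev/console is the logged-in GUI user (this example's choice,
    # standing in for the SCDynamicStoreCopyConsoleUser one-liner in the thread)
    console_user = subprocess.run(["stat", "-f", "%Su", "/dev/console"],
                                  capture_output=True, text=True).stdout.strip()
    print(ea_result(Path("/Users") / console_user))
```

Scoping a Smart Group on "FMM: True" then excludes both the never-signed-in and never-toggled machines, which is the distinction the caveat above is about.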
Posted on 02-12-2017 04:58 AM
Here's my take on the FMM EA, which checks NVRAM to see if FMM was enabled. Downside is that when a Mac is formatted the NVRAM record stays until NVRAM is reset:
#!/bin/sh
# to see if machine is enrolled in Find My Mac
if [ $(nvram -p | grep -c 'fmm-mobileme-token-FMM') -eq 0 ]; then
FindMyMac="Not Enabled"
else
FindMyMac="Enabled"
fi
echo "<result>$FindMyMac</result>"
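Because the NVRAM token outlives a format, the plist state and the NVRAM state can disagree on a re-imaged Mac. The following is an added example, not from the thread, that parses `nvram -p` output for the token and reconciles it with the plist-derived FMM value, so a machine carrying a previous owner's token is reported as a stale token rather than as enabled. It assumes `nvram -p` prints one `name<TAB>value` pair per line; the NVRAM sample below is constructed, and the reconciliation rules are this example's heuristic, not Apple's.

```python
"""Added example: reconcile the Find My Mac NVRAM token with the plist state.

Assumption: `nvram -p` emits one variable per line as name<TAB>value.
The plist-side value is the string the thread's EA reports ("True", "False",
"Not Enabled", ...); this script does not re-derive it.
"""
import subprocess

FMM_TOKEN = "fmm-mobileme-token-FMM"  # variable name from the thread's EA

# Constructed sample of `nvram -p` output (values are placeholders)
CONSTRUCTED_NVRAM = (
    "SystemAudioVolume\t%80\n"
    "fmm-mobileme-token-FMM\t%00%01constructed-token-bytes\n"
    "boot-args\t\n"
)


def nvram_variables(nvram_output):
    """Map variable name -> raw value from `nvram -p` text."""
    variables = {}
    for line in nvram_output.splitlines():
        if "\t" not in line:
            continue  # blank or unexpected line; skip
        name, value = line.split("\t", 1)
        variables[name] = value
    return variables


def fmm_token_present(nvram_output):
    """True when the FMM token variable exists, whatever its value."""
    return FMM_TOKEN in nvram_variables(nvram_output)


def classify(token_present, plist_fmm):
    """Heuristic combination of the two signals (this example's own rules)."""
    if token_present and plist_fmm == "True":
        return "Enabled"
    if token_present:
        # Token survived a reimage or sign-out: clear NVRAM before reissuing
        return "Stale token"
    if plist_fmm == "True":
        return "Enabled (no token)"  # unexpected combination; worth a look
    return "Not Enabled"


def ea_result(nvram_output, plist_fmm):
    """Jamf-style result line for the combined state."""
    return f"<result>{classify(fmm_token_present(nvram_output), plist_fmm)}</result>"


def live_nvram():
    """Read the real NVRAM on a Mac (errors='replace' copes with binary values)."""
    return subprocess.run(["/usr/sbin/nvram", "-p"], capture_output=True,
                          text=True, errors="replace").stdout


if __name__ == "__main__":
    # Plist value would normally come from the PlistBuddy EA; "False" shown here
    print(ea_result(live_nvram(), "False"))
```

A Smart Group on "Stale token" is the list of re-imaged Macs that still need their NVRAM cleared before being issued to the next user.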
Posted on 02-13-2017 10:22 AM
I have been purging the FMM token from NVRAM as part of our Imaging setup script in order to avoid this issue.
#!/bin/sh
# Purge any Find My Mac tokens from NVRAM
/usr/sbin/nvram -d fmm-mobileme-token-FMM
echo "FMM Token Purged"
Posted on 02-16-2017 02:26 AM
@dgreening Great idea, I'll use it.
Posted on 11-30-2017 09:26 AM
@dgreening Does this still work if the user has left the company and has enabled the iCloud lock on the computer? Or does this still require a ticket to Apple to unlock?
Posted on 09-02-2020 06:54 PM
It appears that /usr/sbin/nvram -d fmm-mobileme-token-FMM no longer works, or at least doesn't work in macOS Catalina. Anyone found a method that does?
Posted on 09-04-2020 06:47 AM
What we have been using for this was a terminal command.
We reformat all of our Macs when they come back from a user. We found that while doing this we just open Terminal and run this command:
nvram -c
On the next reboot this will clear NVRAM and clears the Find My Mac flag.
We have also found this to work if the user runs this. If the Find My Mac flag is set, run this and it updates on the next reboot.