Find users who have iCloud Drive and Find my Mac turned on

howie_isaacks
Valued Contributor II

We are about to restrict usage of iCloud to not allow iCloud Drive or Find my Mac. Before I do this, I need a good way to find out who has these features turned on. I have an extension attribute that will tell me who has iCloud signed in but I'm stuck on trying to find out who has iCloud Drive turned on and/or Find my Mac active. Does anyone know how I can track if these services are turned on?

5 REPLIES

Jason33
Contributor III

Create an extension attribute with the following, and place it where you want it to show up in Inventory. Then create a Smart Group to target the users that have it Enabled. You can then use the Jamf Helper tool to notify them that they need to sign out.

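#!/bin/bash

# Jamf Extension Attribute to determine if Find My Mac is enabled

# The read fails and leaves the variable empty when the plist or key does not exist
fmmStatus=$(defaults read /Library/Preferences/com.apple.FindMyMac.plist FMMEnabled 2>/dev/null)

# Treat a missing plist/key the same as an explicit 0 so it is not reported as Enabled
if [[ -z "$fmmStatus" || "$fmmStatus" == 0 ]]; then
	echo "<result>Disabled</result>"
else
	echo "<result>Enabled</result>"
fi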

howie_isaacks
Valued Contributor II

Thanks! It didn't occur to me that since Find my Mac is a machine-wide setting the plist would obviously be in /Library/Preferences, not in ~/Library/Preferences. I was looking in the wrong place. Now I just have to figure out how to detect if iCloud Drive is enabled.

MrP
Contributor III

@howie_isaacks wrote:

We are about to restrict usage of iCloud to not allow iCloud Drive or Find my Mac. Before I do this, I need a good way to find out who has these features turned on. I have an extension attribute that will tell me who has iCloud signed in but I'm stuck on trying to find out who has iCloud Drive turned on and/or Find my Mac active. Does anyone know how I can track if these services are turned on?


#!/bin/bash

##
# iCloud/MobileMe
##
# Detect iCloud/MobileMe sign-ins
mobileMeConfigs=$(find /Users/ -name "MobileMeAccounts.plist" 2> /dev/null)
if [ -n "$mobileMeConfigs" ]; # if variable isn't empty, configuration files were found, so check if they have account data
then
	# Read one path per line so home folders containing spaces are not split into separate words
	while IFS= read -r configFile;
	do
		echo "System: iCloud: Found iCloud account configuration $configFile. Inspecting"
		# Getting the account IDs from the config file if they exist
		config=$(defaults read "$configFile" 2>/dev/null | grep "AccountID =" | perl -pe 's/^\s*AccountID =\s"//' | perl -pe 's/";//')
		if [ -n "$config" ];
		then
			echo "System: iCloud: iCloud accounts found in user profiles.  Investigate!"
			echo "System: iCloud: Account: $config found in: $configFile"
		else
			echo "System: iCloud: iCloud account configuration empty, ignoring."
		fi
	done <<< "$mobileMeConfigs"
fi

This will tell you if they have signed into iCloud. Not sure that helps.

howie_isaacks
Valued Contributor II

Thanks for this. My understanding from testing is that if a user has logged into iCloud, the plist file called MobileMeAccounts.plist will be present at ~/Library/Preferences. This enables me to create an extension attribute that will search for this plist and report if it's present or not.

These commands will let me know if the user has signed into iCloud. If they sign out, the plist stays.

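# Extension attributes run as root, so ~ would point at root's home.
# Resolve the console user's home instead (assumes homes live under /Users).
currentUser=$(stat -f%Su /dev/console)

if [[ -e "/Users/$currentUser/Library/Preferences/MobileMeAccounts.plist" ]]
then
	echo "<result>1</result>"
else
	echo "<result>0</result>"
fi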

Also, if they turn off Find my Mac, the plist in /Library/Preferences stays. Since only a few of my users have likely signed into iCloud, this isn't that big of a deal. Going forward, I will only allow the use of some iCloud services, not all of them. I think I will just deploy the Extension attributes for Find my Mac status and iCloud logged in status and see what comes up.

BlackGloveEng1
New Contributor

If we would like to check the general iCloud logged in status, we would perform:

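# User currently logged in at the console
currentUser=$(stat -f%Su /dev/console)

# Read the Accounts array; if the plist is missing the error is discarded and the variable stays empty
iCloudLoggedInCheck=$(defaults read "/Users/$currentUser/Library/Preferences/MobileMeAccounts" Accounts 2>/dev/null)

if [[ "$iCloudLoggedInCheck" = *"AccountID"* ]]; then
	iCloudLoggedIn="Yes"
else
	iCloudLoggedIn="No"
fi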
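
Added example, not code from any of the posts above: an extension attribute that combines the points raised in this thread by checking every home folder rather than only the console user, and by reporting a user only when the plist still contains an AccountID, since the file stays behind after sign-out. The function names `icloud_account_ids` and `icloud_signed_in_users` are hypothetical, and home folders are assumed to live under /Users.

```bash
#!/bin/bash
# Added example: list every local user whose MobileMeAccounts.plist
# still holds an iCloud AccountID. Intended to run as root from Jamf.

# Print the AccountID values stored in one MobileMeAccounts.plist.
# Prints nothing when the plist is unreadable or the Accounts array is empty.
icloud_account_ids() {
	defaults read "$1" Accounts 2>/dev/null |
		sed -n 's/^[[:space:]]*AccountID = "\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p'
}

# Print one "user:account[,account]" line per home folder under the given
# root (default /Users) that has a signed-in iCloud account.
icloud_signed_in_users() {
	local root="${1:-/Users}" home plist ids
	for home in "$root"/*; do
		plist="$home/Library/Preferences/MobileMeAccounts.plist"
		[ -f "$plist" ] || continue   # user never signed in to iCloud
		ids=$(icloud_account_ids "$plist")
		[ -n "$ids" ] || continue     # plist left behind after sign-out
		printf '%s:%s\n' "${home##*/}" "$(printf '%s\n' "$ids" | paste -sd, -)"
	done
}

# Jamf reads whatever is printed between the <result> tags.
result=$(icloud_signed_in_users /Users)
echo "<result>${result:-None}</result>"
```

A Smart Group with the criterion "is not None" on this attribute then scopes to the Macs that need attention.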