iCloud restrictions

howie_isaacks
Valued Contributor II

I am hoping to be able to restrict using iCloud Drive and Find my Mac. I used iMazing Profile Editor to create a plist file that I could use in a configuration profile. The profile works as it should for iCloud Drive, but it does nothing for Find my Mac. I don't want users storing company documents in iCloud Drive, and I do not want Find my Mac turned on. FMM has made getting Macs repaired through Apple a pain if it's turned on. I found a thread here discussing restrictions for iCloud. It included a link to a Github page that has a profile that looks promising. It doesn't work either. That page is here: https://github.com/ducksrfr/mac_admin/blob/master/profiles/disable_icloud_services.mobileconfig

I can totally lock out the ability to use iCloud completely, but I really don't want to. I'm trying to disable the things that can cause security issues, or difficulty for the users on the networks that we manage. Has anyone been able to successfully stop Find my Mac from being used without totally banning iCloud? Here's a screenshot of the profile that I made.

Screen Shot 2022-02-09 at 15.12.57.png

1 ACCEPTED SOLUTION

DBrowning
Valued Contributor II

if you add the following key and value, thats what I have in a config profile that i've uploaded and when someone logs into their iCloud account, FindMyMac is greyed out.

<key>DisableFMMiCloudSetting</key>
    <true/>

 

View solution in original post

8 REPLIES 8

dlbrabb
New Contributor III

You can create a configuration profile, and within Restrictions/Functionality, you can change enable/disable iCloud features.

howie_isaacks
Valued Contributor II

This was the first thing I tried. I got the same result that I described above.

karthikeyan_mac
Valued Contributor

 Disabling Find My Mac with Configuration Profiles does not work.

Refer the below discussion for more information.

https://community.jamf.com/t5/jamf-pro/disable-find-my-mac/m-p/258378#M239059

DBrowning
Valued Contributor II

if you add the following key and value, thats what I have in a config profile that i've uploaded and when someone logs into their iCloud account, FindMyMac is greyed out.

<key>DisableFMMiCloudSetting</key>
    <true/>

 

DBrowning
Valued Contributor II

yeah forgot to mention this is in com.apple.icloud.managed domain.

howie_isaacks
Valued Contributor II

Thank you! You have helped me a few times before on scripts. I really appreciate it! This worked after I added the key and value and changed the domain.

boberito
Valued Contributor

There's multiple things needed for Find My Mac I've found.

You can get an idea of the keys and all required by this link - https://github.com/usnistgov/macos_security/blob/main/rules/sysprefs/sysprefs_find_my_disable.yaml

karthikeyan_mac
Valued Contributor

@happyprovide You have to use Custom Payload for com.apple.icloud.managed preference to restrict the FMM settings to be modified but this will not disable the FMM if it's already enabled. This will prevent the user to turn off the settings if it's enabled already (No workaround).

Screenshot 2022-11-08 at 11.43.16 AM.png

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>DisableFMMiCloudSetting</key>
	<true/>
</dict>
</plist>

 Thanks.