Remote lock using “Find My Mac”

New Contributor


Recently I have been experiencing issues with employees who leave the company remotely locking their company issued Mac with their Apple IDs. Does anyone know of a way to prevent this from happening in the future? How do other companies manage Apple IDs?



It kind of depends how deep you want to go. You could potentially prevent using iCloud altogether (block it in your DEP PreStage and block the preference pane), but if you wanted to keep that functionality, you could try sending out a configuration profile like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Contributor II
Contributor II

@lamont - There is a Configuration Profile Restriction that you can "Disallow Find My Mac," which applies to computers running Sierra or greater. You can find the checkbox for it (and a number of other iCloud services) in the "Functionality" tab of the Restrictions payload.


The iCloud 'Find my Mac' settings are save to NVRAM, so that even if you wipe the hard drive and reimage, the old iCloud account still has sway over the Mac. Make it a policy that when you take in a computer from an exiting employee that you immediately force a shutdown and zap the PRAM to clear the settings.

You can look at the contents of nvram with the command

nvram -p

The iCloud settings are contained within the variables, fmm-computer-name and fmm-mobileme-token-FMM... which I suppose you could also erase with on the command line with the nvram -d command, but why risk the computer checking in and locking before you get a chance to reset?

New Contributor II

@lamont If you have the device and the proof of purchase you are able to get override on the firmware lock placed by Find My Device. Visit Apple support and they will take care of it for you. Sometimes they need to check the device in for a few days, but make sure you have proof of original purchase in your possession for all your enterprise Apple devices is my best advice here. I agree with the other admins above though, easy solution is to have policies in place that simply block iCloud or Find My Device services. Otherwise, you could create enterprise Apple ID's for each Apple device and manage that way. Good if an end-user loses assets, stolen property, or off-boards without resetting, you can lock it down yourself now to mitigate those risks. I suppose a bit of a privacy concern regarding location services but, I'd talk to HR/Legal.