Restricting remote wipe for macOS

New Contributor II

Hi all! Any suggestions for the best way to restrict the following scenario?

  1. User signs in to Mac with a personal iCloud account.
  2. User enable "Finds my Mac"
  3. User's iCloud accounts gets compromised, or they leave the company, and a remote wipe command is inappropriately issued.

"Find My Mac" can be restricted in a configuration profile, but this won't prevent a remote wipe if FMM was setup before the profile was issued. It would be nice if there was either a way to restrict only the remote/lock wipe functionality (rather than turning off the entire FMM feature) and/or disabling this capability for someone that's already turned it on.

Another option of course would be restricting usage of personal iCloud accounts in general, but that's something we'd like to avoid doing in light of the effects on user experience.


New Contributor II

Guess to answer my own question somewhat, a method could be:

  1. Restricting FMM through config profile.
  2. Resetting/removing values in NVRAM:

If anyone has a better method please share.

Valued Contributor

I have an extension attribute that checks to see if FMM is enabled and a smart group built from it that removes the NVRAM value as you have listed.