Restricting remote wipe for macOS

jlong
New Contributor II

Hi all! Any suggestions for the best way to restrict the following scenario?

  1. User signs in to Mac with a personal iCloud account.
  2. User enables "Find My Mac".
  3. User's iCloud account gets compromised, or they leave the company, and a remote wipe command is inappropriately issued.

"Find My Mac" can be restricted in a configuration profile, but this won't prevent a remote wipe if FMM was set up before the profile was issued. It would be nice if there was either a way to restrict only the remote lock/wipe functionality (rather than turning off the entire FMM feature) and/or to disable this capability for someone who has already turned it on.

Another option of course would be restricting usage of personal iCloud accounts in general, but that's something we'd like to avoid doing in light of the effects on user experience.


jlong
New Contributor II

Guess to answer my own question somewhat, a method could be:

  1. Restricting FMM through a config profile.
  2. Resetting/removing the values in NVRAM: https://tidbits.com/article/16638

If anyone has a better method please share.

hkabik
Valued Contributor

I have an extension attribute that checks to see if FMM is enabled and a smart group built from it that removes the NVRAM value as you have listed.
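As an added example (not hkabik's own script or anything from this thread), here is a Jamf-style extension attribute that reports whether Find My Mac is enabled by looking for the FMM token in NVRAM. The NVRAM variable name fmm-mobileme-token-FMM, the <result> output format and the sample NVRAM dump are assumptions made for the example.

```shell
#!/bin/bash
# Added example: extension attribute that reports the Find My Mac state.
# Assumes macOS stores the FMM token in the NVRAM variable fmm-mobileme-token-FMM.

# Decide the FMM state from the text of `nvram -p`.
# $1: full output of `nvram -p`. Prints "Enabled" or "Disabled".
fmm_state_from_nvram() {
    if printf '%s\n' "$1" | grep -q '^fmm-mobileme-token-FMM'; then
        echo "Enabled"
    else
        echo "Disabled"
    fi
}

# Wrap the state in the <result> tags an extension attribute returns to Jamf.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Constructed sample NVRAM dump (tab-separated like `nvram -p`), used when the
# script runs somewhere without an `nvram` binary so it can still be exercised.
SAMPLE_NVRAM="$(printf 'SystemAudioVolume\t%%80\nfmm-mobileme-token-FMM\tconstructed-token-value==\n')"

if command -v nvram >/dev/null 2>&1; then
    NVRAM_DUMP="$(nvram -p 2>/dev/null)"
else
    NVRAM_DUMP="$SAMPLE_NVRAM"
fi

# The string inside <result> is what a smart group criterion matches on.
ea_result "$(fmm_state_from_nvram "$NVRAM_DUMP")"
```

A smart group keyed on the "Enabled" result can then scope the policy that clears the NVRAM value, as described in the replies above.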