Disable iCloud, iCloud Drive and Find my Mac on existing systems

cgolebio
New Contributor III

Hi,
I am rolling out Casper, and I have existing Mac systems in various states. Some users have logged into iCloud and others have not. I would like to find out if anybody has been challenged with logging users out of iCloud and disabling iCloud, disabling Find My Mac, and ensuring iCloud Drive does not connect.

We have alternatives in place for file sharing and cloud storage. Being in the corporate space, preventing the use of iCloud is a measure of security. It is not a problem for newly rolled out and enrolled systems, except for preventing iCloud Drive mounting through methods other than System Preferences.


bpavlov
Honored Contributor

For reporting purposes these may be some handy extension attributes:

Find My Mac:

#!/bin/bash

# Purpose: to see if machine is enrolled in Find My Mac

plistBud="/usr/libexec/PlistBuddy"

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
    FindMyMac=`$plistBud -c "print :Accounts:0:Services:11:Enabled" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
    FindMyMac="Not Enabled"
fi

echo "<result>$FindMyMac</result>"

Note: If iCloud has been enabled but Find My Mac has not been enabled yet, then the value it's looking for will not report back correctly. Keep that in mind.

iCloud

#!/bin/bash

# Purpose: to grab iCloud status

plistBud="/usr/libexec/PlistBuddy"

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

if [[ -e "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" ]]; then
    iCloudStatus=`$plistBud -c "print :Accounts:0:LoggedIn" /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist`
else
    iCloudStatus="Not Enabled"
fi

echo "<result>$iCloudStatus</result>"

For disabling:
As far as disabling, you can try to prevent it but there may be ways around it:
Basically use a config profile to block Internet Accounts and iCloud.
You will probably also want to remove the iCloud Drive from the Finder sidebar. There's a python script someone has created that might come in handy so that it removes it.

Also some other neat articles regarding Find My Mac (in a situation where a user leaves and had Find My Mac enabled):
http://ilostmynotes.blogspot.com/2013/11/disable-find-my-mac-by-modifiying-nvram.html
https://clburlison.com/find-my-mac/
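
An added example, not part of any post in this thread: the note above says the fixed index `Services:11` can report incorrectly, so this sketch looks each service up by its `Name` instead and treats a missing `Enabled` key as off. The service names `FIND_MY_MAC` and `MOBILE_DOCUMENTS`, the `AccountID` key, a Python 3 interpreter on the Mac, and the sample plist are assumptions constructed for illustration.

```python
"""Report iCloud, Find My Mac and iCloud Drive state from MobileMeAccounts.plist."""
import plistlib
import sys
from pathlib import Path

# Assumed service names inside each account's Services array.
FIND_MY_MAC = "FIND_MY_MAC"
ICLOUD_DRIVE = "MOBILE_DOCUMENTS"


def service_enabled(account, name):
    """Find a service by Name, not array position; a missing Enabled key means off."""
    for svc in account.get("Services", []):
        if svc.get("Name") == name:
            return bool(svc.get("Enabled", False))
    return False


def icloud_status(plist_bytes):
    """Return one dict per account found in the plist (XML or binary)."""
    data = plistlib.loads(plist_bytes)
    return [{"account": a.get("AccountID", "unknown"),
             "logged_in": bool(a.get("LoggedIn", False)),
             "find_my_mac": service_enabled(a, FIND_MY_MAC),
             "icloud_drive": service_enabled(a, ICLOUD_DRIVE)}
            for a in data.get("Accounts", [])]


def ea_result(plist_bytes):
    """Format the status as an extension attribute <result> string."""
    rows = icloud_status(plist_bytes)
    if not rows:
        return "<result>Not Enabled</result>"
    lines = ["{account}: LoggedIn={logged_in} FindMyMac={find_my_mac} "
             "iCloudDrive={icloud_drive}".format(**r) for r in rows]
    return "<result>" + "\n".join(lines) + "</result>"


# Constructed sample: Find My Mac is listed first with no Enabled key and
# iCloud Drive second, so an index such as Services:11 would not exist here.
SAMPLE = plistlib.dumps({"Accounts": [{
    "AccountID": "user@example.com", "LoggedIn": True,
    "Services": [{"Name": "FIND_MY_MAC"},
                 {"Name": "MOBILE_DOCUMENTS", "Enabled": True}]}]})

if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    print(ea_result(raw))
```

Run with the path to a user's MobileMeAccounts.plist as the only argument; with no argument it reports on the constructed sample.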

bentoms
Release Candidate Programs Tester

The below will report if a Mac has been enrolled into FindMyMac:

#!/bin/sh
#
# Will reply Set if Find My Mac is set for this Mac
#

fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)

if [ -z "$fmmToken" ];
then
    echo "<result>Not Set</result>"
else
    echo "<result>Set</result>"
fi

cgolebio
New Contributor III

Thanks for the EAs and the links. I haven't tested yet, and will, but has anyone tried clearing the nvram? Curious how Find My Mac responds for the person who enrolled after this is done.

I will test this out for myself and post my results.

Thank you again for the help.

bentoms
Release Candidate Programs Tester

@cgolebio This should clear the NVRAM fmm key:

/usr/sbin/nvram -d fmm-mobileme-token-FMM

But I think the Mac will need a restart for it to take effect.

In my imaging workflow I run the below to clear NVRAM:

/usr/sbin/nvram -c

Fishd
New Contributor

Has anyone else spoken to Apple about the prospect of adding controls for these to Mac OS X? I notice that there is granular control for iCloud functionality in iOS but, in our instance at least, this is of no use as we have managed OS X devices, but the iOS devices are unmanaged.

clburlison
New Contributor II

For reference purposes, if you want to disable FMM without requiring a reboot, the following works in 10.13.2. Removing the fmm-computer-name and restarting the FindMyMacd process were not 100% required; however, since they are all related, better safe (plus I didn't test anything older than 10.13).

#!/bin/sh
nvram -d fmm-computer-name
nvram -d fmm-mobileme-token-FMM
killall -HUP findmydeviced
killall -HUP FindMyMacd