Using Flex Policies to disable Find My Mac

Find My Mac can be a blessing or a curse - control it in your fleet with custom facts, MDM profiles, and flex policies


Find My Mac is an incredible consumer feature that allows you to remotely locate or lock your device in a worst-case scenario. It can also be an enormous nuisance for Mac administrators when they have to work on unlocking a company-owned Mac that has this feature enabled by their employee’s Apple ID. You may no longer have access to the employee who locked the computer, meaning the feature cannot be disabled without contacting Apple and providing proof of ownership. Even if you can reach the employee and they’re cooperative, you may end up needing to have them push a remote wipe from iCloud before they can disable the feature and separate it from their Apple ID.

How can we prevent this from happening on new devices and on devices already in management? Here are some tools and a workflow that can get you on the road to disabling Find My Mac across your fleet.

WORKFLOW

1 – Custom Fact

First things first – we need a custom fact that can identify whether or not a device has a user account with Find My Mac enabled. Here’s an example fact, working as of macOS 12.3.1, that returns true or false depending on whether a Find My Mac token is present in NVRAM on the device:

#!/bin/sh
# Count the characters of any NVRAM entry whose name contains the
# Find My Mac token key; a count of 0 means no token is stored.
icount=$(nvram -p | awk '/fmm-mobileme-token-FMM/' | wc -c)

if [ "$icount" -gt 1 ]; then
    echo "true"
else
    echo "false"
fi
Custom Fact - Find My Mac Activated

Optionally, you could set up an additional fact to scrape all the iCloud accounts signed into a Mac – this can be helpful if you want to follow up with your users to disable the feature in the future:

#!/bin/sh
# Get primary Apple ID for each account from Mac
# Ross Matsuda - Ntiva - August 2020

# Loop over every local user account (UniqueID 501 and above)
IFS=$'\n'
for user in $(dscl . list /Users UniqueID | awk '$NF >= 501 {$NF=""; print $0}' | sed 's/.$//'); do
    # Resolve the account's home folder
    userHome=$(dscl . read /Users/"$user" NFSHomeDirectory 2> /dev/null | sed 's/NFSHomeDirectory://' | grep "/" | sed 's/^[ \t]*//')
    # Read the primary iCloud account ID from the user's MobileMe preferences
    userAppleID=$(/usr/libexec/PlistBuddy -c "print :Accounts:0:AccountID" "$userHome/Library/Preferences/MobileMeAccounts.plist" 2> /dev/null | grep "@")

    # Output: one line per user, the Apple ID or "-" when none is signed in
    if [[ $userAppleID != "" ]]; then
        echo "$userAppleID"
    else
        echo "-"
    fi
done
Custom Fact - List Primary iCloud Accounts

2 – MDM Configuration to lock the status of Find My Mac

While there aren’t any controls to purge an existing Find My Mac token if one is present on a Mac, we do have a way to lock the setting from being toggled. Build an MDM configuration with the following two keys (using both keys covers the widest range of macOS versions on which this configuration is supported):

DisableFMMiCloudSetting=true 

allowCloudFMM=false

Here’s the full profile for you to customize and use.

3 – Policy with auto-assignment

Now we’ll need to set up a policy that uses auto-assignment to include any devices that do not have Find My Mac enabled (the fact result equals “false”). Any device that meets that requirement will be given the MDM configuration to lock Find My Mac status, preventing it from being turned on. Most importantly, this method of deployment ensures that you don’t end up deploying the profile to a Mac with the feature already enabled, which would permanently lock the setting in its enabled state.

Find My Mac Enabled = false

Policy IDs contains [list of policies here]

Once you’ve set up this logic, add an additional auto-assignment filter to include the policies you’d like to begin acting upon.
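To make the three steps concrete, here is an added example (not code from the original post or from Addigy) that models the workflow as POSIX shell functions: the Find My Mac fact evaluated against an `nvram -p` dump, the optional iCloud accounts fact reduced to the users who need follow-up, and the auto-assignment rule that hands out the lock profile only when the fact is exactly "false". The functions take their input as text so the logic can be run anywhere; the function names and the sample NVRAM and fact output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Addigy: the workflow
# steps (fact, lock profile, auto-assignment) as shell functions that take
# their input as text, so the decision logic can be exercised offline.
# All function names and sample data here are constructed.

# Step 1: the "Find My Mac Enabled" fact. $1 is the text of an `nvram -p`
# dump. nvram prints one "name<TAB>value" pair per line, so anchoring on the
# key name at the start of a line is stricter than counting characters with
# wc -c: a value that merely mentions the string cannot produce a false hit.
fmm_enabled_fact() {
    if printf '%s\n' "$1" | grep -q '^fmm-mobileme-token-FMM[[:space:]]'; then
        echo "true"
    else
        echo "false"
    fi
}

# Step 1 (optional fact): reduce the "List Primary iCloud Accounts" output
# ($1, one line per local user: an Apple ID or "-") to the accounts that
# need a follow-up before the feature can be switched off.
icloud_accounts_to_contact() {
    printf '%s\n' "$1" | grep '@' | sort -u
}

# Step 3: the auto-assignment rule. A device is handed the lock profile only
# when the fact is exactly "false". "true" is held back because the profile
# would freeze the setting in the enabled state; anything else (fact not yet
# collected, or an unexpected value) is also held back rather than guessed.
profile_action() {
    case "$1" in
        false) echo "assign-lock-profile" ;;
        true)  echo "hold-contact-user" ;;
        *)     echo "hold-fact-missing" ;;
    esac
}

# Constructed sample data: two nvram dumps and one accounts-fact output.
NVRAM_LOCKED=$(printf 'SystemAudioVolume\t%%80\nfmm-mobileme-token-FMM\t%%00%%01%%02\nfmm-computer-name\tExample%%20Mac\n')
NVRAM_CLEAN=$(printf 'SystemAudioVolume\t%%80\nboot-args\t-v\n')
ACCOUNTS_FACT=$(printf '%s\n' '-' 'person@example.com' '-')

# Stand-alone run: print the decision for each sample device, then the
# accounts that need a follow-up.
for dump in "$NVRAM_LOCKED" "$NVRAM_CLEAN"; do
    fact=$(fmm_enabled_fact "$dump")
    echo "fact=$fact action=$(profile_action "$fact")"
done
icloud_accounts_to_contact "$ACCOUNTS_FACT"
```

The third branch of `profile_action` is the part worth copying into any real auto-assignment logic: a device whose fact has not been collected yet must not be treated as "false", otherwise the profile can land on a Mac that still carries a token.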

SUMMARY

With the above pieces in place, devices in your policy that do not have Find My Mac enabled will receive the profile, which prevents users from enabling the feature. Any device that does have Find My Mac enabled will be given the MDM profile at its next audit, once you and the user have disabled the feature. This allows you to take a minimally invasive approach to preventing use of the feature, only requiring your support team to interact with users who have already enabled it.