When hiring you always want to surround yourself with people smarter than you are, and I have the pleasure of working with some incredibly talented people. We come up against problems every day and even try to anticipate the things that might present problems in the future.
The subject of this post is one we were thinking about as we go into this summer, when we will be retiring over 1000 devices. We have a checklist of things we need to ask our users (faculty and students as young as 4th grade) to do before returning their equipment, as well as a laundry list of things we have to do ourselves.
One of the issues surrounds how to handle the services associated with an AppleID. There are things you need to do with your iTunes account (deauthorizing the device) and your iCloud account, amongst other things. It is the “Find My Mac” feature that presents an interesting problem.
As we retire our equipment, where these devices eventually end up is a mystery. If a user does not properly disassociate their AppleID iCloud account from the “Find My Mac” feature they will have the ability to play a sound, remote lock or even wipe that machine once it is in the hands of another person.
More simply said you can be locked out of or have your machine wiped by the previous owner of a device if this isn’t done properly.
What follows is distilled from an email on one possible solution for this problem as offered by Damien Barrett (@damienbarrett). Damien is an Apple Certified Macintosh Technician and Casper Certified Administrator. He is someone I have worked with for over 6 years and whom I can always count on to dig deep into an issue.
PROBLEM: Confidently and effectively disassociate “Find My Mac” from 1000+ machines to avoid the possibility of their being remotely wiped, locked, or having sounds played after the machines are released for .
While our fleet of MacBook Airs is imaged when the machines are retired, which puts a new OS on them, imaging does not disassociate the machines from an individual user’s iCloud account and “Find My Mac”.
A user can remove a Mac from their account, which we will ask them to do as part of their turn-in checklist, but a more thorough solution is to find where this setting is stored on the computer (not in the OS) and remove it.
SOLUTION: Clear the nvram
The “Find My Mac” setting is stored in each computer’s nvram, specifically in a key called “fmm-mobileme-token-FMM”.
You can script the removal of this key and another called “fmm-computer-name” during the imaging process, before these machines are released. While the FMM-enabled machine will still show up in a user’s AppleID iCloud settings, it will show up as offline and will no longer send pings to Apple’s FMM servers. A future user will not be able to wipe, lock, or play a sound on this forever-offline machine.
A quicker way to flush these nvram keys is to clear all keys from nvram with the command “sudo nvram -c”.
Upon completing these steps when the retired asset is in the hands of a new user they will be able to enable “Find My Mac” on the device within iCloud, under their own AppleID and have the service work without issue.
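As an added example (not Damien’s script and not part of the original post), here is a small shell audit for the retirement checklist: it reads “nvram -p” output, reports whether the two Find My Mac keys named above are still present, and removes only those keys rather than everything. The sample “nvram -p” output is constructed for offline use, and the per-key “nvram -d” deletion is assumed from the macOS nvram man page.

```shell
#!/bin/sh
# Added example, not from the original post: audit NVRAM for the Find My Mac
# keys the post identifies before a retired Mac is released, and clear only them.

# Key names from the post.
FMM_KEYS="fmm-mobileme-token-FMM fmm-computer-name"

# Print the names of FMM keys found in the given `nvram -p` output.
# `nvram -p` prints one "name<TAB>value" line per firmware variable.
fmm_keys_present() {
    printf '%s\n' "$1" | awk -F'\t' -v keys="$FMM_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Audit the running machine (macOS only): 0 if clean, 1 if FMM keys remain.
audit_live_nvram() {
    found=$(fmm_keys_present "$(nvram -p)")
    if [ -n "$found" ]; then
        echo "Find My Mac keys still present:" $found
        return 1
    fi
    echo "No Find My Mac keys in NVRAM"
    return 0
}

# Remove only the FMM keys (narrower than `sudo nvram -c`); needs root.
# `nvram -d name` is assumed from the macOS nvram man page.
clear_fmm_keys() {
    for key in $FMM_KEYS; do
        nvram -d "$key" 2>/dev/null || true
    done
}

# Constructed sample output: a machine still associated with a user's account
# (the token value is a placeholder, not a real token) and a clean machine.
SAMPLE_DIRTY=$(printf 'SystemAudioVolume\t%%80\nfmm-computer-name\tJane%%27s%%20MacBook%%20Air\nfmm-mobileme-token-FMM\t<placeholder-token>\nboot-args\t')
SAMPLE_CLEAN=$(printf 'SystemAudioVolume\t%%80\nboot-args\t')

# On macOS audit the live machine; elsewhere just exercise the parser on the sample.
if command -v nvram >/dev/null 2>&1; then
    audit_live_nvram
else
    echo "Sample (still associated):" $(fmm_keys_present "$SAMPLE_DIRTY")
    echo "Sample (clean):" $(fmm_keys_present "$SAMPLE_CLEAN")
fi
```

Run the audit as the last step of the imaging workflow, and only call clear_fmm_keys (with sudo) on machines the audit flags.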
As I share this I want to acknowledge the potential for this to be used improperly and for questionable purposes. What is described herein is something to be used to prevent potential problems or issues when retiring a fleet of equipment and ensuring that the next owner of the device(s) can’t be locked out of their device or have their machines wiped.
The issues and things to consider in managing a large fleet of equipment with users at different levels of knowledge and ability are vast. Often you need to come up with solutions to problems or potential problems and are still left wondering if you are doing it right. I welcome your thoughts on what I’ve posted here; please share them in the comments below.