In last week’s post on how to disable and prevent user-based Activation Lock, I highlighted a script that I wrote that can prompt users to log out of Find My Mac if a Mac has Activation Lock enabled, which allows the MDM to put a “disallow user-based Activation Lock” key in place on the machine.
With the initial release of that script pushed out the door, I got to work on the improvements I wanted to add for the next revision. In addition to my own list, I also included some feedback and feature requests that I received from the Mac admin community.
If you want to download the latest script, you can find it on GitHub. If you want a breakdown of the changes, keep reading.
Added ability to always prompt the user to log out of Find My Mac, regardless of the Activation Lock status.
Most admins are only concerned with Activation Lock being disabled, and if it is disabled, then users can use Find My Mac all they want (this can be useful if they frequently lose their work laptop). However, if you want to force a user to remain logged out of Find My Mac, this feature is for you. If set to true, it will always prompt the user to log out of Find My Mac if it detects they have it turned on.
DisallowFindMy=true #Change to true if you want to always prompt the user when Find My Mac is enabled, regardless of the user-based activation lock status.
iCloud account email address reporting
The script will now grab the email address of the user who set Activation Lock on the Mac and include that in the script output so that the admin has that information if they need it.
Activation Lock status is: enabled, and is locked by user 'brian' with account 'firstname.lastname@example.org'.
User inputs for prompt delay and timeout.
By default, the script will prompt the user every 40 seconds to log out of Find My Mac until it detects that Activation Lock has been disabled (or until it sees Find My Mac has been turned off, depending on your setting). This is now customizable in the user input section (just be sure you’re giving your users enough time to enter their iCloud passwords when turning off Find My Mac). I’ve also included a timeout after x number of attempts so that the script will eventually give up so as not to hang up any other policies that need to run.
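The delay-and-timeout behaviour described above can be sketched as a bounded re-prompt loop. This is an added example, not code from the original script: the function and variable names are hypothetical, and the status check and dialog are constructed stand-ins so the loop runs on any machine (a real run would pass the page's default of 40 as the delay).

```bash
#!/bin/bash
# Added example (not from the original script). All names are hypothetical.

# prompt_until_cleared CHECK_CMD PROMPT_CMD DELAY_SECONDS MAX_ATTEMPTS
#   CHECK_CMD  exits 0 once the Mac is in the desired state
#              (Activation Lock disabled, or Find My Mac turned off)
#   PROMPT_CMD shows the "log out of Find My Mac" dialog
# Returns 0 when CHECK_CMD succeeds, 1 after MAX_ATTEMPTS prompts without
# success, 2 if DELAY_SECONDS or MAX_ATTEMPTS is not a whole number.
# PROMPTS_SHOWN holds the number of dialogs displayed, for reporting.
prompt_until_cleared() {
    local check_cmd="$1" prompt_cmd="$2" delay="$3" max_attempts="$4" n

    # Reject empty or non-numeric settings so a typo in the user input
    # section cannot turn into an endless loop.
    for n in "$delay" "$max_attempts"; do
        case "$n" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done

    PROMPTS_SHOWN=0
    while ! "$check_cmd"; do
        # Give up after the configured number of prompts so other
        # policies waiting to run are not held up.
        if [ "$PROMPTS_SHOWN" -ge "$max_attempts" ]; then
            return 1
        fi
        "$prompt_cmd"
        PROMPTS_SHOWN=$((PROMPTS_SHOWN + 1))
        # Leave the user time to enter their iCloud password.
        sleep "$delay"
    done
    return 0
}

# Constructed stand-ins: the check "passes" once the user has been
# prompted CLEARS_AFTER times; the prompt does nothing.
CLEARS_AFTER=2
fake_check()  { [ "$PROMPTS_SHOWN" -ge "$CLEARS_AFTER" ]; }
fake_prompt() { :; }

prompt_until_cleared fake_check fake_prompt 0 5
echo "exit=$? prompts=$PROMPTS_SHOWN"
```

A non-zero return lets the calling policy log the timeout and continue instead of waiting on the user indefinitely.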
Added osascript to activate System Settings.
I thought this was fixed in macOS 13.1, but I was running into scenarios where the URL scheme to open System Settings wouldn’t bring that window to the forefront. I’ve added the following to make sure that window presents itself properly on macOS Ventura:
osascript -e 'tell application "System Settings"' -e 'activate' -e 'end tell'
Added SwiftDialog support (thanks Trevor Sysock – @bigmacadmin)
Most admins who are presenting dialogs to end users and aren’t using native MDM dialog tools are probably using SwiftDialog for its more flexible feature set over standard AppleScript dialogs. The user dialog function will leverage SwiftDialog for user prompts if it’s installed. If not, it will fall back to the osascript defaults.
Changed the URL scheme to open directly to the iCloud section of the Apple ID window. (thanks Keith Spitzer – @kspitzer14)
I was desperately trying to find how to open System Settings directly to the iCloud portion of the Apple ID window using macOS Ventura’s new System Settings URL scheme. It turns out that doesn’t exist, but Keith discovered that the legacy Monterey URL scheme for the iCloud anchor still works in macOS Ventura! This helps streamline the user experience and opens System Settings directly to where that user needs to take action. This will probably work for the life of macOS Ventura, but I have a hunch that this particular URL will be fully deprecated in macOS 14. I would encourage you to submit feedback to Apple that you want an iCloud extension added to the System Settings URL scheme, for example:
x-apple.systempreferences:com.apple.iCloud-Settings.extension
Changed the default icon to FindMy.icns
With the ability to open System Settings directly to the iCloud section where the Find My Mac icon is visible, I decided to change the default icon used for dialogs to the Find My icon so that it is visually clearer to the end user what they need to click on. You can of course change this to your liking in the User Input section of the script.
Big thanks to the community for testing and submitting feature requests and ideas. I’m excited to see this script evolve and hopefully help ease the burden of Activation Lock issues on admins.