Wednesday, November 6, 2013

Disable Find My Mac by Modifying Nvram Configuration

When Find My Mac (FMM) is enabled, it writes information into the Mac's nvram. This enables the configuration to persist across OS-level changes, including a full system re-image. This is great if it's been stolen and you want to track it, but not so great if you bought a second-hand Mac, or your employer gave you a repurposed Mac. The previous owner will be able to track the Mac's location and even issue a remote wipe.

Apple advises you to disable FMM when handing over ownership. That's fine if you have the owner's cooperation, but it's more problematic if the owner was some guy on Craigslist, or last summer's intern who is now building water wells in Kenya. So we need a way to programmatically disable the functionality.

The relevant nvram variables are shown below. fmm-computer-name is just a base64-encoded string of the computer's host name.
$ nvram -x -p
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
[snip]
<key>fmm-computer-name</key>
<data>
bXljb21wdXRlcm5hbWU=
</data>
<key>fmm-mobileme-token-FMM</key>
<data>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
The fmm-mobileme-token-FMM data is a base64-encoded binary plist that holds the FMM configuration. The purpose seems pretty obvious: the machine will beacon to https://p08-fmip.icloud.com with the authToken, Apple ID, and other machine metadata. The person ID and username in the plist correspond to the Apple ID account that registered with FMM. Values changed here to protect the innocent :)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>authToken</key>
<string>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA~</string>
<key>dataclassProperties</key>
<dict>
<key>com.apple.Dataclass.DeviceLocator</key>
<dict>
<key>apsEnv</key>
<string>Production</string>
<key>authMechanism</key>
<string>token</string>
<key>hostname</key>
<string>p08-fmip.icloud.com</string>
<key>scheme</key>
<string>https</string>
</dict>
</dict>
<key>enabledDataclasses</key>
<array>
<string>com.apple.Dataclass.DeviceLocator</string>
</array>
<key>personID</key>
<string>1111111111</string>
<key>userInfo</key>
<dict>
<key>InUseOwnerDisplayName</key>
<string>A User Name</string>
</dict>
<key>userid</key>
<integer>502</integer>
<key>username</key>
<string>myappleidusername@gmail.com</string>
</dict>
</plist>
The solution is just to kill the nvram variables:
nvram -d fmm-computer-name
nvram -d fmm-mobileme-token-FMM
And in fact, you should probably just clear everything during your re-imaging process:
nvram -c
Probably unnecessary, but you could also disable the LaunchDaemon, which lives here:
/System/Library/LaunchDaemons/com.apple.findmymac.plist
Or just check that the disable is active in /var/db/launchd.db/com.apple.launchd/overrides.plist:
<key>com.apple.findmymacd</key>
<dict>
<key>Disabled</key>
<true/>
</dict>
<key>com.apple.findmymacmessenger</key>
<dict>
<key>Disabled</key>
<true/>
</dict>
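
To confirm during re-imaging that the nvram variables described above are really gone, the following added example (not part of the original post) parses `nvram -x -p` output, lists any leftover `fmm-` entries, and decodes the token plist to show which Apple ID the machine is still registered to. The function names and the sample data are assumptions constructed from the values shown in the post.

```python
import plistlib

LOCATOR = "com.apple.Dataclass.DeviceLocator"

def audit_fmm(nvram_xml: bytes) -> dict:
    """Report Find My Mac residue in the XML printed by `nvram -x -p`."""
    nvram = plistlib.loads(nvram_xml)      # <data> values arrive as bytes
    found = {k: v for k, v in nvram.items() if k.startswith("fmm-")}
    report = {"clean": not found, "variables": sorted(found)}

    name = found.get("fmm-computer-name")
    if isinstance(name, bytes):
        report["computer_name"] = name.decode("utf-8", "replace")

    token = found.get("fmm-mobileme-token-FMM")
    if isinstance(token, bytes):
        try:
            cfg = plistlib.loads(token)    # binary or XML plist, auto-detected
        except Exception:
            cfg = None
        if not isinstance(cfg, dict):
            report["token_error"] = "token present but not a parseable plist"
        else:
            report["registered_to"] = cfg.get("username")
            report["person_id"] = cfg.get("personID")
            props = cfg.get("dataclassProperties", {}).get(LOCATOR, {})
            report["server"] = props.get("hostname")
    return report

def sample_nvram(with_fmm: bool = True) -> bytes:
    """Constructed sample that mirrors the placeholder values in the post."""
    nvram = {"SystemAudioVolume": b"\x40"}
    if with_fmm:
        token = plistlib.dumps({
            "authToken": "AAAA~",          # placeholder, as in the post
            "dataclassProperties": {LOCATOR: {
                "hostname": "p08-fmip.icloud.com", "scheme": "https"}},
            "personID": "1111111111",
            "username": "myappleidusername@gmail.com",
        }, fmt=plistlib.FMT_BINARY)
        nvram["fmm-computer-name"] = b"mycomputername"
        nvram["fmm-mobileme-token-FMM"] = token
    return plistlib.dumps(nvram)

if __name__ == "__main__":
    # On a Mac, feed it the live output instead (requires `import subprocess`):
    #   subprocess.run(["nvram", "-x", "-p"], capture_output=True, check=True).stdout
    print(audit_fmm(sample_nvram()))
    print(audit_fmm(sample_nvram(with_fmm=False)))
```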

10 comments:

Anonymous said...

When I type in the /System/Library/LaunchDaemons/com.apple.findmymac.plist I get a Permission Denied response. How do you know for sure if the previous kill commands work? There seem to be no responses.

G said...

Just do another "nvram -x -p" and the variables should be gone. You need to sudo launchctl unload the plist.

Anonymous said...

The variables are still there after using the kill commands. Any advice?

Anonymous said...

"The variables are still there after using the kill commands. Any advice?"

Boot from recovery, reformat the drive, and then issue the commands.

Anonymous said...

What if you don't see any variables? Does that mean that "Find my mac" was never set up?
I don't see any username or Apple ID.

Anonymous said...

I'm not exactly sure where you go to edit this info? I can't find the file you mention to work in anywhere...

Anonymous said...

I have recently acquired a MacBook Air 2011 off of eBay. In order to avoid second-hand Mac issues relating to iCloud remote shutdowns, I have performed the following actions:

-Secure erase (using parted magic), deleted old partition and created a new partition (using gparted).
-Cleared PRAM/NVRAM using keyboard procedure a few times, after HD was already wiped.
-Installed Ubuntu (I will be using Ubuntu, and maybe Windows through VB).

My question is if there is any way that Find My Mac capabilities could have persisted, and would it be able to shut me down if I connect the MacBook to the internet and the seller (or seller's seller) decides to lock the device on iCloud?

Thanks much.

John Sawyer said...

Wouldn't the keyboard method for resetting PRAM/NVRAM do the job?:

Power down the Mac, then power it up (in other words, don't do this from a warm reboot, since that may not completely clear PRAM/NVRAM), and before the screen lights up, quickly hold down these keys simultaneously: Command-Option-P-R. Keep them held down until you hear the MacBook chime two more times after the powerup chime.

G said...

@John, maybe, I haven't tested it. But your method doesn't scale. There's no way you could do that when you have 1000 machines to reimage.
