macOS 15 - Sequoia
The macOS system must disable Find My service
Description
The Find My service must be disabled.A Mobile Device Management (MDM) solution must be used to carry out remote locking and wiping instead of Apple's Find My service.Apple's Find My service uses a personal AppleID for authentication. Organizations must rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
Check
Verify the macOS system is configured to disable Find My service with the following command:/usr/bin/osascript -l JavaScript << EOSfunction run() {let pref1 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\.objectForKey('allowFindMyDevice'))let pref2 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.applicationaccess')\.objectForKey('allowFindMyFriends'))let pref3 = ObjC.unwrap($.NSUserDefaults.alloc.initWithSuiteName('com.apple.icloud.managed')\.objectForKey('DisableFMMiCloudSetting'))if ( pref1 == false && pref2 == false && pref3 == true ) {return("true")} else {return("false")}}EOSIf the result is not "true", this is a finding.
Fix
Configure the macOS system to disable Find My service by installing the "com.apple.applicationaccess" and "com.apple.icloud.managed" configuration profiles.