Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Disable Find My Mac by Resetting NVRAM

Find My Mac is an iCloud-based service that enables you to discover the location of a lost Mac, lock it, or erase it remotely. However, it turns out that it’s easy to disable Find My Mac, which could be bad news if your Mac is stolen or good news if you’re dealing with an old Mac that wasn’t properly reset.

The two main reasons to enable and use Find My Mac are to help recover a lost or stolen Mac and to eliminate the worry of misplacing it around the house. For most people, it’s a no-brainer — just open System Preferences > iCloud and select the Find My Mac button. The main downside is that if you’re concerned about your privacy, Find My Mac opens up an avenue by which you could conceivably be tracked.


Finding a Lost Mac -- Should your Mac go missing, you can log in to the iCloud Web site to deal with it. Click Find iPhone there, and then select the Mac from the menu at the top to see the Mac’s location on a map. A box in the corner shows your Mac’s battery level, lets you play a sound in case it just slipped between the couch cushions, lock it with a passcode (to prevent it from being erased) and display a custom message, or wipe it remotely yourself. You can also use the Find My iPhone app in iOS to perform the same tasks.


Unfortunately, Find My Mac requires that the Mac be powered on and connected to a Wi-Fi network, which means that anything you try to make happen on a lost Mac may be delayed or never occur at all. Plus, since Macs lack GPS chips, the reported location may not be all that precise even when a Mac can be located. At least Macs with solid-state storage and Power Nap turned on can report their locations while sleeping, which isn’t true of Macs with hard drives.

There is one other problem that my friend Will Mayall alerted me to recently, which is that resetting NVRAM disables Find My Mac. Will discovered this on his own, but it turns out that others have run across the same fact over the past few years, as evidenced by a quick Google search. In essence, Apple stores the Find My Mac data in NVRAM, which is good for keeping it around even if the hard drive is removed, but bad in the sense that it’s easy to reset NVRAM — just restart while holding down Command-Option-P-R. A quick test confirmed the problem in OS X 10.11 El Capitan, and nothing has changed in the public beta of macOS 10.12 Sierra.

The only way to prevent Find My Mac from being disabled is to set a firmware password, which you must enter whenever you start up from a disk other than the usual startup disk. Plus, if you try to reset NVRAM, you’re prompted for the firmware password, and when you enter it, the Mac instead boots into Recovery mode. In fact, when you lock your Mac via Find My Mac, what it’s doing is setting a firmware password.

Don’t set a firmware password without understanding the ramifications, though. If you forget your firmware password, regaining the use of the Mac will require a service appointment at an Apple Store or an Apple Authorized Service Provider, and you’ll have to bring an original receipt or invoice as proof of purchase. I recommend setting a firmware password that you’ll remember easily — and write it down somewhere safe as well.

Disabling Find My Mac Intentionally -- Now imagine that you’ve just bought a used Mac on eBay, and the previous user didn’t disable Find My Mac. Although that was most likely an oversight, that setting would enable them to lock or erase the Mac at any time, so you’ll want to turn off Find My Mac yourself. Resetting NVRAM will do the job without having to ask for help from the seller.

For Mac sysadmins who are getting multiple Macs back from users — graduating students or departing employees, perhaps — who may have turned on Find My Mac, resetting NVRAM from the keyboard for each Mac might be onerous. Happily, there is a command-line workaround published by Mac sysadmin Clayton Burlison — just enter these two commands or make them part of your imaging script:

nvram -d fmm-computer-name
nvram -d fmm-mobileme-token-FMM
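For a sysadmin taking Macs back, the more useful first step is the audit rather than the deletion: which returned machines still carry the Find My Mac variables the article names, and which lack the firmware password the article says is the only thing that keeps an NVRAM reset from clearing them. The following script is an added example, not from the article or from Clayton Burlison's imaging script. It parses text in the format that nvram -p prints (one name, a tab, then the value per line) and the "Password Enabled: Yes/No" line that firmwarepasswd -check prints on a real Mac; the sample dumps are constructed, the token value is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a Mac for Find My Mac enrolment and firmware-password state
# by parsing the text that `nvram -p` and `firmwarepasswd -check` print.
# Function names and sample data are constructed for this example.

# Return 0 if the nvram dump ($1) contains the Find My Mac token variable, 1 otherwise.
fmm_enrolled() {
  printf '%s\n' "$1" | grep -q '^fmm-mobileme-token-FMM[[:space:]]'
}

# Print the computer name Find My Mac recorded in NVRAM (empty if absent).
fmm_computer_name() {
  printf '%s\n' "$1" | awk -F'\t' '$1 == "fmm-computer-name" { print $2 }'
}

# Return 0 if the `firmwarepasswd -check` output ($1) reports a password, 1 otherwise.
fw_password_set() {
  printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'
}

# One-line summary suitable for a fleet report.
audit_report() {
  nvram_dump="$1"
  fw_check="$2"
  if fmm_enrolled "$nvram_dump"; then
    fmm="enrolled as '$(fmm_computer_name "$nvram_dump")'"
  else
    fmm="not enrolled"
  fi
  if fw_password_set "$fw_check"; then
    fw="set"
  else
    fw="NOT set (an NVRAM reset would clear Find My Mac)"
  fi
  printf 'Find My Mac: %s; firmware password: %s\n' "$fmm" "$fw"
}

# Constructed sample inputs (not captured from a real Mac).
# The token is a placeholder; a real one is an opaque blob.
NVRAM_ENROLLED="$(printf 'SystemAudioVolume\t%%80\nfmm-computer-name\tReturned MacBook Pro\nfmm-mobileme-token-FMM\tPLACEHOLDER-TOKEN-BLOB\n')"
NVRAM_CLEAN="$(printf 'SystemAudioVolume\t%%80\nboot-args\t\n')"
FWPW_YES="Password Enabled: Yes"
FWPW_NO="Password Enabled: No"

# On a real Mac, feed the live output instead:
#   audit_report "$(nvram -p)" "$(sudo firmwarepasswd -check)"
audit_report "$NVRAM_ENROLLED" "$FWPW_NO"
audit_report "$NVRAM_CLEAN" "$FWPW_YES"
```

Run it on each returned Mac before touching NVRAM: a machine that reports "enrolled" still belongs to someone's iCloud account and can be locked or erased remotely until the variables are cleared, while a machine reporting "firmware password: NOT set" is one where Command-Option-P-R alone would drop Find My Mac.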

It’s a little distressing that Find My Mac is so easily circumvented, but at least setting a firmware password addresses the problem for those who are concerned. Ideally, Apple would tweak things in Sierra so the Find My Mac data was stored in both NVRAM and on disk, perhaps in the Recovery volume, so neither resetting NVRAM nor booting from another disk would be sufficient to disable it.


Comments about Disable Find My Mac by Resetting NVRAM

Will Mayall  2016-07-22 11:43
A terrific and comprehensive description of the value of Find My Mac, how it works, and the issue. Thanks!
Adam Engst (TidBITS staff)  2016-07-22 14:05
And thank you for the heads-up on this - I was surprised that it's been around for so long without more publicity.
Chris Saldanha  2016-07-22 13:13
If Apple can disable the firmware password, that means there's a hole in the security -- what stops the thief from following the same procedure that Apple would?
Adam Engst (TidBITS staff)  2016-07-22 14:06
Presumably just some sort of special knowledge that only service personnel can get easily. In other words, a firmware password isn't meant as a last line of defense, just another obstacle.
Firitia  2016-07-25 01:27
Only authorised Apple service providers can ask Apple and they have to show a customer's proof of ownership.
Kevin Ryan  2016-07-26 09:38
Thanks Adam! This was all news to me and good to know information.

Cheers,
Kevin Ryan
James Katt  2016-07-29 00:22
A firmware password and full disk encryption essentially bricks your Mac if it is stolen.
artMonster  2016-08-01 00:46
Just getting around to reading this. Why not just set the firmware password the same as your regular login password? Less likely to ever forget what it is, and no less secure overall.
Anonymous  2016-09-09 00:58
Couldn't someone just use an exploit like Thunderstrike with the right payload to get around even the firmware passwords?