The Find My service _MUST_ be disabled. A Mobile Device Management (MDM) solution _MUST_ be used to carry out remote locking and wiping instead of Apple's Find My service. Apple's Find My service uses a personal AppleID for authentication. Organizations should rely on MDM solutions, which have much more secure authentication requirements, to perform remote lock and remote wipe.
This is implemented by a Configuration Profile. mobileconfig profile info: com.apple.applicationaccess: allowFindMyDevice: False allowFindMyFriends: False com.apple.icloud.managed: DisableFMMiCloudSetting: True