Skip to main content
Solved

Allowing iMessage and connecting AirPods

  • December 22, 2023
  • 4 replies
  • 30 views
N
Forum|alt.badge.img+3

Hello everyone,

I am wondering what they proper way is to set up the following....

I'd like to allow folks to login with their personal Apple IDs to use iMessage and to be able to connect their AirPods to their MacOS computers but then restrict everything else in iCloud (iCloud Photos, iCloud Drive, Find My, etc.). I see where you can apply iCloud restrictions via Configuration Profile but not sure if applying these also conflict with allowing the aforementioned items I'd like to leave open. 

Thanks in advance.

Best answer by AJPinto

Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with AppleIDs and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them. 

 

As far as iMessage, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc, but want to give them access to a peer to peer encrypted messaging client with no journaling options that supports drag and drop of attachment to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an AppleID. 

    4 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • Answer
    • December 22, 2023

    Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with AppleIDs and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them. 

     

    As far as iMessage, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc, but want to give them access to a peer to peer encrypted messaging client with no journaling options that supports drag and drop of attachment to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an AppleID. 

    howie_isaacks
    N
    N
    Forum|alt.badge.img+3
    • nelsonsaenz
    • Author
    • New Contributor
    • December 22, 2023

    You solved most of my concerns with the AirPods not needing an Apple ID to connect to a computer. Appreciate the clarification! 

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • December 22, 2023

    You solved most of my concerns with the AirPods not needing an Apple ID to connect to a computer. Appreciate the clarification! 


    woot. got to love the easy way out. They only want the AppleID to smart swap between devices, but have no need for an AppleID to just pair up and be used.

    N
    N
    Forum|alt.badge.img+3
    • nelsonsaenz
    • Author
    • New Contributor
    • December 22, 2023

    woot. got to love the easy way out. They only want the AppleID to smart swap between devices, but have no need for an AppleID to just pair up and be used.


    Thanks again, that will be very useful to know as I continue planning out the restrictions I put in place. 

    Terms & ConditionsCookie settingsAccessibility statement