I've the same question.
We tried disabling "Apple ID Preference Pane" from Jamf using a configuration profile.
But we are still looking for more options.
Thank you.
How did you do that? Does it work?
We tried this and it works,

Yes, it's an option to deny use of Apple ID? But I want to activate it, and the user should only be allowed to use the company ID... if I restrict it like your idea, then the user can't use any IDs, right?
Did you check this?
https://support.apple.com/guide/apple-business-manager/use-managed-apple-ids-axm78b477c81/web
@user-LYBGeLSLLt There is currently no mechanism to restrict the domain used to sign in to Apple ID. If that would be useful to your org, file feedback with Apple. In the meantime you'll need to monitor the ID used to sign in and notify users that aren't compliant. Here's an EA that will report the ID used (I didn't write it, but my notes don't have a record of who did):
#!/bin/sh
result="<result>None</result>"
## Get logged in iCloud user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
## Read the account ID from that user's iCloud accounts plist
iCloudAccount=$( defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts | grep AccountID | cut -d '"' -f 2)
if [ -n "$iCloudAccount" ]; then
result="<result>$iCloudAccount</result>"
fi
echo "$result"
Thank you very much, I already have this script :)
So there isn't another way than to manually contact the user :)
Thank you very much
@user-LYBGeLSLLt You could set up a Smart Group that uses the result of that EA to automate notifications to the user that they're not using a valid Apple ID for your organization, but in terms of blocking them from doing that in the first place, no, there's no mechanism for doing that at this time.
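The Smart Group approach above needs an EA value that separates managed from unmanaged IDs. The following is an added example, not code from the thread or from Jamf: it classifies the signed-in ID against the placeholder domains in `ALLOWED_DOMAINS`, reads the same `MobileMeAccounts.plist` as the EA earlier in the thread, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example, not from the thread. ALLOWED_DOMAINS holds placeholder domains.
ALLOWED_DOMAINS="example.org students.example.org"

# Read `defaults read ... Accounts` output on stdin, print each AccountID value.
extract_account_ids() {
    grep 'AccountID =' | cut -d '"' -f 2
}

# Classify one Apple ID: exact, case-insensitive match on the part after the
# last "@", so look-alikes such as user@example.org.evil.test do not pass.
classify_apple_id() {
    id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -n "$id" ] || { echo "None"; return 0; }
    case "$id" in
        *@*) domain=${id##*@} ;;
        *)   echo "Unmanaged:$1"; return 0 ;;
    esac
    for allowed in $ALLOWED_DOMAINS; do
        if [ "$domain" = "$allowed" ]; then echo "Managed"; return 0; fi
    done
    echo "Unmanaged:$1"
}

# Build the EA value; the first unmanaged account found decides the result.
ea_result() {
    ids=$(extract_account_ids)
    [ -n "$ids" ] || { echo "<result>None</result>"; return 0; }
    result="Managed"
    for id in $ids; do
        verdict=$(classify_apple_id "$id")
        case "$verdict" in Unmanaged:*) result=$verdict; break ;; esac
    done
    echo "<result>$result</result>"
}

# Constructed sample of the plist output, used when not running on a Mac.
SAMPLE='(
    {
        AccountID = "pat@icloud.com";
        LoggedIn = 1;
    }
)'

if command -v scutil >/dev/null 2>&1; then
    loggedInUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts 2>/dev/null | ea_result
else
    printf '%s\n' "$SAMPLE" | ea_result
fi
```

A Smart Group with the criterion "like Unmanaged" on this EA then collects the devices whose users need a notification.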
I too have this restriction enabled; however, users still log in in some half-formed way. Even though the panel is restricted, there are some apps that prompt for Apple ID login, I'm guessing the messaging app or something else, and it half signs them in. I don't know exactly how they do this. I have asked and gotten a "what's that" and legitimately believe them because that's a normal answer. However, I am not trying to go around asking and then it's known they can achieve this in some unapproved way.
We would pop a message on any students in that group that weren't logged into their district-managed Apple ID and just badger them until they would switch.
Hi,
I was struggling with the same thing for the last few days. On our side we had an additional CP for restricting changes to the computer name (this because the Jamf Pro built-in feature for this stopped working with Ventura).
The first one for: com.apple.loginwindow
The second one for: com.apple.systempreferences
This problem with the computer name was also discussed here in the forum.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>UseComputerNameForComputerRecordName</key>
<false/>
</dict>
</plist>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DisabledSystemSettings</key>
<array>
<string>com.apple.Sharing-Settings.extension</string>
</array>
</dict>
</plist>
This helped with the computer name issue, but it also enabled, or to put it better, disabled the restriction for the Apple ID pane we had configured earlier.
It took some weeks before I started finding users who had registered an Apple ID, so I started to search for a solution. I discovered today that the additional workaround CP for the computer name restriction is no longer needed.
So today I was able to find the solution for us:
- unscope the CP for the computer name restriction
- wait until it is removed from the MacBooks
- unscope the CP restriction for the Apple ID pane
- wait until it is removed
- scope the Apple ID pane restriction CP back
Maybe this helps you a little bit. Also, if you do not have an additional CP for the computer name, try unscoping the CP for the Apple ID restriction once and scoping it back.
This doesn't work on Ventura just as an fyi - seems pref. plist is different now
Came here to say this. Don't suppose you found a replacement by any chance?
Yes! Worked on this over the weekend. Essentially found another plist in the system library. This could prove problematic if there's more than one user per device but we don't have those scenarios. It checks for that new plist and if it doesn't find it, goes on to check for the mobileme plist (we still have a few folks on Monterey).
Edit: I use this script as an extension attribute but can be modified to use as needed :D
Hello - can you provide the script for this: I already found a script to get out which AppleID is logged in.
I would like to know who/which Apple ID is being used if any.
Would this work? I haven't tested yet:
#!/bin/bash
# Loop over local accounts with a UID of 500 or higher
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    # Resolve the account's home directory
    userHome=$(dscl . read /Users/"$user" NFSHomeDirectory | sed 's/NFSHomeDirectory://' | grep "/" | sed 's/^[ \t]*//')
    # Look up the Apple ID linked to the account record
    appleid=$(dscl . readpl "${userHome}" dsAttrTypeNative:LinkedIdentity appleid.apple.com:linked\ identities:0:full\ name 2> /dev/null | awk -F'full name: ' '{print $2}')
    if [[ "${appleid}" == "" ]]; then
        echo "User:${user} has not signed in with an Apple ID"
    else
        echo "User:${user} is signed in with AppleID:${appleid}"
    fi
done
Found in: https://www.hexnode.com/mobile-device-management/help/script-to-fetch-the-apple-ids-of-users-on-mac/
@ganidran That script doesn't work (at least running on macOS Sonoma). It just returns a not signed in result for all users.
Good call! I finally got a chance to test it too and got the same results sadly.
I ended up modifying this guy to output the email another way and my testing worked on Sonoma and Big Sur but no tests on versions in between them. Big Sur is the only other OS I have on hand haha. Hope that helps!