How do I toggle this feature off or prevent it from being toggled on? I went to reset the user's password via Recovery Setup Options; the user had logged into a personal Apple ID when the MacBook was issued but didn't remember the password. FileVault is enabled and we escrow those PRKs, but it wasn't until after the user reset their Apple ID password and logged in with it on the recovery side before the system would even allow me to put in the escrowed PRK. We don't manage Apple IDs; I really don't see the point in them if they can't purchase anything through them. Yes, I've had a VPP setup for years, but there are those few who like to connect their watches and such. Any advice would be welcomed.
Apple does not allow for the granular management of Apple IDs like you are wanting/needing. It's all or nothing. If you are not issuing managed Apple IDs, I suggest restricting the Apple ID preference pane and all the apps (like Mail) that let you log in with an Apple ID.