Allowing iMessage and connecting AirPods

nelsonsaenz
New Contributor II

Hello everyone,

I am wondering what they proper way is to set up the following....

I'd like to allow folks to login with their personal Apple IDs to use iMessage and to be able to connect their AirPods to their MacOS computers but then restrict everything else in iCloud (iCloud Photos, iCloud Drive, Find My, etc.). I see where you can apply iCloud restrictions via Configuration Profile but not sure if applying these also conflict with allowing the aforementioned items I'd like to leave open. 

Thanks in advance.

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with AppleIDs and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them. 

 

As far as iMessage, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc, but want to give them access to a peer to peer encrypted messaging client with no journaling options that supports drag and drop of attachment to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an AppleID. 

View solution in original post

4 REPLIES 4

AJPinto
Honored Contributor II

Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with AppleIDs and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them. 

 

As far as iMessage, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc, but want to give them access to a peer to peer encrypted messaging client with no journaling options that supports drag and drop of attachment to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an AppleID. 

nelsonsaenz
New Contributor II

You solved most of my concerns with the AirPods not needing an Apple ID to connect to a computer. Appreciate the clarification! 

AJPinto
Honored Contributor II

woot. got to love the easy way out. They only want the AppleID to smart swap between devices, but have no need for an AppleID to just pair up and be used.

nelsonsaenz
New Contributor II

Thanks again, that will be very useful to know as I continue planning out the restrictions I put in place.