Allowing iMessage and connecting AirPods

nelsonsaenz
New Contributor II

Hello everyone,

I am wondering what the proper way is to set up the following:

I'd like to allow folks to log in with their personal Apple IDs to use iMessage and to be able to connect their AirPods to their macOS computers, but then restrict everything else in iCloud (iCloud Photos, iCloud Drive, Find My, etc.). I see where you can apply iCloud restrictions via a Configuration Profile, but I'm not sure if applying these also conflicts with allowing the aforementioned items I'd like to leave open.

Thanks in advance.

AJPinto
Honored Contributor III

Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with Apple IDs, and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them.

As far as iMessage, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc., but want to give them access to a peer-to-peer encrypted messaging client with no journaling options that supports drag-and-drop of attachments to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an Apple ID.

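One practical check on the "limit the blast radius" advice above is to audit what a restrictions profile actually leaves enabled, since any iCloud restriction key that is missing from the payload is treated as allowed. The following is an added example (not from this thread or from Jamf): it parses a constructed .mobileconfig with Python's plistlib and reports which iCloud services remain allowed. The key names are Apple's `com.apple.applicationaccess` restriction keys; the sample profile and the service list are assumptions for illustration and do not cover every iCloud feature (Find My and iMessage have no key in this list).

```python
# Added example, not code from the thread or from Jamf. Key names are Apple's
# com.apple.applicationaccess restriction keys; the profile below is constructed.
import plistlib

# A restriction key that is absent from the profile is treated by the OS as
# allowed, so an audit must report missing keys, not only keys set to false.
ICLOUD_KEYS = {
    "allowCloudPhotoLibrary": "iCloud Photos",
    "allowCloudDocumentSync": "iCloud Drive",
    "allowCloudDesktopAndDocuments": "Desktop & Documents sync",
    "allowCloudKeychainSync": "iCloud Keychain",
    "allowCloudAddressBook": "Contacts",
    "allowCloudCalendar": "Calendar",
    "allowCloudMail": "Mail",
    "allowCloudNotes": "Notes",
    "allowCloudReminders": "Reminders",
    "allowCloudBookmarks": "Safari bookmarks",
}

# Constructed sample: blocks Photos and Drive but is silent about the rest.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.icloud.restrictions</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>PayloadIdentifier</key><string>example.icloud.restrictions.access</string>
    <key>allowCloudPhotoLibrary</key><false/>
    <key>allowCloudDocumentSync</key><false/>
    <key>allowCloudKeychainSync</key><true/>
  </dict></array>
</dict></plist>"""


def icloud_services_allowed(profile_bytes: bytes) -> dict:
    """Return {service: allowed} for every known iCloud key, merging all
    applicationaccess payloads in the profile. Missing keys count as allowed."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            settings.update({k: v for k, v in payload.items() if k in ICLOUD_KEYS})
    return {name: bool(settings.get(key, True)) for key, name in ICLOUD_KEYS.items()}


def still_allowed(profile_bytes: bytes) -> list:
    """Services the profile leaves enabled, sorted for stable output."""
    return sorted(s for s, ok in icloud_services_allowed(profile_bytes).items() if ok)
```

Running `still_allowed(SAMPLE_PROFILE)` on the sample shows that eight of the ten listed services survive a profile that only names Photos and Drive, which is the kind of gap the answer above is warning about.
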
nelsonsaenz
New Contributor II

You solved most of my concerns with the AirPods not needing an Apple ID to connect to a computer. Appreciate the clarification!

AJPinto
Honored Contributor III

Woot. Got to love the easy way out. They only want the Apple ID to smart-swap between devices, but have no need for an Apple ID to just pair up and be used.

nelsonsaenz
New Contributor II

Thanks again, that will be very useful to know as I continue planning out the restrictions I put in place.