Help

Apple iCloud on company managed Mac's

YLIL
New Contributor III

Sunday

Hi All,

We have company managed Macs with Jamf. We do have sensitive company data on the computers which we do not allow to be transferred out of the company environment. We block the use of external storages.

If we allow users to connect their Apple id's and iCloud, will they be able to transfer company data from the computer to their iCloud?

Is there anything we can do to prevent this? Maybe block their iCloud somehow? Any suggestions?

Thanks in advance

Reply
5 REPLIES 5

agungsujiwo
Contributor II

Sunday

Hi @YLIL ,

Block iCloud Drive via Configuration Profile 

  • In Jamf Pro, create a Configuration Profile with the following restrictions:
    • Restrictions > Functionality

Disable iCloud Drive
iCloud Restrictions.png


0 Kudos
Reply

YLIL
New Contributor III
In response to agungsujiwo

Sunday

Thanks @agungsujiwo 

Are there other ways the user could transfer information by connecting their Apple id if iCloud is blocked?

0 Kudos
Reply

agungsujiwo
Contributor II
In response to YLIL

yesterday

Potential Data Transfer Methods :

  1. AirDrop
  2. iMessage & Mail
  3. Handoff & Universal Clipboard
  4. Apple Notes & Reminders Sync
  5. Personal App Store Purchases & Third-Party Cloud Apps,

A user can download apps like Dropbox, Google Drive, OneDrive from the Mac App Store or the web to transfer data.

     6. Sidecar (iPad as a Second Display),

Users could display confidential data on an iPad and take screenshot.

  1. Screenshot dan Screen Recording
  2. Bluetooth File Sharing
  3. File Sharing via macOS Sharing Services
  4. Upload  Personal Cloud via Web Browser

   11. Remote Desktop



0 Kudos
Reply

AJPinto
Esteemed Contributor

Sunday

Unless you are allowing BYOD, you don't want to allow the use of personal Apple Accounts. These are organizationally owned devices and need to be used as such. If you want to allow the use of Apple Accounts, use Managed Apple Accounts. 

 

Even with MDM controls over preventing copying data to iCloud, that does not prevent other exfiltration methods like iMessage, AitDrop, or even emails. The amount of mitigating controls to allow personal Apple Accounts securely is significant. 

Reply

sdagley
Esteemed Contributor II
In response to AJPinto

Sunday

Let's all hope that this year's release of macOS Whatchamacallit finally brings the ability to limit what domain can be used to sign in with an Apple Account on MDM enrolled Macs. It boggles my mind in all the time that Apple has offered Managed Apple IDs/Accounts that that limitation still isn't available.

Reply