Apple ID and Configuration Profiles

gracoat
New Contributor

Hello!  I have a fleet of Macs that are school-owned, and since they're managed and stored here in the school I have the AppleID System Pref blocked by creating a restriction in the configuration profiles. If a student clicks the "Apple ID" button in System Prefs (settings) they get a screen that says, "Blocked by administrator" or something to that effect.

It's been working great!

Until a student inadvertently found their way around it.

Said student, in Safari, went to iCloud.com and logged in with their personal AppleID. Safari detected that they were indeed logging in with a valid ID and a popup appeared saying "Would you like to use this AppleID on your Mac?" Of course the student hit okay, then was presented with a Username and Password dialogue box into which they typed a correct password, and voila! Now the student "owns" the computer.

Thankfully, the student is cool and came to me to tell me what happened. But in order for me to remove the AppleID from the computer, I have to remove the configuration profile first.  Not the end of the world, but it sure would be nice if that whole process could be blocked in the future.

Thoughts?

3 REPLIES

PaulHazelden
Valued Contributor

I use...

defaults write /Library/Preferences/com.apple.systempreferences.plist DisabledPreferencePanes -array-add "com.apple.preferences.AppleIDPrefPane"

And it totally kills access to the Preference pane. It shows up as greyed out. Any time something directs you there it will also fail to work. Give that a test and see if it works for you.
Simply run once at device set up and forget about it.

 

gracoat
New Contributor

Unfortunately, Safari still detects that a user is trying to log into their iCloud account and offers up a dialogue box for users to enter their iCloud info into.  When they hit "Okay" the configuration file is written without ever opening the System Pref Pane.

Note, we're using macOS 13.x.x on the affected computers, if that matters.

Ashok_A
Contributor

@gracoat - Have you tried restricting the Internet Accounts option via the Restrictions payload? I had the same scenario where users aren't allowed to use the Apple ID on company-owned Macs for many security reasons to keep the company data safe. Users were able to use and add their Apple ID when they signed in to iCloud.com / FaceTime / iMessage / Contacts / Calendars, and the Internet Accounts option accidentally added their account to the device.

I have restricted the Internet Accounts option from System Settings using the Restrictions payload and it works.
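
Added example, not written by any poster in this thread: a small audit that flags the situation described above, where the Apple ID pane is disabled but an iCloud account is signed in anyway. The pane identifier and the system preferences path come from the `defaults` command posted earlier; the per-user `MobileMeAccounts.plist` location and its `Accounts`/`AccountID` layout are assumptions about where macOS records signed-in iCloud accounts.

```python
import plistlib
from pathlib import Path

# Pane identifier and preference file taken from the defaults command in the thread.
APPLE_ID_PANE = "com.apple.preferences.AppleIDPrefPane"
SYSPREFS_PLIST = Path("/Library/Preferences/com.apple.systempreferences.plist")
# Assumption (not from the thread): signed-in iCloud accounts are recorded in this
# per-user file as an "Accounts" array whose entries carry an "AccountID".
ACCOUNTS_REL = Path("Library/Preferences/MobileMeAccounts.plist")


def load_plist(path):
    """Return the parsed plist as a dict, or {} if missing, unreadable or malformed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # missing file, permission error, or corrupt plist
        return {}
    return data if isinstance(data, dict) else {}


def pane_disabled(sysprefs_path=SYSPREFS_PLIST):
    """True if the Apple ID pane is listed in DisabledPreferencePanes."""
    panes = load_plist(sysprefs_path).get("DisabledPreferencePanes", [])
    return isinstance(panes, list) and APPLE_ID_PANE in panes


def signed_in_accounts(users_root="/Users"):
    """Map each home folder name to the iCloud account IDs recorded in it."""
    found = {}
    for home in sorted(Path(users_root).glob("*")):
        accounts = load_plist(home / ACCOUNTS_REL).get("Accounts", [])
        if not isinstance(accounts, list):
            continue
        ids = [a.get("AccountID", "<unknown>") for a in accounts if isinstance(a, dict)]
        if ids:
            found[home.name] = ids
    return found


def audit(sysprefs_path=SYSPREFS_PLIST, users_root="/Users"):
    """Summarise pane state and flag the bypass: pane blocked, account present."""
    accounts = signed_in_accounts(users_root)
    blocked = pane_disabled(sysprefs_path)
    return {"pane_disabled": blocked, "accounts": accounts,
            "bypass_suspected": blocked and bool(accounts)}


if __name__ == "__main__":
    print(audit())
```

Run it as root so every home folder is readable; the result can feed an inventory field so affected Macs show up without waiting for a student to report it.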