Posted on 03-08-2017 07:42 AM
Is it possible to completely disable iCloud all-together? I know we can disable elements of iCloud in a Configuration Profile, but if we wanted to force-sign-out users from iCloud, then prevent a user from logging into iCloud ever again, can we do this?
Solved! Go to Solution.
Posted on 03-09-2017 01:50 PM
I did a bit of googling and testing and I found a solution on the interwebs. Running the script below will remove the MobileMeAccounts.plist file, which in turn removes the iCloud account from the Mac. Doing that in tandem with disabling iCloud in the system preferences seems to be the most foolproof way to prevent iCloud access. A caveat though is that Find My Mac is still enabled on icloud.com and a user can still remotely lock and wipe a device that they may or may not have access to after exiting a company
#!/bin/bash
# Log out all users from iCloud
ls /Users/ | while read USERS ;
do
if [ -d /Users/$USERS/Library/Preferences/ ];
then
rm /Users/$USERS/Library/Preferences/MobileMeAccounts.plist
fi
done
killall cfprefsd
Posted on 03-08-2017 08:18 AM
I'm not familiar with a complete way to do this (eg sign folks out of iCloud.)
You can use the config profiles in Sierra to block a lot of the functionality.. (but for some reason not syncing photos.. dammit Apple, why?)
You can disable the iCloud preference pane as well.
You can use an EA to detect users that are signed into an iCloud account..
/usr/bin/defaults read $userHOME/Library/Preferences/MobileMeAccounts.plist | grep "AccountID"
and then you can either restrict things to those users, present them with dialogs including steps to remediate, etc.
Or you can go ballistic/nuclear and have your firewall blocked to the Apple range, which will cause a host of other things (such as DEP and Internet Recovery) to not work.
Posted on 03-09-2017 01:50 PM
I did a bit of googling and testing and I found a solution on the interwebs. Running the script below will remove the MobileMeAccounts.plist file, which in turn removes the iCloud account from the Mac. Doing that in tandem with disabling iCloud in the system preferences seems to be the most foolproof way to prevent iCloud access. A caveat though is that Find My Mac is still enabled on icloud.com and a user can still remotely lock and wipe a device that they may or may not have access to after exiting a company
#!/bin/bash
# Log out all users from iCloud
ls /Users/ | while read USERS ;
do
if [ -d /Users/$USERS/Library/Preferences/ ];
then
rm /Users/$USERS/Library/Preferences/MobileMeAccounts.plist
fi
done
killall cfprefsd
Posted on 10-24-2023 02:26 PM
Does this work still with MacOS Ventura or Sonoma?
Posted on 03-09-2017 01:53 PM
Add this to purge the Find My Mac NVRAM token and break the link. Its a good idea to use this in any Imaging setup script which you might have...
/usr/sbin/nvram -d fmm-mobileme-token-FMM
Posted on 05-04-2017 07:50 AM
Tested this script with the latest OSX Sierra, looks like it removes the account from iCloud in the system preferences but not from the internet accounts in system preferences (which is keeping iCloud features running).
Another problem i see is if you remove it while you have any type of iCloud notification (which in my case it was asking to enable two Factor Authentication) it will keep that notification up in system preferences with no way to remove it without adding another account and signing out manually. I assume there is a file that tells system preferences that there is a notification but not sure which file to remove to clear the cache on that.
Side Note: If you manually remove the iCloud account in internet accounts it removes the notification.
Posted on 02-20-2018 03:50 PM
Guys, I have a different problem. My organisation disabled iCloud on my Mac. How to enable it back?
Posted on 12-21-2018 08:31 AM
@Dmitry I guess you'd need to contact your IT staff about that and explain why you need it enabled. They probably didn't disable it just to annoy you; many organizations (mine included) have concerns around iCloud and the potential to sync/extract organizational data out to a 3rd party (particularly since there is no way (that I know of at least) to disable someone's AppleID, since it isn't really tied to the organization directly).
Posted on 07-11-2019 07:04 AM
Is this still valid and can be used to signout users from icloud.
We have enabled the icloud block option in JAMF but that does not signout icloud for the users
Can i use this to force signout of icloud for the users
Also is the applicable to the latest version macos 10.14.5