Posted on 12-06-2013 12:39 PM
Hello all and thanks for taking the time to assist or be assisted from the response to this post. As we are moving toward rolling out Mavericks our security team has informed me that we need to disable the ability of our users to use Keychain in the Cloud feature of iCloud. I would like to be able to still allow our users to enable iCloud and use the other features that go along with it, just to disable the new keychain feature that is available in Mavericks. Has anyone else out there been tasked with this? I know multiple ways to disable the use and/or access to iCloud in Sys Prefs, but was hoping to keep some of the functionality that is still on the safer side of everyday functions.
Posted on 01-25-2014 06:12 PM
Still looking down the surgical path, I moved the following file into a .zip file:
/System/Library/PrivateFrameworks/CloudServices.framework/XPCServices/com.apple.lakitu.xpc/Contents/MacOS/com.apple.lakitu
This caused activating Keychain Sync to authenticate with an Apple ID, prompt for a security code, and ask for a phone number that can receive SMS messages. However, the return code never shows up on the phone.
And Keychain Access launches and tests fine.
Again, I agree with C0n0r that surgery is not desirable, but I also know that those to whom we answer tend to prefer it.
We will still be looking at using the /private/etc/hosts file, as well as the PF firewall for several levels of managerial happiness.
Posted on 01-27-2014 04:51 PM
While setting this up in the hosts file, and running Wireshark to test, it turns out I needed to add in lines for p*-keyvalueservice.icloud.com as well, not just the escrowservice. With just the escrowservice url redirected, it looks as if the iCloud keychain still works - I haven't tested this fully yet.
Posted on 01-28-2014 08:04 AM
Thanks for reporting this as I haven't run Wireshark to fully test this yet. However, looking at the MobileMeAccounts.plist it looks like the 'p*-keyvalueservice.icloud.com' is associated with the Back to My Mac service. Can you confirm this was not enabled when you ran Wireshark?
Posted on 01-28-2014 02:58 PM
Correct, BTMM is off - but I want to block that as well, so it works out for me in the end.
This is what I see when enabling iCloud Keychain:
external image link
If I just block the escrowservice.icloud.com URL, then the iCloud Keychain still goes through the motions without error (asks me for my Apple ID, asks me to enter a 4 digit PIN, etc) so it would seem that it works ok. I don't really have a spare Mac at the moment to test to see if I can actually download the contents of my keychain.
If I block the keyvalueservice.icloud.com URL as well, I get an error when enabling Keychain saying "iCloud Keychain couldn't be set up because there was a problem communicating with iCloud."
Posted on 01-29-2014 06:48 AM
Thanks for sharing that info. Definitely good to know!
Posted on 02-03-2014 10:09 AM
My EA showed a false positive. Looking by Service number won't be accurate depending on what services are in use. Here's an updated one that seems to work:
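#!/bin/sh
# Extension attribute: report the Enabled state of the KEYCHAIN_SYNC iCloud service.
# User currently logged in at the console
currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
# Find KEYCHAIN_SYNC by name in the first account's Services and keep its Enabled line
Keychain=$( /usr/libexec/PlistBuddy -c "Print Accounts:0:Services" "/Users/$currUser/Library/Preferences/MobileMeAccounts.plist" | grep -a1 KEYCHAIN_SYNC | grep Enabled )
echo "<result>$Keychain</result>"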
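Added example, not part of the thread or any poster's code: the same check done by parsing the plist and matching the service by name, generalized to every account rather than only Accounts:0. The Accounts -> Services -> Name/Enabled layout is an assumption inferred from the PlistBuddy path and grep above; the sample plist, its OTHER_SERVICE entry and the function name are constructed for illustration.

```python
import plistlib
import sys

# Constructed sample; layout is an assumption inferred from the script above.
# KEYCHAIN_SYNC is deliberately not the first service, so an index-based
# lookup would read the wrong entry.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>Accounts</key><array>
  <dict><key>AccountID</key><string>user@example.com</string>
  <key>Services</key><array>
    <dict><key>Name</key><string>OTHER_SERVICE</string><key>Enabled</key><false/></dict>
    <dict><key>Name</key><string>KEYCHAIN_SYNC</string><key>Enabled</key><true/></dict>
  </array></dict>
</array></dict></plist>"""


def keychain_sync_status(plist_bytes, service="KEYCHAIN_SYNC"):
    """Return 'Enabled', 'Disabled', 'Not Configured' or 'Unreadable'."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        # Damaged or non-plist content: report it instead of an empty result.
        return "Unreadable"
    accounts = data.get("Accounts", []) if isinstance(data, dict) else []
    found = False
    for account in accounts:
        if not isinstance(account, dict):
            continue
        for svc in account.get("Services", []):
            if isinstance(svc, dict) and svc.get("Name") == service:
                found = True
                if svc.get("Enabled") is True:
                    return "Enabled"
    # Service listed but off in every account, or never listed at all.
    return "Disabled" if found else "Not Configured"


if __name__ == "__main__":
    # Pass the path to a MobileMeAccounts.plist, or run with no argument
    # to evaluate the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_PLIST
    print("<result>%s</result>" % keychain_sync_status(raw))
```
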