Posted on 11-10-2021 10:55 AM
I know there have been some conversations regarding a possible restriction for iCloud where you can only sign in with a corporate/managed Apple ID. My question is whether there is a way to stop the user from even logging out once signed in to any iCloud/Apple ID account. Would it work to just make them do so, then disable iCloud altogether?
11-11-2021 08:44 AM - edited 11-11-2021 08:44 AM
@matt_wiese I had to do something similar when the Activation Lock feature came out. I ended up disabling all iCloud services (Find My Mac most importantly), then I sent a user interaction policy that opened the Apple ID preference pane. The notification kept popping up until they complied.
Posted on 11-11-2021 08:54 AM
@bwoods I like that approach given current limitations posed by macOS. Would it be appropriate to ask to see your user interaction policy?
Posted on 11-11-2021 09:07 AM
The policy was deleted long ago, but I still have references to the script. You should be able to add this to the Files and Processes payload:
open /System/Library/PreferencePanes/InternetAccounts.prefPane
Posted on 11-11-2021 09:11 AM
You'll also want to disable all of the listed items with a configuration profile: New > Restrictions > Functionality.
Posted on 11-11-2021 10:03 AM
Please forgive the continued questions.
If I have this right, that command was configured to just execute within the Files and Processes policy payload (maybe scoped to a Smart Group), so they would log in to iCloud to get it to stop appearing. And the iCloud services would be restricted.
This doesn't lock in the iCloud account that is signed in, though, right? We're essentially trying to find a way to block the use of non-managed iCloud accounts / Apple IDs, and we were looking at effectively "locking" iCloud once they're signed in as kind of a workaround.
Posted on 11-11-2021 10:41 AM
1. This is basically opening Internet Accounts for them so that they can sign out of iCloud. Apple has made it impossible to force a user out of their iCloud account via script or configuration profile. You're basically annoying the user into submission.
2. If you disable all of the services, they will be less inclined to even want to use iCloud anymore. Once you have your managed Apple ID, you can turn the restriction off.
3. For my project, I created an extension attribute to find who had Find My Mac enabled. For this, you would need one to see who's logged into iCloud. Once the EA has run through your fleet, you can create a smart group.
Posted on 11-11-2021 10:45 AM
Something like this should help you build your EA, but you can look all around Jamf Nation or the MacAdmins Slack to find something that will eventually work: Find out who is signed in to iCloud and with what ... - Jamf Nation Community - 231071
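For the extension attribute @bwoods describes in points 3 and in the follow-up (who is signed in to iCloud, and whether Find My Mac is on), here is an added example of one way to write it. It is not code from this thread or from the linked Jamf Nation post. It assumes, without confirmation from the thread, that macOS keeps the per-user iCloud state in ~/Library/Preferences/MobileMeAccounts.plist with the keys Accounts[].AccountID, LoggedIn and Services[].{Name,Enabled}, with the Find My Mac service named "FMM"; the function names parse_icloud_state and icloud_ea, and the sample plist, are mine.

```shell
#!/bin/bash
# Added example (not from this thread): a Jamf extension attribute that reports
# which Apple ID is signed in to iCloud for the console user and whether the
# Find My Mac (FMM) service is enabled, so a smart group can target those Macs.
#
# Assumption (not confirmed by the thread): iCloud sign-in state is stored per
# user in ~/Library/Preferences/MobileMeAccounts.plist as
#   Accounts[] -> AccountID, LoggedIn, Services[] -> { Name, Enabled }
# with the Find My Mac service named "FMM". Check against a test Mac before
# relying on these key names.

# parse_icloud_state: read plist XML on stdin and print one line:
#   "<AccountID> FMM=on|off"  when an account is logged in
#   "none"                    when no account is logged in
# Pure awk so the logic can be exercised anywhere with a constructed plist;
# on a Mac the XML comes from `plutil -convert xml1 -o -`.
parse_icloud_state() {
  awk '
    BEGIN { depth = 0; acct = ""; logged = 0; fmm = 0 }
    # plist keys are sorted, so Enabled precedes Name inside a service dict:
    # remember both per nesting level and decide when that dict closes.
    /<\/dict>/ { if (name[depth] == "FMM") fmm = en[depth]; depth--; next }
    /<dict>/   { depth++; name[depth] = ""; en[depth] = 0; next }
    /<key>/ {
      sub(/^[ \t]*<key>/, ""); sub(/<\/key>.*$/, ""); key = $0; next
    }
    key == "AccountID" && /<string>/ {
      sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, ""); acct = $0; key = ""; next
    }
    key == "LoggedIn" && /<true\/>/  { logged = 1; key = ""; next }
    key == "LoggedIn" && /<false\/>/ { logged = 0; key = ""; next }
    key == "Name" && /<string>/ {
      sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, ""); name[depth] = $0; key = ""; next
    }
    key == "Enabled" && /<true\/>/  { en[depth] = 1; key = ""; next }
    key == "Enabled" && /<false\/>/ { en[depth] = 0; key = ""; next }
    END {
      if (acct == "" || !logged) print "none"
      else print acct " FMM=" (fmm ? "on" : "off")
    }
  '
}

# Constructed sample (not captured from a real Mac) for exercising the parser.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key>
      <string>jdoe@example.com</string>
      <key>LoggedIn</key>
      <true/>
      <key>Services</key>
      <array>
        <dict>
          <key>Enabled</key>
          <true/>
          <key>Name</key>
          <string>FMM</string>
        </dict>
        <dict>
          <key>Enabled</key>
          <false/>
          <key>Name</key>
          <string>CLOUDDESKTOP</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>'

# icloud_ea: the extension attribute body; Jamf stores whatever is inside
# <result>. With nobody at the console (root/loginwindow) the plist path does
# not exist and the EA reports "none".
icloud_ea() {
  console_user=$(stat -f "%Su" /dev/console)
  plist="/Users/$console_user/Library/Preferences/MobileMeAccounts.plist"
  if [ -f "$plist" ]; then
    result=$(plutil -convert xml1 -o - "$plist" | parse_icloud_state)
  else
    result="none"
  fi
  echo "<result>$result</result>"
}

# The Mac-specific part only runs on macOS; elsewhere the parser can be
# checked with: printf '%s\n' "$SAMPLE_PLIST" | parse_icloud_state
if [ "$(uname)" = "Darwin" ]; then
  icloud_ea
fi
```

Set the EA data type to String; a smart group with the criterion "is not none" then collects every Mac with a signed-in Apple ID, and "like FMM=on" narrows it to the ones that still have Find My Mac turned on. On Intel Macs, `nvram -p | grep fmm-mobileme-token-FMM` is another commonly used Find My Mac indicator if you want a second signal that does not depend on the plist layout.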