disabling iCloud logOUT

matt_wiese
New Contributor III

I know there have been some conversations regarding a possible restriction for iCloud where you can only sign in with a corporate/managed Apple ID. My question is whether there is a way to disable the user from even logging out once signed in to any iCloud/Apple ID account. Would it work to just make them do so, then disable iCloud altogether?


bwoods
Valued Contributor

@matt_wiese I had to do something similar when the activation lock feature came out. I ended up disabling all iCloud services (Find My Mac most importantly), then I sent a user interaction policy that opened the Apple ID preference pane. The notification kept popping up until they complied.

matt_wiese
New Contributor III

@bwoods I like that approach given current limitations posed by macOS. Would it be appropriate to ask to see your user interaction policy?

bwoods
Valued Contributor

The policy was deleted long ago, but I still have references to the script. You should be able to add this to the Files and Processes payload.

open /System/Library/PreferencePanes/InternetAccounts.prefPane

bwoods
Valued Contributor

You'll also want to disable all of the listed items with a configuration profile. New>Restrictions>Functionality.

[attachment: bwoods_0-1636650698090.png]

matt_wiese
New Contributor III

Please forgive the continued questions:

If I have this right, that command was configured to just execute within the Files and Processes policy payload (maybe scoped to a Smart Group), so they would log in to iCloud to get it to stop appearing. And the iCloud services would be restricted.

This doesn't lock in their iCloud account that is signed in though, right? We're essentially trying to find a way to block the use of non-managed iCloud / AppleIDs and we were looking at effectively "locking" iCloud once they're signed in as kind of a workaround.

bwoods
Valued Contributor

1. This is basically opening Internet Accounts for them so that they can sign out of iCloud. Apple has made it impossible to force a user out of their iCloud account via script or configuration profile. You're basically annoying the user into submission.

2. If you disable all of the services, they will be less inclined to even want to use iCloud anymore. Once you have your managed Apple ID, you can turn the restriction off.

3. For my project, I created an extension attribute to find who had Find My Mac enabled. For this, you would need one to see who's logged into iCloud. Once the EA has run through your fleet, you can create a Smart Group.

bwoods
Valued Contributor

Something like this should help you build your EA, but you can look all around Jamf Nation or the MacAdmins Slack channel to find something that will eventually work: Find out who is signed in to iCloud and with what ... - Jamf Nation Community - 231071
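One way to build the extension attribute described above, as an added example rather than the script from this thread or the linked Jamf Nation post. It assumes the iCloud sign-in is recorded in the per-user MobileMeAccounts.plist under an `AccountID` key that `defaults read` prints as `AccountID = "...";`; the sample `defaults` output is constructed for testing the parser.

```shell
#!/bin/sh
# Added example, not the script from this thread or the linked post: a Jamf
# extension attribute that reports which iCloud account the console user is
# signed in to, so a Smart Group can scope the "sign out" nag policy to them.
# Assumption: the sign-in is stored in the per-user MobileMeAccounts.plist under
# Accounts -> AccountID, which `defaults read` prints as `AccountID = "...";`.

PLIST_REL="Library/Preferences/MobileMeAccounts.plist"

# Constructed sample of `defaults read <plist> Accounts` output, for testing the parser.
SAMPLE_DEFAULTS_OUTPUT='(
        {
        AccountDescription = iCloud;
        AccountID = "user@example.com";
        LoggedIn = 1;
    }
)'

# Read `defaults read` output on stdin; print the first AccountID, or "none".
icloud_account_from_defaults() {
    acct=$(sed -n 's/^[[:space:]]*AccountID = "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' | head -n 1)
    if [ -n "$acct" ]; then printf '%s\n' "$acct"; else printf 'none\n'; fi
}

# Wrap a value in the <result> tags Jamf expects from an extension attribute.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Whoever owns /dev/console is the user at the GUI session (macOS only).
current_console_user() {
    stat -f %Su /dev/console 2>/dev/null
}

main() {
    user=$(current_console_user)
    case "$user" in ""|root|_mbsetupuser) ea_result "no console user"; return 0 ;; esac
    home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    plist="${home:-/Users/$user}/$PLIST_REL"
    if [ ! -f "$plist" ]; then ea_result "none"; return 0; fi
    # No entries here means the user has signed out; a populated AccountID is a sign-in.
    ea_result "$(defaults read "$plist" Accounts 2>/dev/null | icloud_account_from_defaults)"
}

# Run the EA body only on macOS; elsewhere (e.g. when tested) just define the functions.
if [ "$(uname)" = "Darwin" ]; then main; fi
```

Scope the Internet Accounts nag policy to a Smart Group whose criterion is this EA not equal to "none", and it stops on its own once the user signs out and the next inventory update runs.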