Jamf Nation Community

wstewart3 · ‎11-04-2014

Ran across this article:
http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/

And we are discussing if this is enough of a reason to lock down iCloud on our apple products. I am looking through casper to see what we can do.

From what I can tell, we have two options:
Either restrict iCloud

Or diable autosaves from the iCloud settings.
We need to disable Autosave in:
System Preferences > iCloud > Documents & Data

The best way I can see to do this is to go into "Managed Preferences" -> "System Preferences" -> "Manual Setting". This asks for a key and a value and I am not quite sure where to find these values out. Could someone give me some guidance?

Look · ‎11-04-2014

Not quite what your after, but in 10.9 or earlier at least this will disable the prompt new users get to setup iCloud.
We have it in the first run script.
It doesn't disable it as such, just stops it being setup by default if the user has and enters an Apple ID.

defaults write /System/Library/User Template/Non_localized/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE

wstewart3 · ‎11-05-2014

Thanks for the info! We may do that in the future but I am currently a little more worried about people currently using iCloud.

I guess the better question is:
When you go into Managed Preferences ->System Preferences -> Manual Setting

It asks for a "Key" and a "value" and I guess the default value there is com.apple.systempreferences

What is the best way to go about finding these values and their keys? There must be some trick for identifying them. Anyone have any ideas?

mm2270 · ‎11-05-2014

We block iCloud access from a network level and then block access to the iCloud System preference pane so users can't set it up. Unfortunately, Apple has integrated iCloud so deep into the OS that there are numerous ways a user can set it up right from contact menus, without even needing to go into the Pref Pane. Its a bit of a pain, and there are few effective ways to completely block it.

As for the keys you're referring to, just set the setting up on a test Mac and then locate the preference file that got modified and examine it to see what was added. You may need to do it several times. First time to see what plist gets modified, second time to do a before and after capture of the plist to see what's being added or changed. I haven't looked into it, so I can't say exactly what gets set.

Look · ‎11-05-2014

You could use composer with a new&modified snapshot to find the plist files being modified when you make the change.
Textwrangler and a few other nice text editors will show you the contents of the plist and you can probably locate the setting there, usually they are fairly logically named, although textwrangler has a live refresh so if you have the plist open you will see the changes being made when you click back to it as soon as you modify the setting.
Then use a completely custom Managed Preferences entry to modify the exact plist and value you want...

grahamfw · ‎11-18-2014

I think I've found a way to do it with SQL. It looks like (at least for Mavericks, haven't tested this with Yosemite yet) that the value exists in the TCC.db located in ~/Library/Application Support/com.apple.TCC .

Again, for Mavericks, it's in the access table:

service,client,client_type,allowed,prompt_count,csreq
kTCCServiceUbiquity,com.apple.TextEdit,0,0,1,NULL

You'll want to set the 'allowed' value to 0 to block it, which you can do with sqlite3 (this is user specific, so maybe use the full path):

sudo sqlite3 ~/Library/Application Support/com.apple.TCC/TCC.db "UPDATE access SET allowed = '0' WHERE service = 'kTCCServiceUbiquity' and client = 'com.apple.TextEdit';"

That will run without ill effects if iCloud is not yet enabled since if no rows meet that criteria, nothing will get updated.

EDIT: This appears to work the same in Yosemite as well.

Jamf Nation Community

Disabling iCloud setting?