Enable managed AppleID sign in at setup only.

New Contributor

Appologies if this has already been addressed however after a bit of a search through the messages I am strugling to find an answer to the following scenario. 


I am using JamfPro to setup and manage new company iPhones with the intention of providing staff with a work tool that is locked down for business with apps etc being pushed centrally to the devices. It is intended that Managed Apple ID's are being used to enable staff to use imessage. 


The area that I am struggling with is getting the users to be able to log into their managed ID's at the enrollment stage, prior to the configurations kicking in and preventing account modifications.


Witin PreStage Enrollments I have left  'Apple ID and iCloud' as a Setup Assistant Option, however devices are skipping past the question.


The only work around I have found is to remove the configuration restriction for Modifying Account Settings to enable sign in and then to restrict them once more, which is less than ideal.


I feel like I am missing an obvious solution somewhere along the line.


Thanks in advance for any wisdom provided



Contributor II

You should be able to create a Smart Group with the criteria "iTunes Store Account" is "Active", and then assign the restrictions profile to that group.

New Contributor

Thanks for the response, I'll give it a try

New Contributor II

We are having a similar issue. When functionality restrictions restrict "modifying account settings" the prestage setup assistant option for "Apple ID and iCloud" is not displayed even though it is the only option we have unchecked. When "modifying account settings" is allowed, the setup assistant option IS displayed during enrollment. We do not have "install configuration profiles before setup assistant" selected in the profile because we don't want the profile to enforce any restrictions prior to the "setup Assistant" precisely because we do want students to login to their Managed AppleID before the modifying account settings restriction kicks in.

What am I missing?


In the meantime we deploy the iPads with "modifying account settings" allowed and are forced to then manually run an inventory check which we've designed to pick up a passcode and then deploy another config that restricts the "modifying account settings". Hardly a no-touch solution and quite cumbersome.