Forbid private AppleID on Company Mac

user-LYBGeLSLLt
New Contributor II

Hello Everyone,

Is it possible to forbid the user to log in with his private Apple ID?
I already found a script to find out which Apple ID is logged in, but we want to restrict it so that the user is only allowed to log in with the company Apple ID...

Thanks in advance.


Vinyboy
New Contributor III

I have the same question.
We tried disabling the "Apple ID Preference Pane" from Jamf using a configuration profile.

But still looking for more option.
Thank you.

How did you do that? Does it work?

We tried this and it works.

(Attached screenshot: Disbale - Apple ID.JPG)

Levi_
Contributor II

I too have this restriction enabled; however, users still log in in some half-formed way. Even though the panel is restricted, there are some apps that prompt for Apple ID login (I'm guessing the Messages app or something else) and it half signs them in. I don't know exactly how they do this; I have asked and gotten a "what's that?" and legitimately believe them, because that's a normal answer. However, I am not trying to go around asking and then have it be known that they can achieve this in some unapproved way.

Hi,
I was struggling with the same thing the last few days. On our side we had an additional CP for restricting changing the computer name (because the Jamf Pro built-in feature for this stopped working with Ventura).
The first one for: com.apple.loginwindow
The second one for: com.apple.systempreferences
This problem with the computer name was also discussed here in the forum.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"> 
<dict>
<key>UseComputerNameForComputerRecordName</key>
<false/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"> 
<dict>
<key>DisabledSystemSettings</key>
<array>
<string>com.apple.Sharing-Settings.extension</string>
</array>
</dict>
</plist>

However, this helped with the computer name issue, but it also, or better explained, disabled the restriction for the Apple ID pane we had configured earlier.
It took some weeks before I started to find some users who had registered an Apple ID. So I started to search for a solution. I discovered today that the additional workaround CP for the computer name restriction is no longer needed.

So today I was able to find the solution for us:

  1. Unscope the CP for the computer name restriction
  2. Wait until it is removed from the MacBooks
  3. Unscope the CP restriction for the Apple ID pane
  4. Wait until it is removed
  5. Scope the Apple ID pane restriction CP back

Maybe this helps you a little bit. Also, when you do not have an additional CP for the computer name, try once to unscope the CP for the Apple ID restriction and scope it back.


user-LYBGeLSLLt
New Contributor II

Yes, it's an option to deny use of Apple ID? But I want to activate it and the user should only be allowed to use the company ID... If I restrict it like your idea, then the user can't use any IDs, right?

sdagley
Esteemed Contributor II

@user-LYBGeLSLLt There is currently no mechanism to restrict the domain used to sign in to Apple ID. If that would be useful to your org file feedback with Apple. In the meantime you'll need to monitor the ID used to sign in and notify users that aren't compliant. Here's an EA that will report the ID used (I didn't write it, but my notes don't have a record of who did):


#!/bin/sh

# Default EA result when no iCloud account is found for the console user
result="<result>None</result>"

## Get the currently logged-in console user (ignores the loginwindow pseudo-user)
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

## Read the AccountID (the Apple ID e-mail) from that user's MobileMeAccounts.plist
iCloudAccount=$( defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts 2>/dev/null | grep AccountID | cut -d '"' -f 2)

if [ -n "$iCloudAccount" ]; then
    result="<result>$iCloudAccount</result>"
fi

echo "$result"


Thank you very much, I already have this script :)
So there isn't another way other than contacting the user manually :)

Thank you very much

sdagley
Esteemed Contributor II

@user-LYBGeLSLLt You could set up a Smart Group that uses the result of that EA to automate notifications to the user they're not using a valid Apple ID for your organization, but in terms of blocking them from doing that in the first place, no, there's no mechanism for doing that at this time.
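Putting the two suggestions above together (report the ID via an EA, then let a Smart Group act on the result), here is an added example that is not from this thread: an EA that classifies the signed-in Apple ID by exact domain so the Smart Group can match on a simple Compliant/NonCompliant value. The company domain is an assumed placeholder, and the plist read is the same MobileMeAccounts.plist approach as the EA above, so it inherits that EA's OS limitations.

```shell
#!/bin/sh
# Added example (not from the thread): classify the signed-in Apple ID by its
# domain so a Jamf Smart Group can key off the EA result.
COMPANY_DOMAIN="example.com"   # assumption: replace with your org's Apple ID domain

# classify_apple_id ID DOMAIN -> prints one of: None | Compliant:<id> | NonCompliant:<id>
# Exact, case-insensitive match on the part after the last '@', so that
# "user@evil-example.com" or "user@example.com.attacker.net" never pass.
classify_apple_id() {
    id=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$id" ]; then
        echo "None"
        return 0
    fi
    case "$id" in
        *@*) domain=${id##*@} ;;
        *)   echo "NonCompliant:$id"; return 0 ;;   # not an e-mail style ID
    esac
    if [ "$domain" = "$want" ]; then
        echo "Compliant:$id"
    else
        echo "NonCompliant:$id"
    fi
}

# read_icloud_account USERNAME -> the first AccountID in MobileMeAccounts.plist,
# using the same defaults/grep approach as the EA earlier in the thread.
read_icloud_account() {
    plist="/Users/$1/Library/Preferences/MobileMeAccounts.plist"
    [ -f "$plist" ] || return 0
    defaults read "$plist" Accounts 2>/dev/null | grep AccountID | head -n 1 | cut -d '"' -f 2
}

# EA body: only runs on macOS (scutil present); stays inert when sourced elsewhere.
if command -v scutil >/dev/null 2>&1; then
    loggedInUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    verdict=$(classify_apple_id "$(read_icloud_account "$loggedInUser")" "$COMPANY_DOMAIN")
    echo "<result>$verdict</result>"
fi
```

A Smart Group with the criterion "EA value like NonCompliant" then drives the notification policy, and "None" separates not-signed-in Macs from non-compliant ones.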

ganidran
New Contributor III

This doesn't work on Ventura, just as an FYI - seems the pref plist is different now.

spesh
New Contributor III

Came here to say this. Don't suppose you found a replacement by any chance? 

ganidran
New Contributor III

Yes! Worked on this over the weekend. Essentially found another plist in the system library. This could prove problematic if there's more than one user per device but we don't have those scenarios. It checks for that new plist and if it doesn't find it, goes on to check for the mobileme plist (we still have a few folks on Monterey).

Edit: I use this script as an extension attribute but can be modified to use as needed :D

GabeShack
Valued Contributor III

We would pop a message to any students in that group who weren't logged into their district-managed Apple ID and just badger them until they would switch.

Gabe Shackney
Princeton Public Schools

mrrobertbuss
Contributor

Hello - can you provide the script for this: I already found a script to get out which AppleID is logged in.

I would like to know who/which Apple ID is being used if any. 

Would this work? I haven't tested yet:

#!/bin/bash
# Iterate over local user accounts with UID >= 500 (i.e. real users, not service accounts)
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    # Resolve the user's home directory from the local directory service
    userHome=$(dscl . read /Users/"$user" NFSHomeDirectory | sed 's/NFSHomeDirectory://' | grep "/" | sed 's/^[ \t]*//')
    # Pull the linked Apple ID "full name" out of the LinkedIdentity attribute
    appleid=$(dscl . readpl "${userHome}" dsAttrTypeNative:LinkedIdentity appleid.apple.com:linked\ identities:0:full\ name 2> /dev/null | awk -F'full name: ' '{print $2}')
    if [[ "${appleid}" == "" ]]; then
        echo "User:${user} has not signed in with an Apple ID"
    else
        echo "User:${user} is signed in with AppleID:${appleid}"
    fi
done

Found in: https://www.hexnode.com/mobile-device-management/help/script-to-fetch-the-apple-ids-of-users-on-mac/

sdagley
Esteemed Contributor II

@ganidran That script doesn't work (at least running on macOS Sonoma). It just returns a not signed in result for all users.

ganidran
New Contributor III

Good call! I finally got a chance to test it too and got the same results, sadly.

I ended up modifying this guy to output the email another way, and my testing worked on Sonoma and Big Sur, but no tests on versions in between them. Big Sur is the only other OS I have on hand, haha. Hope that helps!