Posted on 05-07-2023 10:03 PM
Hello Everyone,
Is it possible to forbid the user from logging in with his private Apple ID?
I already found a script to find out which Apple ID is logged in, but we want to restrict it so that the user is only allowed to log in with the company Apple ID...
Thanks in advance.
Posted on 05-07-2023 10:55 PM
I've the same question.
We tried disabling the "Apple ID Preference Pane" from Jamf using a configuration profile.
But we are still looking for more options.
Thank you.
Posted on 05-07-2023 11:24 PM
How did you do that? Does it work?
Posted on 05-07-2023 11:29 PM
We tried this and it works,
Posted on 05-08-2023 10:28 AM
I too have this restriction enabled; however, users still log in in some half-formed way. Even though the panel is restricted, there are some apps that prompt for Apple ID login, I'm guessing the messaging app or something else, and it half signs them in. I don't know exactly how they do this. I have asked and gotten a "what's that" and legitimately believe them because that's a normal answer. However, I am not trying to go around asking and then it's known they can achieve this in some unapproved way.
Posted on 08-10-2023 08:14 AM
Hi,
I was struggling the last few days with the same. On our side we had an additional CP for restricting changes to the computer name (this because the Jamf Pro built-in feature for this stopped working with Ventura).
The first one for: com.apple.loginwindow
The second one for: com.apple.systempreferences
This problem with the computer name was also discussed here in the forum.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UseComputerNameForComputerRecordName</key>
    <false/>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DisabledSystemSettings</key>
    <array>
        <string>com.apple.Sharing-Settings.extension</string>
    </array>
</dict>
</plist>
However, this helped with the issue with the computer name, but it also enabled, or better explained, disabled the restriction for the Apple ID pane we had configured earlier.
It took some weeks after I started to find some users who had registered an Apple ID. So I started to search for a solution. I discovered today that the additional workaround CP for the computer name restriction is no longer needed.
So today I was able to find the solution for us:
Maybe this helps you a little bit. Also, if you do not have an additional CP for the computer name, try once to unscope the CP for the Apple ID restriction and scope it back.
Posted on 05-07-2023 11:48 PM
Yes, it's an option to deny use of Apple ID? But I want to activate it, and the user should only be allowed to use the company ID... If I restrict it like your idea, then the user can't use any IDs, right?
Posted on 05-07-2023 11:54 PM
05-08-2023 05:32 AM - edited 05-08-2023 05:33 AM
@user-LYBGeLSLLt There is currently no mechanism to restrict the domain used to sign in to Apple ID. If that would be useful to your org, file feedback with Apple. In the meantime you'll need to monitor the ID used to sign in and notify users that aren't compliant. Here's an EA that will report the ID used (I didn't write it, but my notes don't have a record of who did):
#!/bin/sh
result="<result>None</result>"
## Get the console user (ignoring the login window)
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
## Read the AccountID from that user's MobileMeAccounts.plist
## (path quoted; errors suppressed when the plist does not exist)
iCloudAccount=$( defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts 2>/dev/null | grep AccountID | cut -d '"' -f 2 )
if [ -n "$iCloudAccount" ]; then
    result="<result>$iCloudAccount</result>"
fi
echo "$result"
Posted on 05-08-2023 06:12 AM
Thank you very much, I already have this script :)
So there isn't another way than manually contacting the user :)
Thank you very much
Posted on 05-08-2023 06:50 AM
@user-LYBGeLSLLt You could set up a Smart Group that uses the result of that EA to automate notifications to the user they're not using a valid Apple ID for your organization, but in terms of blocking them from doing that in the first place, no, there's no mechanism for doing that at this time.
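A Smart Group criterion is easier to write against a fixed status than against a raw e-mail address, so the following is an added example (not code from this thread or from Jamf) of an EA that reports Managed, Personal or None. ALLOWED_DOMAIN, the function names and the sample `defaults` output are assumptions; it reads the same MobileMeAccounts.plist as the EA posted above.

```shell
#!/bin/sh
# Added example: classify the signed-in Apple ID for a Smart Group criterion.
# ALLOWED_DOMAIN is a placeholder (lowercase); set it to your organization's domain.
ALLOWED_DOMAIN="example.com"

# Constructed sample of `defaults read .../MobileMeAccounts.plist Accounts`.
SAMPLE='(
        {
        AccountDSID = 1234567890;
        AccountID = "jane.doe@icloud.com";
    }
)'

# Pull every AccountID value out of `defaults read` output on stdin.
extract_account_ids() {
    awk -F'"' '/AccountID[[:space:]]*=/ { print $2 }'
}

# Exact, case-insensitive match on the domain after "@"; look-alike
# suffixes such as example.com.evil.org are treated as personal.
classify_apple_id() {
    id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$id" in
        "") echo "None" ;;
        *@"$ALLOWED_DOMAIN") echo "Managed" ;;
        *) echo "Personal" ;;
    esac
}

# Reduce a list of IDs (one per line) to one status; any personal ID wins.
summarize() {
    status="None"
    while IFS= read -r id; do
        case "$(classify_apple_id "$id")" in
            Personal) status="Personal"; break ;;
            Managed) status="Managed" ;;
        esac
    done
    echo "$status"
}

if command -v scutil >/dev/null 2>&1; then
    user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    plist="/Users/$user/Library/Preferences/MobileMeAccounts.plist"
    status=$(defaults read "$plist" Accounts 2>/dev/null | extract_account_ids | summarize)
else
    # Not on macOS: classify the constructed sample instead.
    status=$(printf '%s\n' "$SAMPLE" | extract_account_ids | summarize)
fi
echo "<result>$status</result>"
```

A Smart Group can then use the criterion "is Personal" on this EA to scope the notification policy.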
Posted on 08-23-2023 10:38 AM
This doesn't work on Ventura, just as an FYI - seems the pref. plist is different now.
Posted on 08-28-2023 06:56 AM
Came here to say this. Don't suppose you found a replacement by any chance?
08-28-2023 07:31 AM - edited 08-28-2023 07:34 AM
Yes! Worked on this over the weekend. Essentially found another plist in the system library. This could prove problematic if there's more than one user per device but we don't have those scenarios. It checks for that new plist and if it doesn't find it, goes on to check for the mobileme plist (we still have a few folks on Monterey).
Edit: I use this script as an extension attribute but can be modified to use as needed :D
Posted on 05-09-2023 06:53 AM
We would pop a message on any students in that group that weren't logged into their district managed Apple ID and just badger them until they would switch.
Posted on 04-05-2024 11:08 AM
Hello - can you provide the script for this: I already found a script to get out which AppleID is logged in.
I would like to know who/which Apple ID is being used if any.
Posted on 04-05-2024 03:12 PM
Would this work? I haven't tested yet:
#!/bin/bash
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    userHome=$(dscl . read /Users/"$user" NFSHomeDirectory | sed 's/NFSHomeDirectory://' | grep "/" | sed 's/^[ \t]*//')
    appleid=$(dscl . readpl "${userHome}" dsAttrTypeNative:LinkedIdentity appleid.apple.com:linked\ identities:0:full\ name 2> /dev/null | awk -F'full name: ' '{print $2}')
    if [[ "${appleid}" == "" ]]; then
        echo "User:${user} has not signed in with an Apple ID"
    else
        echo "User:${user} is signed in with AppleID:${appleid}"
    fi
done
Found in: https://www.hexnode.com/mobile-device-management/help/script-to-fetch-the-apple-ids-of-users-on-mac/
Posted on 04-07-2024 06:47 PM
@ganidran That script doesn't work (at least running on macOS Sonoma). It just returns a not signed in result for all users.
Posted on 04-08-2024 08:39 AM
Good call! I finally got a chance to test it too and got the same results sadly.
I ended up modifying this guy to output the email another way and my testing worked on Sonoma and Big Sur but no tests on versions in between them. Big Sur is the only other OS I have on hand haha. Hope that helps!