Force Logout of iCloud

Contributor II

Hello All,


I've seen some older posts on here in regards to logging users out of their iCloud account but can't get them working as of right now.


We are looking to disable iCloud across our org, but some users are logged in. I've tested disabling iCloud via a config profile, which works, but doesn't log anyone out of iCloud that's already logged in.


Does anyone have a working script that logs a user out of their iCloud account?




Valued Contributor II

Not sure there is one these days... We use a dialog, repeating daily, then more often.. and a smart group and config profile that blocks it when it's not logged in. That gets most... then it's a quiet word for the remaining.

Esteemed Contributor II

@MPL It's been a while since I looked at this, but when I was working on disabling iCloud services via a Restrictions payload (not turning off the services but simply disabling the UI for the service), I did not find a way to sign the user out without requiring user interaction. My guess is this is still the case, so you'll need an EA like the one below to find users who are signed in to an Apple ID and use it as a Smart Group criterion to scope a Policy to notify users they need to log out.


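#!/bin/bash
# EA - Get Apple ID

## Get logged in Apple ID user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Read the AccountID from the user's iCloud account plist (errors suppressed if the plist does not exist)
iCloudAccount=$( defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts 2>/dev/null | grep AccountID | cut -d '"' -f 2 )

# Report the Apple ID when one is found, otherwise a fixed string for Smart Group criteria
if [ -n "$iCloudAccount" ]; then
    result="$iCloudAccount"
else
    result="Not signed in"
fi

echo "<result>$result</result>"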

Honored Contributor III

You can block the iCloud services with MDM, but there is no way to force log a user out. Honestly, Apple's entire management of Apple IDs on devices is absolutely miserable. This is an Apple gap, not Jamf, and I cannot stress enough: submit Apple Feedback on this.


Product Feedback - Apple

New Contributor III

I would like to block the ability of an end user to create an Apple ID. We don't want personal Apple IDs on our corporate devices. What would be the best way to do this? I tried Restrictions but don't know the app name for this. I know I can restrict the Apple Store but I need full blockage of creating an account. Preferably the block should happen during enrollment. Any ideas?

Valued Contributor II

disable in prestage - block via restrictions config profile - done 

use app restrictions to kill App Store

New Contributor III

Apple ID creation in prestage is disabled.

App Store is restricted.

IDK how to "block via restrictions config profile" - any help here with this config profile? 


Valued Contributor II

the restrictions profile is something we all love to hate.. due to all the settings it pushes.. but blocking Apple ID is one of many parts




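#!/bin/bash
# Get the user currently logged in at the console
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
# Home folder of that user (assumes the default /Users location)
homeFolder="/Users/$currentUser"

# Delete account rows whose username looks like an e-mail address
/usr/bin/sqlite3 "$homeFolder/Library/Accounts/Accounts4.sqlite" "DELETE FROM ZACCOUNT WHERE ZUSERNAME LIKE '%@%'"
exit 0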

New Contributor III

I receive this error message on 3 macs: 

Script result: Error: unable to open database "/Users/robert.buss/Library/Accounts/Accounts4.sqlite": authorization denied