Jamf Nation Community

MPL · 3 weeks ago

Hello All,

I've seen some older posts on here in regards to logging users out of their iCloud account but can't get them working as of right now.

We are looking to disable iCloud across our org, but some users are logged in. I've tested disabling iCloud via a config profile, which works, but doesn't log anyone out of iCloud that's already logged in.

Does anyone have a working script that logs a user out of their iCloud account?

jamf-42 · 3 weeks ago

Not sure there is one these days... We use a dialog, repeating daily, then more often.. and a smart group and config profile that blocks it when its not logged in. That gets most... then its a quiet word for the remaining.

sdagley · 3 weeks ago

@MPL It's been a while since I looked at this, but when I was working on disabling iCloud services via a Restrictions payload not turning off the services but simply disabling the UI for the service I did not find a way to sign the user out without requiring user interaction. My guess is this is still the case so you'll need an EA like the one below to find users who are signed in to an Apple ID and use it as a Smart Group criteria to scope a Policy to notify users they need to log out.

#!/bin/sh

# EA - Get Apple ID

result="None"

## Get logged in Apple ID user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

iCloudAccount=$(defaults read /Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist Accounts | grep AccountID | cut -d '"' -f 2)

if [ -n "$iCloudAccount" ]; then
    result="$iCloudAccount"
fi

echo "<result>$result</result>"

AJPinto · 3 weeks ago

You can block the iCloud services with MDM, but there is no way to force log a user out. Honestly, Apples entire management of AppleID's on devices is absolutely miserable. This is an Apple gap, not Jamf, and I cannot stress enough submit Apple Feedback on this.

Product Feedback - Apple

mrrobertbuss · 2 weeks ago

I would like to block the ability of an end user from creating an Apple ID. We don't want personal Apple ID's on our corporate devices. What would be the best way to do this? I tried Restrictions but don't know the app name for this. I know I can restrict the Apple Store but I need full blockage of creating an account. Preferably the block should happen during enrollment. Any ideas?

jamf-42 · 2 weeks ago

disable in prestage - block via restrictions config profile - done

use app restrictions to kill App Store

mrrobertbuss · 2 weeks ago

Apple Id creation is prestage is disabled.

App Store is restricted.

IDK how to "block via restrictions config profile" - any help here with this config profile?

jamf-42 · 2 weeks ago

the restrictions profile is something we all love to hate.. due to all the settings it pushes.. but blocking Apple ID is one of many parts

A_Collins · 2 weeks ago

#!/bin/bash

currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
homeFolder="/Users/$currentUser"

/usr/bin/sqlite3 $homeFolder/Library/Accounts/Accounts4.sqlite "DELETE FROM ZACCOUNT WHERE ZUSERNAME LIKE '%@%'"
exit 0

mrrobertbuss · 2 weeks ago

I receive this error message on 3 macs:

Script result: Error: unable to open database "/Users/robert.buss/Library/Accounts/Accounts4.sqlite": authorization denied

Jamf Nation Community

Force Logout of iCloud