How to restrict to only signing in with Managed Apple ID - Catalina

hunter990
Contributor

Maybe I missed it, but after doing a bunch of digging I'm not sure how you limit signing in to iCloud to only a Managed Apple ID in Catalina. I have even looked at the beta version and didn't see how to restrict it. Just digging into this to see if it is a viable option. I don't see Catalina only allowing me to sign in with a Managed Apple ID on a system that is managed by Jamf. If this is the case, it seems like a security issue.

7 REPLIES

nelsoni
Contributor III

You cannot limit macOS to only allow logins from Managed Apple IDs. This is not an option on iOS either.

hunter990
Contributor

And that's what's disappointing. For good security it should be possible to limit this on a managed system via MDM. I'll put in a feature request with Apple, but at this time I don't see Notes or the other options being available for us here. I will test Handoff to see if that allows Sidecar for those that do have the devices.

FYI, to make this clear. I don't want this for logging into the system. I only want this for logging into iCloud. If the system is managed that should be able to be limited via MDM.

GabeShack
Valued Contributor III

I'm also looking for a way to lock them into their Managed Apple IDs once they are signed in.
When we handed out 1-to-1 devices we had each student sign into their Managed Apple ID, and I wish it would then lock them in so they can't switch their iCloud account to a personal one, since we are using Apple Classroom on Macs. It looks like this is a feature in restrictions on iOS but not on the Mac.

Gabe Shackney
Princeton Public Schools

eissey
New Contributor II

@GabeShack Where is this iOS restriction in Jamf?

GabeShack
Valued Contributor III

@eissey 

I believe it's in the "allow changes to accounts" restriction, which then blocks them from signing out of it, I think. Sorry I haven't had time to look for it again lol. With this one-to-one we are all pretty underwater right now.

Gabe Shackney
Princeton Public Schools

sdagley
Esteemed Contributor II

I think the only current option would be to have an EA that looks up the Apple ID in use and a Smart Group that checks it against your MAID domain. Membership in that group can either trigger an email when a Mac isn't in compliance or a Policy that puts up a really annoying compliance reminder on every check-in until it is corrected (or both).

GabeShack
Valued Contributor III

@sdagley EA attached in case anyone needs it also in this thread:

#!/bin/sh
## Get the user who owns the console (returns "root" at the login window)
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
plist="/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"

## Read the AccountID of the signed-in iCloud account; silence the error
## defaults prints when the plist does not exist (user never signed in)
icloudaccount=$(/usr/bin/defaults read "$plist" Accounts 2>/dev/null | /usr/bin/grep AccountID | /usr/bin/cut -d '"' -f 2)

if [ -z "$icloudaccount" ]
then
    echo "<result>Null</result>"
else
    echo "<result>$icloudaccount</result>"
fi

Now to find a solution for the annoying compliance reminder. I figure something using an open of /System/Library/PreferencePanes/AppleIDPrefPane.prefPane/ at each check-in until they sign into their account.

Gabe Shackney
Princeton Public Schools

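The check sdagley describes (an EA that reports the signed-in Apple ID, and a Smart Group that compares it with the MAID domain) can be done in one step by having the EA itself classify the account, so the Smart Group only needs to match on the result prefix. The script below is an added example written for this thread, not code from the original posts or from Jamf or Apple. It assumes a placeholder managed domain of example.edu (set MANAGED_DOMAIN to your own), parses the same MobileMeAccounts.plist the EA above reads, and includes constructed sample output from `defaults read` so the parsing and classification can be exercised off a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Extension Attribute that reports
# whether the iCloud account of the console user belongs to the Managed Apple ID
# domain. MANAGED_DOMAIN is an assumed placeholder; set it to your MAID domain.
MANAGED_DOMAIN="${MANAGED_DOMAIN:-example.edu}"

# Constructed sample of `defaults read .../MobileMeAccounts.plist Accounts`
# output (not captured from a real Mac), used for offline testing only.
SAMPLE_MANAGED='(
        {
        AccountDescription = iCloud;
        AccountID = "Student@Example.edu";
        LoggedIn = 1;
    }
)'
SAMPLE_PERSONAL='(
        {
        AccountDescription = iCloud;
        AccountID = "kid@icloud.com";
        LoggedIn = 1;
    }
)'

# stdin: `defaults read` output; stdout: one AccountID per line (quoted or not).
extract_account_ids() {
    sed -n 's/^[[:space:]]*AccountID = "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# $1: account id (may be empty), $2: managed domain.
# Prints NoAccount, Managed:<id> or Personal:<id>. The comparison is
# case-insensitive and anchored at the '@', so x@evil-example.edu is Personal.
classify_account() {
    account=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$account" ]; then
        echo "NoAccount"
        return
    fi
    case "$account" in
        *@"$domain") echo "Managed:$account" ;;
        *)           echo "Personal:$account" ;;
    esac
}

# $1: managed domain; stdin: `defaults read` output.
# Prints the EA <result> line, one classification per signed-in account.
build_result() {
    domain="$1"
    ids=$(extract_account_ids)
    if [ -z "$ids" ]; then
        printf '<result>NoAccount</result>\n'
        return
    fi
    out=""
    for id in $ids; do   # AccountIDs contain no whitespace, so splitting is safe
        out="${out:+$out, }$(classify_account "$id" "$domain")"
    done
    printf '<result>%s</result>\n' "$out"
}

# Real EA path: only runs on macOS. At the login window the console owner is
# root, which has no MobileMeAccounts.plist and therefore reports NoAccount.
if [ "$(uname)" = "Darwin" ]; then
    loggedInUser=$(/usr/bin/stat -f '%Su' /dev/console)
    plist="/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"
    if [ -f "$plist" ]; then
        /usr/bin/defaults read "$plist" Accounts 2>/dev/null | build_result "$MANAGED_DOMAIN"
    else
        printf '<result>NoAccount</result>\n'
    fi
fi
```

With this EA in place, the Smart Group criterion is simply "EA result is like Personal:" (anyone signed into a non-MAID account) or "is NoAccount" (nobody signed in yet), and the compliance-reminder Policy can be scoped to either group. Note that the plist only records what the user is currently signed into; it does not prevent them from signing out, so the reminder Policy is still needed.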