I'm experiencing an issue with iCloud restrictions not being enforced. Curious if anyone else has encountered this issue? The goal is to disable: iCloud Drive, Desktop & Documents sync, Keychain, Photos, Bookmarks, and Find My.
The issue appears when a user logs into iCloud for the first time on a newly-enrolled Mac. The restriction profiles are confirmed to be installed prior to a user signing into iCloud, but iCloud Drive and Desktop & Documents are set to enabled and able to be manipulated by the user in System Preferences. The remaining iCloud restrictions will sometimes be enforced, other times will be user adjustable. (Observed in macOS 11.4; the issue does not appear in 10.15.7.)
I have 6 individual signed profiles uploaded to Jamf (one for each restriction). If a Mac is logged into iCloud with those services already enabled, the profiles are immediately enforced and the services become unchecked and greyed-out in System Preferences (which is the desired behavior).
I have created a new test profile where all iCloud restriction payloads are under a single profile (instead of split up amongst 6). That seems to be enforced for users that have not yet logged into iCloud in 11.4, and for existing iCloud users as well.
Anyone else run into this?
@daniel_ross @carlos_velle The only thing that has consistently enforced the iCloud restrictions for us is to proceed with bundling all of the iCloud restrictions under a single profile (which is kind of the opposite of what I do for all other profile payloads).
The problem has continued through 11.6 and continues in the Monterey betas as well. Here's mine: https://github.com/ducksrfr/mac_admin/blob/master/profiles/disable_icloud_services.mobileconfig
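A way to check a set of exported profiles for the layout the thread settles on, where all six iCloud restrictions are disabled inside one profile. This is an added example, not code from either poster or from the linked repository. It assumes unsigned `.mobileconfig` plists and an assumed mapping of `com.apple.applicationaccess` key names to the six services, which should be confirmed against your own profile; the sample profiles are constructed.

```python
import plistlib

# Assumed mapping of com.apple.applicationaccess keys to the six services in
# the thread; confirm the key names against your own exported profile.
REQUIRED = {
    "allowCloudDocumentSync": "iCloud Drive",
    "allowCloudDesktopAndDocuments": "Desktop & Documents",
    "allowCloudKeychainSync": "Keychain",
    "allowCloudPhotoLibrary": "Photos",
    "allowCloudBookmarks": "Bookmarks",
    "allowCloudFMM": "Find My",
}

def make_profile(keys):
    """Build a constructed, unsigned sample profile that disables the given keys."""
    payload = {"PayloadType": "com.apple.applicationaccess"}
    payload.update({k: False for k in keys})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})

def disabled_keys(profile_bytes):
    """Return the REQUIRED keys explicitly set to false in one profile."""
    profile = plistlib.loads(profile_bytes)
    found = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        # Only an explicit <false/> counts; an absent key restricts nothing.
        found |= {k for k in REQUIRED if payload.get(k) is False}
    return found

def audit(profiles):
    """profiles maps file name to raw bytes. Reports which profiles carry all
    six restrictions and which services no profile disables at all."""
    per_profile = {name: disabled_keys(data) for name, data in profiles.items()}
    covered = set().union(*per_profile.values())
    return {
        "bundled_in": sorted(n for n, k in per_profile.items() if k == set(REQUIRED)),
        "missing": sorted(REQUIRED[k] for k in set(REQUIRED) - covered),
    }

if __name__ == "__main__":
    # Layout from the first post: six profiles, one restriction each.
    split = {f"{k}.mobileconfig": make_profile([k]) for k in REQUIRED}
    # Layout from the reply: every restriction in a single profile.
    single = {"disable_icloud.mobileconfig": make_profile(list(REQUIRED))}
    print("split :", audit(split))
    print("single:", audit(single))
```

An empty `bundled_in` with an empty `missing` is the split layout from the first post: every service is covered, but no single profile carries all six.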