New config profile to ONLY block AppleID/Internet accounts setting in Ventura

AVmcclint
Honored Contributor

I am starting to hate macOS Ventura with a passion. Our users who are moving forward with Ventura are being prompted to log in to their AppleIDs after they log in to the computer. It's a Notification that pops up in the upper right. The choices are to either click on the button in the notification that will take you to the AppleID login or you can click on the X... that also takes you to the AppleID login. We absolutely do not want our users logging in with their AppleIDs. I can't figure out how to stop this notification so I figured I could do a Config Profile that ONLY blocks access to the AppleID setting and/or the Internet Accounts setting. We are already using a config profile with the Restrictions settings configured. In theory I could just check the boxes to hide those, but we have a number of Macs that already have FindMyMac enabled and I really need users to disable that before I block their access to do so. So I thought maybe I can create a new profile in JamfPro that only contains that setting and scope that to Macs that don't have FindMyMac enabled, but it appears that you can't do that without redoing the entire profile to avoid conflicts with our existing Restrictions profile. I know iMazing Profile Editor has the ability to be granular with settings. I found the setting in iMazing Profile Editor, so I enabled it and uploaded it to our JamfPro instance and pushed it to a Mac but it failed to block anything.

Does anyone know of a way to properly build a Config Profile that ONLY blocks the AppleID and Internet Accounts settings?

5 REPLIES

sdagley
Esteemed Contributor II

@AVmcclint Did you restart after installing the profile created by iMazing? Some of the restrictions payloads don't take effect until after a restart.

AVmcclint
Honored Contributor

I did, with no change. When I looked closer at Profile Editor a few minutes ago, I saw it had a tiny warning symbol next to the System Preferences settings. It indicates that blocking System Preferences is deprecated. I really hope this isn't true. We have legitimate reasons for blocking some settings - even from admin users. 

daniel_behan
Contributor III

This could be due to TouchID needing use of iCloud Keychain for passkeys, which is part of macOS Ventura and iOS 16.  TouchID for unlocking screensaver or even ApplePay doesn't require an AppleID, but storing a passkey to sync across multiple devices will.

AVmcclint
Honored Contributor

I just saw this in iMazing Profile Editor when trying to find a way to block FindMyMac. 

[Screenshot: Screen Shot 2023-02-10 at 8.50.33 AM.png]

So it looks like Apple is not going to let us block the things that matter the most to us.

How is everyone else dealing with users who enable FindMyMac then either forget their passwords or leave the company and we have to get the computer repaired? 

sdagley
Esteemed Contributor II

@AVmcclint If you set "Prevent user from enabling Activation Lock" in your PreStage Enrollment configuration that should prevent FMM from preventing re-enrollment.

And have you reviewed https://learn.jamf.com/en-US/bundle/technical-articles/page/Leveraging_Apples_Activation_Lock_Featur... ? My org prevents users from enabling Activation Lock, so I don't see the bypass code for user-initiated activation lock it references, but I do see the Activation Lock Bypass section in a computer record's Management tab.