Personal iCloud Account Concerns - iOS

kcasey
New Contributor II

Hello,

Since we began our Middle School 1:1 iPad deployment we have always restricted the use of iCloud due to Activation lock issues.

Next school year I want to let students log into iCloud using their Managed Apple ID to take advantage of the 200GB storage Apple now offers.

Now that there is the ability to prevent activation lock, are there any other concerns/experiences/suggestions regarding if students log into iCloud with a personal account? My first thought is them claiming the device through Find iPhone App?

We also take precaution to disallow the app store and we also restrict non MDM apps/profiles.

Any thoughts? Suggestions? Advice?

Thanks!


seraphina
Contributor II

If your devices are enrolled in DEP, there is an option to prevent Activation Lock from being enabled in the prestage enrollment settings. Additionally, if they are enrolled in DEP you can always generate a bypass code.


kcasey
New Contributor II

Thank you for the response. Have you noticed if there are any issues when users sign in with a personal iCloud account? My main concerns would be getting synced content such as unauthorized game apps or Find iPhone, etc.

seraphina
Contributor II

@kcasey

We have only had an issue with activation locks being enabled.
You could restrict app store to VPP apps only and assign them in Jamf. The problem is with Apple, because when an account logs into iCloud, they treat it as their device, even if it is Institutionally owned. You may need to factory reset them (every semester?) until Apple fixes this.

Is Find my iPhone the same as lost mode? If so you can send MDM commands to turn it off.
What we were doing was signing in with our department's iCloud and then restricting removal/changing of account settings and leaving the app store enabled to not require a password for free apps. The problem comes in when somebody checks it out and needs to login to their iCloud to use an app they have already paid for.

What we have done is just assign the essential apps to VPP and disabled activation lock. Anything they do can be bypassed with a wipe (even though it's inconvenient) and the next time it's on the network it 'reimages' itself.

cpominville
Contributor

There is also the ability to use a profile to prevent them from removing the School Apple ID, and replacing it with their own. In Restrictions Payload, look for "Allow modifying account settings (supervised only)". I believe this is the one. I wish that when you selected a particular restriction, somehow it would be coloured so that when you go back to it 6 months later, you know exactly which one you activated/deactivated.

This works great, as once they sign in to device with the school Apple ID... they cannot remove it!! That one I left open for Teachers.

I also recently discovered (from a user that knows nothing about iPads, but somehow she did it) that you can have the 'school' Apple ID in place to take advantage of the 200 gigs for pictures (what a godsend when you have to wipe the iPad... no worry about saving pictures) and let them use their personal Apple ID for the Store.
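An added example, not part of the original post and not Jamf's own tooling: a small audit that reads an exported configuration profile and reports whether the restrictions mentioned in this thread are actually set. It assumes an unsigned XML `.mobileconfig`; the key names are Apple's Restrictions payload keys, and the sample profile is constructed for illustration.

```python
import plistlib

# Keys from Apple's Restrictions payload (com.apple.applicationaccess) that
# correspond to settings discussed in this thread. False means "blocked".
THREAD_RESTRICTIONS = (
    "allowAccountModification",                 # "Allow modifying account settings"
    "allowAppInstallation",                     # App Store installs
    "allowUIConfigurationProfileInstallation",  # manually installed (non-MDM) profiles
)

# Constructed sample: an unsigned profile with made-up contents, not a real export.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAccountModification</key><false/>
      <key>allowAppInstallation</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_restrictions(profile_bytes):
    """Return {key: 'blocked' | 'allowed' | 'not set'} for the thread's settings."""
    profile = plistlib.loads(profile_bytes)
    status = {key: "not set" for key in THREAD_RESTRICTIONS}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries these keys
        for key in THREAD_RESTRICTIONS:
            if key not in payload:
                continue
            # Reported as blocked if any Restrictions payload sets the key to false.
            if payload[key] is False or status[key] == "blocked":
                status[key] = "blocked"
            else:
                status[key] = "allowed"
    return status


if __name__ == "__main__":
    for key, state in audit_restrictions(SAMPLE_PROFILE).items():
        print(f"{key}: {state}")
```

A key reported as "not set" means the profile leaves that behaviour at the device default, which is the gap to look for when a restriction was expected to be in scope.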

thejenbot
Contributor III

We instruct students to sign in to iCloud with their managed Apple ID so they can get textbooks we push out through jamf, and so they can utilize the 200GB of storage. We don't restrict account settings and have the App Store available for students in grades 10-12. When they sign in to iTunes & App Store with a personal Apple ID and sync with that address, they sometimes (but not often) lose access to their books. We have them switch back to re-download and then they're fine.

Previously I had a smart group set up that would alert me when a student signed in to iCloud with a personal Apple ID (which would enable activation lock) so I could have them correct this, but since we can now prevent them from enabling it in the prestage we kind of let them do what they want. We don't worry any more that we'll have problems with activation lock in the setup assistant, etc. We've only on a few instances had to contact Apple to have them remove association with a standard Apple ID so that a student could sync with their MAID to access content.

kcasey
New Contributor II

@mlizbeth @cpominville @thejenbot Thank you for the great input!
I will proceed with letting students sign into iCloud with Managed Apple IDs or if they choose, their personal Apple ID. All student iPads will now have Activation Lock so shouldn't matter if they login with a personal Apple ID. In fact, since we only allow VPP apps and restrict the app store, logging in with a personal Apple ID wouldn't be that useful.
Also, we wipe iPads annually or if it gets assigned to a new student.

matthew_dwiar
New Contributor

I have tried this method (restrictions applied for 'modify account settings') recently with student-assigned iPads, and it initially worked great. I 'unrestricted' them, got the students to sign in with Managed Apple IDs, ensured the iCloud settings were correct on each device, and then moved them back into scope to turn on the restrictions again. The account was 'greyed out' so it was still signed in, but they couldn't make any changes or sign out. Perfect!

Over time however, the 'link' to the iCloud seemed to drop out, as it required the students to re-authenticate their Apple ID. Unfortunately, the dialog box for Microsoft Azure AD password wouldn't appear as the account settings were still restricted.
I have to 'unrestrict' them manually so they can re-establish the Apple ID connection, then all is back to normal again.

Another hiccup I found was when students performed the upgrade to iPadOS 13, as this also required re-authentication with Apple ID, but this was again restricted. (It also allows them to add passcodes which we don't allow, but this isn't a big issue.)

Not bad, but I expect a few issues need to be ironed out in future to make it fool-proof.

Ideally, it would be great if we could simply have a restriction that prevented 'Sign Out' specifically, so they could still maintain their iCloud accounts and re-authenticate as needed, but couldn't sign out.

deanchristie
New Contributor II

@thejenbot What was your criteria for seeing if a personal Apple ID was logged in?

thejenbot
Contributor III

@deanchristie In the JSS under Users, click on the token where it says "content assigned" and at the top of the screen under the word Matches, it will say False if they are signed in with a personal Apple ID. If they're signed in correctly it says True.