Populate iCloud account on iOS devices. Lock to domain (managed Apple ID)

New Contributor III

We would like to open up use of iCloud on our iPadOS devices, but only want to allow users to log in with their managed iCloud account. Is there a way in Jamf Pro to either pre populate the domain and/or user and lock the user into only signing in with their managed AppleID?


Esteemed Contributor II

@astrugatch There is no mechanism in Apple's current MDM specification that allows you to restrict the domain used for iCloud/AppleID. That would be required before Jamf could add support for it. If your organization has a support account with Apple (guessing that since you're using Managed AppleIDs the odds are good you do) I'd suggest you open a case asking for the ability to restrict iCloud/AppleID to specific domains.


The way you could get around it is to make sure you have the option "Apple ID and iCloud" unchecked in your PreStage Enrollment. This will prompt the user to enter their credentials when setting up the iPad. Then have a config profile push down to restrict account changes to iCloud accounts.

Yes, this is exactly how we do it, prompt for Apple ID during setup process, and then as soon as Jamf self-service is installed, there is a profile that prevents account modification.

How do you ensure they are in the correct account short of watching / trusting them?

You can't unless you are either watching them or trusting them!

The way we 'report' on this, is that we manage all applications either through forced install or via self-service, but they are all managed.  If you create a search or smart group of any device that has 'unmanaged' applications, these will be the users that have signed in with an unmanaged Apple ID.


Thats rough. I definitely can't trust 6000 school children to follow instructions. I can barely trust the adults... My apple rep just gave me hope that this would be manageable in iOS 16, but i'm not putting all my faith in that...

Yes I hear you! 

We basically create a step by step guide that classroom staff followed in order to provision devices, i.e which wifi to connect to, log in here, log in there with your school credentials, and then reported on anyone that didn't do it properly.  But the most important thing we stated was that deployment is not an IT responsibility, it is the school responsibility, so here are the instructions!   

Deployment is definitely on them, but when kids have stuff their not supposed to they DO come calling. (Though we are armed to put it back on them). We deployed quickly offsite during the height of the pandemic BEFORE we were able to get managed IDs and Federation set up, so this wasn't even part of the workflow at the time. We skipped aIDs entirely until now. Now I'm in the rough spot of opening the doors, but only allowing them in with an "approved" account.

That is indeed the option to allow but there's something weird now which I've not seen before. If you uncheck this, during setup you are prompted. But now you NEED to enter iCloud credentials. You can't skip this during setup and enter your account later. I thought this was how it used to be....