We would like to open up use of iCloud on our iPadOS devices, but only want to allow users to log in with their managed iCloud account. Is there a way in Jamf Pro to either pre populate the domain and/or user and lock the user into only signing in with their managed AppleID?
@astrugatch There is no mechanism in Apple's current MDM specification that allows you to restrict the domain used for iCloud/AppleID. That would be required before Jamf could add support for it. If your organization has a support account with Apple (guessing that since you're using Managed AppleIDs the odds are good you do) I'd suggest you open a case asking for the ability to restrict iCloud/AppleID to specific domains.
The way you could get around it is to make sure you have the option "Apple ID and iCloud" unchecked in your PreStage Enrollment. This will prompt the user to enter their credentials when setting up the iPad. Then have a config profile push down to restrict account changes to iCloud accounts.
You can't unless you are either watching them or trusting them!
The way we 'report' on this, is that we manage all applications either through forced install or via self-service, but they are all managed. If you create a search or smart group of any device that has 'unmanaged' applications, these will be the users that have signed in with an unmanaged Apple ID.
Yes I hear you!
We basically create a step by step guide that classroom staff followed in order to provision devices, i.e which wifi to connect to, log in here, log in there with your school credentials, and then reported on anyone that didn't do it properly. But the most important thing we stated was that deployment is not an IT responsibility, it is the school responsibility, so here are the instructions!
Deployment is definitely on them, but when kids have stuff their not supposed to they DO come calling. (Though we are armed to put it back on them). We deployed quickly offsite during the height of the pandemic BEFORE we were able to get managed IDs and Federation set up, so this wasn't even part of the workflow at the time. We skipped aIDs entirely until now. Now I'm in the rough spot of opening the doors, but only allowing them in with an "approved" account.