Prevent personal Apple ID's from being able to MDM lock/wipe computers?

mking529
Contributor

Hey everyone, so a couple of months ago something I always wondered about finally happened. A former staff member saw her old school-issued laptop in her device list in her Apple ID and MDM locked it from her iCloud/Find My Mac because she did not recognize the name. In the past, we were not ensuring that staff signed out of their iCloud/App Store/etc. before we imaged the machine. The machine was completely reimaged, but obviously the iCloud control remained. We've honestly been slow to embrace MDM and DEP, but with imaging gone we're onboard now. Nothing like having no choice to stimulate evolution of practices. ;)

My question is, is there any way in Config Profiles and whatnot to stop them from having this ability from the start? I see there are some disallow options for certain aspects of iCloud but am not sure what is tied to what, or if disabling them would impede any of our functionality. I've trained all IT staffers to ensure they log out of iCloud, App Store, and iTunes when they leave the district, but it would be nice if that ability just wasn't there for them.


SCADtom
New Contributor III

Yes, via Configuration Profile.
Payload > Restrictions > Preferences > disable selected items: iCloud
Test it out and see if you also need to select internet accounts. If you are using a web based email and not allowing Apple's Mail, you should be okay restricting internet accounts.

I would also recommend having another way of tracking lost/stolen Macs via third-party software.

Apple has a procedure for removing the Activation lock, check with your Apple Education rep for the details.

mking529
Contributor

@SCADtom Thanks for the reply but I can tell you, at least in a 10.13 environment, that this does not work. We tried it on our student computers, it was done before they received them. It greys out the preference but if they log into FaceTime or Messages (I think, it's hard bribing this information from the students haha), it will log them into iCloud on the machine. We actually had to check it back on so students can get to the preference to log out before turning their laptops back in this week. It's easy enough to just add "check iCloud" to our check-in workflow but it sure would be nice if at least students couldn't do it at all. Just another hole in Apple's management. They're getting there, but still a ways to go.
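The "check iCloud" step in that check-in workflow can be automated as a Jamf Pro extension attribute. The script below is an added example, not code from any poster or from Jamf; it assumes the signed-in Apple IDs are recorded in each user's `~/Library/Preferences/MobileMeAccounts.plist` (assumption) and that `plutil` is available to convert that binary plist to XML.

```shell
#!/bin/sh
# Added example: report which Apple IDs are still signed in to iCloud on a Mac,
# so a device is not re-imaged or returned while still tied to a personal account.
# Assumes sign-in state lives in ~/Library/Preferences/MobileMeAccounts.plist
# (assumption) and that plutil exists, as it does on any macOS host.

# Pull every AccountID string out of an XML plist read from stdin.
icloud_account_ids() {
    awk '/<key>AccountID<\/key>/ { want = 1; next }
         want && /<string>/ {
             sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0 }'
}

# Print the Apple IDs signed in for one user home directory (nothing = none).
icloud_accounts_for_home() {
    plist="$1/Library/Preferences/MobileMeAccounts.plist"
    [ -f "$plist" ] || return 0
    plutil -convert xml1 -o - "$plist" | icloud_account_ids
}

# Constructed sample of what plutil emits for a Mac with one signed-in account.
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key>
      <string>former.staff@example.edu</string>
      <key>DisplayName</key>
      <string>Former Staff</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Extension attribute entry point: scan every local home directory and emit the
# <result> tag Jamf Pro expects. Only runs on macOS; elsewhere nothing is printed.
main() {
    found=""
    for home in /Users/*; do
        [ -d "$home" ] || continue
        ids=$(icloud_accounts_for_home "$home")
        [ -n "$ids" ] && found="$found $(basename "$home"):$ids"
    done
    printf '<result>%s</result>\n' "${found:-none}"
}

if [ "$(uname)" = "Darwin" ]; then main; fi
```

A smart group on this attribute not equal to "none" then flags the laptops that still need an iCloud sign-out before they are reimaged.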

DougE
New Contributor III

We are trying to solve the same problem. Any solution ever found?

mfilipekWR
New Contributor

I know that I'm digging up an old topic but if anyone is interested...

How about locking the iCloud as above + additional policy to restrict apps?
I've just pushed a conf profile with: "restrict Messages, FaceTime". Seems it's working fine.

CM1010
New Contributor

Curious about this as well. While restricting access to such apps and panes in System Preferences, we have successfully tested a remote wipe, notifications and having the device show up on personal Apple ID accounts despite the device having a specific payload disabling Find My applied to it (and not having it checked in the Configuration Profile applied to it via Jamf Pro).

Yup, I noticed this week as well that Find My disabling appears to not be functional, at least not on a Big Sur M1 Mac. We're collecting student laptops and I noticed one had it checked, and I was able to toggle it on and off with no resistance. Apple REALLY needs to get on the ball with these much needed controls, and quit breaking the ones they do offer!