Remove Messages account via policy or script

nadams
New Contributor III

We had some abuse of the Messages app here and decided to restrict it from running via a software restriction policy. This policy works fine, in that if you try to launch Messages, you just get a notice that it's been disabled. However, the students, enterprising as they are, have found a way around that. If you make a contact (in the standard "contacts" window) with an email address, the option is there to send that contact a message. It opens up a small Messages window which you can use to send a quick message. If you wait too long, the software restriction policy will kick it out, so you have to be quick.

Once the student on the other end receives the message, they get notified that they have a new message, but can't read it because they can't open Messages. This process also generates a ton of notifications about Messages being blocked.

What I'd like to do is remove their iTunes account from the configuration, because if there's no account configured, they can't open Messages to add one, and it won't let them send the message. Obviously they had all set up their accounts prior to the restriction policy being in place. Is there a way for me to "unconfigure" iMessage via a policy or script? I can't just remove the entire app since it's baked into OS X.

Thanks!


andrew_nicholas
Valued Contributor

What about changing the rights/ownership on the app, then have an EA for detecting when that changes and reapply the restriction?

bentoms
Honored Contributor III

@andrew.nicholas I'm guessing that SIP might stop that.

@nadams Are they signed into iCloud on the Macs then?

nadams
New Contributor III

@bentoms They're signed in to Messenger, which I believe stores its data in iCloud. However, I don't think you have to have a full iCloud sign-in for it to work. It just prompts you to sign in to Messages when you first open it. On my test machine, I'm signed in to Messages, but when I go to the iCloud settings in System Preferences, it prompts me to sign in as if it's not set up.

elund
New Contributor III

One option is to delete the Messages app off their computer.

nadams
New Contributor III

@elund It's built into the OS... deleting it has the potential to cause a lot of problems.

Just for giggles, I set up a software restriction policy that was set to delete the app after detection, and it didn't work on my test machine.

bentoms
Honored Contributor III

Pretty sure SIP is stopping the wipe.

I was hoping you could block them from iCloud to resolve this, but doesn't sound like it will.

Also, as this is some of the Messages APIs being accessed via Mail.. this is why the blocks aren't working.

Hmm.. I wonder if there is something in the mail.app that could disable this functionality.

elund
New Contributor III

@nadams Yes, that could lead to problems. I had one student machine that I deleted it from last year without any ill effects reported.

nadams
New Contributor III

@bentoms Could I possibly do something with editing the keychain? Disabling and enabling the account in Messages results in 3 keychain entries being modified:

ids: message-protection-public-data-registered
com.apple.facetime: registrationV1
ids: personal-public-key-cache

All 3 have a type of "Application password"

EDIT - deleting com.apple.facetime: registrationV1 resulted in the account being broken within Messages (oddly enough, it continues to work for Facetime). If you try to send a message through the contacts, it says that it failed to send and gives you the option to open the Messages app to fix it (which obviously doesn't work due to the software restriction). It doesn't seem to completely remove the account... it just forgets the password.
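An added example, not from this thread or from Jamf, that turns the three keychain entries listed above into the kind of read-only detection check andrew_nicholas suggested earlier: an extension-attribute style script that reports whether those items exist in the console user's login keychain. The `login.keychain-db` path and the assumption that `security find-generic-password -l` matches on the item's Keychain Access "Name" are assumptions; it only reads and never deletes anything.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the Messages/FaceTime
# registration items observed by nadams are present in a login keychain.
# Read-only. Keychain path and label matching are assumptions.

# Print "present" or "absent" for one item label in the given keychain file.
# A missing keychain file or a missing `security` tool both yield "absent".
check_label() {
  keychain="$1"
  label="$2"
  if security find-generic-password -l "$label" "$keychain" >/dev/null 2>&1; then
    echo present
  else
    echo absent
  fi
}

# Fold a list of "present"/"absent" states into one EA-friendly value,
# e.g. summarize present absent present -> "registered:2/3"
summarize() {
  present=0
  total=$#
  for state in "$@"; do
    if [ "$state" = present ]; then
      present=$((present + 1))
    fi
  done
  echo "registered:${present}/${total}"
}

# Check the three labels nadams saw change when the Messages account was
# disabled/enabled, against the console user's login keychain. Meant to run
# as root from a Jamf policy or extension attribute (assumed layout).
report_console_user() {
  user=$(stat -f '%Su' /dev/console)
  keychain="/Users/${user}/Library/Keychains/login.keychain-db"
  echo "<result>$(summarize \
    "$(check_label "$keychain" 'ids: message-protection-public-data-registered')" \
    "$(check_label "$keychain" 'com.apple.facetime: registrationV1')" \
    "$(check_label "$keychain" 'ids: personal-public-key-cache')")</result>"
}
```

A value of `registered:0/3` means no Messages registration is stored for that user; anything higher flags a machine where the account was set up before the restriction policy landed.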

bentoms
Honored Contributor III

@nadams Apple are locking down the Keychain more & more from a remote changing perspective.

So I'd probably not go down that route.

Is Messages using Bonjour to see who is around? Perhaps disabling Bonjour will stop this too.

nadams
New Contributor III

@bentoms Crap, I was hoping that the keychain would be an easy fix. I can see why they wouldn't want it edited remotely, though.

I don't think it cares to see who is around. I can put any email address in and it will try to send the message whether they're nearby or not.

I might see if my Jamf guy has any thoughts on it... Just wish I would've restricted the stupid thing from the start.