Jamf Nation Community

I agree with @AJPinto on this one.  Feedback to Apple is your best bet.  Don't assume that this request has already been made by someone else.  Use the FeedBack assistant app while signed in using the Managed Apple ID from your organization.  This tells Apple a couple of things... you are reporting this issue from an institution using Apple devices, and how many devices you have managed by your organization.  This feedback is likely more valuable than a random bug report from an individual.

Apple uses "Supervision" to establish that a device is an institutional owned device and managed by that institution's MDM.  Apple has verified that these devices are owned by the institution and has also required that the institution verifies ownership of any domains used for Managed Apple IDs.  It seems like a reasonable request to limit sign in on a "Supervised" device to Managed Apple IDs using domains verified by the same organization.

Just my $0.02.

I could not have said it better myself. I also realized I had not submitted feedback for this, and I thought I had in the past. 

I just drafted together a feedback template for anyone interested and just wants to copy paste with a few mark ups needed. Technically it's not unexpected behavior, but it is really dumb that Apple does not have a control for this already.

TITLE:
Limit domain of AppleID's able to log in to Supervised Apple devices with MDM

WHICH ARE ARE YOU SEEING ISSUES WITH?
Mobile Device Management (MDM)

WHAT TYPE OF ISSUE ARE YOU REPORTING
Inconrrect/Unexpected Behavior

INTRO:
This feedback is about a change in default behavior for macOS Sequoia that prevents our organization from using Managed Apple ID's.
SCOPE OF IMPACT:
* _____ Macs eligible (or likely) to upgrade to Sequoia;
* _____ Macs refreshed annually;
* _____ Macs across the entire organization;
* _____ computers across all operating systems.
PROBLEM: In its current implementation, there is no way to limit what Apple ID's users utilize to log in. Apple has put much effort in recent years to ensure data owned by Managed Apple ID's is manageable and accessible by the organization that manages the Apple ID. However, apple has stopped short of allowing MDM's to limit what domains are allowed when a user logs in with an AppleID or to limit users to only being able to log in with Managed Apple ID's.
 
ISSUES & CONCERNS:
1. Users are able to log in to Managed and Supervised devices with personal Apple ID's.
2. Users are able to sync organizational data to their personal Apple ID's iCloud account, using Apple services to bypass DLP controls if allowed.
3. The only "work around" is to totally prevent a user from logging in to an Apple ID.

WHY THIS MATTERS:
{some blurb about your company}. In addition to our duty to ensure organizational data is handled correctly and stored in secure locations we also have many federal regulations involving data management. As there is no way to allow Apple ID's and prevent the use of personal Apple ID's we cannot allow Apple ID's at all which limits many Apple services to our end users and offers them a diminished "Apple experience".
### Further details on why this matters###
 
Dependent Applications
1. MacOS System Settings
2. Apple Internet Accounts
3. iWork (Numbers, Pages, Keynote)
4. Messages
5. Freeform
6. BetaSeed (with macOS 13 and macOS 14)
7. Feedback.app
8. Etc.
 
REQUESTS &/OR SUGGESTIONS:
Provide a new MDM payload that facilitates management & control of Apple ID's:

- The ability to limit Personal Apple ID's from logging in to Supervised Macs.
- The ability to limit the domain of a Managed Apple ID on what is allowed to be used (ie only allowing @MyCompany.com in addition to being a Managed AppleID for the organizations that have not federated their emails yet)
- A single setting that can be configured to disable Apple ID's globally (currently you have to disable system settings > Apple ID and then restrict all the apps a user can use to log in with in addition).
-Offer MDM functionality to log an Apple ID out of one is somehow logged in.

Make sure you close and reopen system preferences, the changes don't apply until after the app closes. If it's still being slow run a sudo Jamf manage to kick jamfs framework. 

You cannot prevent someone's ability to log out of an AppleID. You either block the pane all together or not at all. You could make a smart group looking for devices with AppleID's logged in, and if one is use that as a target for a configuration profile disable the AppleID pane. Its a bit around the world but would be the closest thing I could think of to accomplish that.