You can prevent end users from signing into personal iCloud or Apple ID accounts on managed devices using Device Settings in Addigy. This applies to macOS, iOS, and iPadOS devices.
Note: This restriction also applies to managed Apple IDs. Test all settings on a non-production device before deploying broadly.
The correct payload depends on the macOS version running on the target device.
macOS 14+, iOS, and iPadOS
- Navigate to Catalog > Device Settings and create a new Device Setting.
- Select the Restrictions payload.
- In the General section, disable Allow account settings modification.
Note: On macOS 14+, disabling Allow account settings modification will also prevent users from adding accounts to the native Mail app. This payload requires supervision.
macOS 13 and earlier
- Navigate to Catalog > Device Settings and create a new Device Setting.
- Select the System Preferences payload.
- Choose the appropriate OS version tab:
  - System Settings (macOS 13.x) — check Apple ID under the Disabled tab.
  - System Preferences (macOS 10.7–12.6.7) — check both Apple ID and iCloud under the Disabled tab.
Important: This setting locks account modification on the device. If a personal Apple ID is already signed in when the profile is applied, it will remain signed in — it will not be logged out automatically. Ensure devices are in the desired account state before deploying.
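To confirm that a profile carries the payload that matches the target OS version, the following added example (not Addigy's code) parses an unsigned .mobileconfig and checks for the setting described above. The payload types and keys are Apple's documented configuration profile names; that an exported Addigy profile uses exactly this layout is an assumption, and the sample profiles are constructed.

```python
import plistlib

# Payload types and keys from Apple's configuration profile reference.
# Assumption: the profile under test is unsigned and uses this layout.
RESTRICTIONS = "com.apple.applicationaccess"
SYSPREFS = "com.apple.systempreferences"
APPLE_ID_PANE = "com.apple.preferences.AppleIDPrefPane"
ICLOUD_PANE = "com.apple.preferences.icloud"
APPLE_ID_SETTINGS = "com.apple.systempreferences.AppleIDSettings"


def blocks_apple_id(profile: bytes, macos_major: int) -> bool:
    """True if the profile holds the payload this page prescribes for macos_major."""
    payloads = plistlib.loads(profile).get("PayloadContent", [])
    for p in payloads:
        ptype = p.get("PayloadType")
        if macos_major >= 14:
            # macOS 14+: Restrictions payload with account modification disallowed.
            if ptype == RESTRICTIONS and p.get("allowAccountModification") is False:
                return True
        elif ptype == SYSPREFS:
            if macos_major == 13:
                # System Settings tab: Apple ID pane disabled.
                if APPLE_ID_SETTINGS in p.get("DisabledSystemSettings", []):
                    return True
            else:
                # System Preferences tab: both Apple ID and iCloud panes disabled.
                panes = set(p.get("DisabledPreferencePanes", []))
                if {APPLE_ID_PANE, ICLOUD_PANE} <= panes:
                    return True
    return False


def make_profile(payload: dict) -> bytes:
    """Build a constructed single-payload profile for the demo below."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


# Constructed sample profiles (not exported from a real tenant).
MODERN = make_profile({"PayloadType": RESTRICTIONS, "allowAccountModification": False})
LEGACY = make_profile({"PayloadType": SYSPREFS,
                       "DisabledPreferencePanes": [APPLE_ID_PANE, ICLOUD_PANE]})
PARTIAL = make_profile({"PayloadType": SYSPREFS,
                        "DisabledPreferencePanes": [APPLE_ID_PANE]})

if __name__ == "__main__":
    for name, prof in [("modern", MODERN), ("legacy", LEGACY), ("partial", PARTIAL)]:
        for major in (12, 13, 14):
            print(f"{name:8} macOS {major}: {blocks_apple_id(prof, major)}")
```

The PARTIAL profile shows the failure case for macOS 12 and earlier: disabling only the Apple ID pane leaves the iCloud pane available.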
Useful Scripts for macOS
Use these scripts to create Custom Facts to audit iCloud and Apple ID status across your fleet before or after applying restrictions.
Check whether iCloud is enabled on a device
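#!/bin/sh
Result="False"
# Only consider accounts with a UID of 500 or higher (skips system accounts).
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    # The iCloud Drive folder exists once iCloud Drive has been enabled for the user.
    if [ -e "/Users/$user/Library/Mobile Documents/com~apple~CloudDocs/" ]; then
        Result="True"
    fi
done
echo "$Result"
Check whether Find My is enabled on a device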
#!/bin/sh
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
echo "Not Set "
else
echo "Set "
fi
Check which Apple ID is signed in on a device
#!/bin/bash
# Only consider accounts with a UID of 500 or higher (skips system accounts).
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    userHome=$(dscl . read /Users/"$user" NFSHomeDirectory | sed 's/NFSHomeDirectory: //')
    # Read the Apple ID linked to the account, if any.
    appleid=$(dscl . readpl "${userHome}" dsAttrTypeNative:LinkedIdentity appleid)
    if [[ "${appleid}" == "" ]]; then
        echo "No AppleID for user: ${user}"
    else
        echo "username: ${user} AppleID: ${appleid}"
    fi
done