This article is intended to help admins who want to restrict or prevent end users from signing into their personal iCloud/Apple accounts on managed devices. Note that these restrictions also apply to Managed Apple IDs.
How to restrict personal iCloud access for macOS?
It's easy! Simply create an MDM configuration and add a new System Preferences configuration to it.
Depending on your preferences, you may want to hide items entirely or simply prevent users from interacting with them. Within this configuration, you can choose to hide or disable individual System Preferences panes.
Once in the configuration window, you will first need to select the OS version range you are looking to block this on. The screenshot below showcases the setting required to disable/hide the Apple ID on macOS 13+ devices.
For devices below 13.x, this is what is required to disable iCloud/Apple ID usage:
As always, please be sure to test these settings out prior to mass deploying to avoid any unwanted/unexpected behavior.
How to restrict personal iCloud access for iPhones and iPads?
Create a "Restrictions" MDM profile to restrict iCloud/Apple ID usage on iOS/iPadOS devices. Therein, you will want to enable the following setting in the "General" section:
It is important to note that this setting locks account modification on the device: if an account is already signed in, it stays signed in and is not logged out; the user simply cannot add, remove, or change accounts afterwards.
As always, please be sure to test these settings out prior to mass deploying to avoid any unwanted/unexpected behavior.
Useful Related Scripts for macOS
Check whether iCloud is enabled on a device
#!/bin/bash
# Prints True if any local user account (UID >= 500) has an iCloud Drive folder,
# which is only created once that user has signed into iCloud on this Mac.
Result="False"
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    if [ -e "/Users/${user}/Library/Mobile Documents/com~apple~CloudDocs/" ]; then
        Result="True"
    fi
done
echo "$Result"
Check whether "Find My" is enabled on a device
#!/bin/sh
#
# Prints Set if Find My Mac is enabled on this Mac. The fmm-mobileme-token-FMM
# NVRAM variable is only present while Find My Mac is turned on.
#
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Not Set</result>"
else
    echo "<result>Set</result>"
fi
Check which Apple ID is signed in on a device
#!/bin/bash
# Reports the Apple ID linked to each local user account (UID >= 500).
# The linked Apple ID is stored in the user's directory record under the
# LinkedIdentity attribute, so dscl is given the record path /Users/<name>
# (not the home directory, which is not always the same path).
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    appleid=$(dscl . readpl "/Users/${user}" dsAttrTypeNative:LinkedIdentity "appleid.apple.com:linked identities:0:full name" 2>/dev/null | awk -F'full name: ' '{print $2}')
    if [[ -z "${appleid}" ]]; then
        echo "No AppleID for user:${user}"
    else
        echo "username:${user} AppleID:${appleid}"
    fi
done