This article is intended for admins who want to restrict or prevent end users from signing into their personal iCloud/Apple accounts on managed devices. Note that these settings also restrict Managed Apple IDs.
How to restrict personal iCloud access for macOS?
It's easy! Simply create an MDM Configuration and select the System Preferences or the Restrictions MDM configuration depending on the version of macOS you're running.
For devices running macOS 13 and below:
Depending on your preferences, you may want to hide items entirely or leave them visible but prevent users from interacting with them. Within the System Preferences configuration, you can choose to hide and/or disable individual System Preferences panes.
Once in the configuration window, you will first need to select the OS version range that the configuration should apply to.
The screenshot below shows the setting required to disable/hide the Apple ID pane on macOS 13 devices:
For devices running versions below 13.x, this is what is required to disable iCloud/Apple ID usage:
For devices running macOS 14+:
For devices running macOS 14 or newer, Apple deprecated the System Preferences payload, and you must instead use the "Allow Account Settings Modification" key within the Restrictions MDM Configuration. This is the same key that is used to restrict Apple IDs on iOS, as covered below. Here's a screenshot of the setting, located in the "General" section of the payload:
As always, please be sure to test these settings out prior to mass deploying to avoid any unwanted/unexpected behavior.
How to restrict personal iCloud access for iPhones and iPads?
Create a "Restrictions" MDM profile to restrict iCloud/Apple ID usage on iOS/iPadOS devices. Therein, you will want to enable the following setting in the "General" section:
It is important to note that this setting locks account modification on the device: if an account is already signed in when the profile is applied, that account stays signed in and cannot be signed out, and the user cannot change accounts.
As always, please be sure to test these settings out prior to mass deploying to avoid any unwanted/unexpected behavior.
Useful Related Scripts for macOS
Check whether iCloud is enabled on a device
#!/bin/bash
# Reports "True" if any local user (UID 500 and above) has an iCloud Drive folder.
# The folder is created when iCloud Drive is turned on and is not removed when
# it is turned off, so "True" means iCloud Drive was enabled at some point.
Result="False"
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    if [ -e "/Users/$user/Library/Mobile Documents/com~apple~CloudDocs/" ]; then
        Result="True"
    fi
done
echo "$Result"
Check whether "Find My" is enabled on a device
#!/bin/sh
#
# Prints "Set" if Find My Mac is enabled on this Mac, otherwise "Not Set".
# Find My Mac stores a token in NVRAM; -x prints NVRAM as XML so the
# variable name can be matched reliably.
#
fmmToken=$(/usr/sbin/nvram -x -p | /usr/bin/grep fmm-mobileme-token-FMM)
if [ -z "$fmmToken" ]; then
    echo "<result>Not Set</result>"
else
    echo "<result>Set</result>"
fi
Check which Apple ID is signed in on a device
#!/bin/bash
# For each local user (UID 500 and above), print the Apple ID linked to the
# account. The linked Apple ID is stored in the user's LinkedIdentity
# attribute in the local directory node, so dscl readpl is given the directory
# record path (/Users/<name>) rather than the user's home folder.
for user in $(dscl . list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    appleid=$(dscl . readpl "/Users/$user" dsAttrTypeNative:LinkedIdentity "appleid.apple.com:linked identities:0:full name" 2> /dev/null | awk -F'full name: ' '{print $2}')
    if [[ -z "${appleid}" ]]; then
        echo "No AppleID for user:${user}"
    else
        echo "username:${user} AppleID:${appleid}"
    fi
done