Managing iCloud Access: What You Can (and Can't) Do

Apple IDs have long been integral to the Mac, iPhone, and iPad experience. People are accustomed to using them to sign in to services on their Apple devices—whether those devices are personal or professional.

However, as an IT admin, those IDs and the services they provide access to—most of which rely on iCloud—might give you some pause. It’s not that iCloud itself doesn’t have ample security of its own. It could be more that you’re worried that corporate data will make its way from your organization’s Apple devices to the cloud without your knowledge or supervision. 

Fortunately, Apple has given IT teams several tools for controlling end-user access to iCloud-reliant services. The degree of control you have, and the tools you use to exert it, depend entirely on how your users are accessing iCloud—more specifically, the kind of Apple IDs they’re using.

Here’s how all that works.

Managing iCloud Access: Personal Apple IDs

The concern here is that end users will use their own personal Apple IDs to access iCloud services from work devices.

Unfortunately, as of today, there’s no way to completely restrict iCloud sign-ins using personal IDs; Apple doesn't provide the MDM keys that would be necessary to manage personal iCloud accounts per se. Users can sign in to any Apple ID from any Apple device, and as an admin, there isn’t anything you can do about it.

That said, Apple has provided the MDM restriction keys necessary to block sign-ins to specific iCloud services from a given device, regardless of the kind of Apple ID being used. Those blockable services include:

• iCloud Address Book
• iCloud Bookmarks
• iCloud Calendar
• iCloud Drive
• iCloud Desktop & Documents
• iCloud Keychain
• iCloud Mail
• iCloud Notes
• iCloud Reminders
• iCloud Photo Library
• iCloud Photo Stream
• iCloud Shared Photo Stream
• iCloud Private Relay

In Kandji, for example, you can configure a Restrictions Library Item to block those services (or not). 

Managing iCloud Access: Managed Apple IDs

As you might guess, you get a lot more control over what users can or cannot do with iCloud if they’re using Managed Apple IDs to sign in. 

For starters, certain iCloud services are blocked for all Managed Apple IDs. They include: Find My, Health, Home, Journal, iCloud Family Sharing, iCloud Mail, Private Relay, Hide My Email, or Custom Email Domain. In many cases, the restricted apps might appear on the device, but won’t work.

Apple Business Manager provides additional controls (assuming the devices you’re managing are running iOS/iPadOS 17 or macOS 14, and that your MDM solution supports it).  There, you can define which devices have access to iCloud services: All of them, managed or supervised devices only, or none. That's one way to block access to iCloud—but it works only for users who sign in with Managed Apple IDs.

In Apple Business Manager, you can also control whether or not users can collaborate (via iCloud) on files created using Keynote, Numbers, or Pages. You can turn access to select iCloud services (including iCloud Drive and Keychain) on or off. And you can control whether or not specific apps that rely on iCloud—including Photos, Messages, Contacts, Notes, and Reminders—are available. Finally, you can manage user access to FaceTime and iMessage.

Your MDM solution may provide further controls for supervised devices. For example, in Kandji, you can prevent users from adding, removing, or modifying accounts for email, contacts, and calendaring. 

Managing and Restricting Access to iCloud

So, you’ve got several tools for managing and restricting access to iCloud from your organization’s devices. But there’s a philosophical question here: Should you?

Apple’s general philosophy on such things is that less is more. You should start with allow and then move to deny if and when it’s necessary. They give you the tools, but they don’t necessarily want you to use all of them—only those that your organization’s security, compliance, and operating regimes demand.

Furthermore, iCloud has been built as a secure ecosystem. Among other things, it can leverage two-factor authentication, and data sent to it is encrypted end-to-end. 

It may be that you see blocking iCloud access as a proxy for preventing something else—such as Activation Lock, which users can enable using their personal Apple IDs. But there may be other ways of dealing with that; here’s how you can manage Activation Lock in Kandji, for example,   

So, it’s up to you to do the math to determine what’s truly necessary and what makes sense for your organization. What are you worried about? That your corporate data will end up on iCloud Drive? That data will leak out through iMessaging? Get specific in answering those and similar questions, and you’ll figure out what you need to manage.

As an Apple admin, you have more granular control over iCloud than ever before. Instead of it being an all-or-nothing question, Apple has, over time, given admins greater choice over what’s allowed and what’s restricted. It’s up to you to determine your organization’s actual requirements. Apple has then given you the tools you need to meet them.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.