
How to control employee access to iCloud services – Computerworld

Because Apple device use is spiralling across the enterprise, Apple administrators have become accustomed to being tolerant when it comes to iCloud. However, there are certain controls they can put in place to manage what employees can do using the online service.

Managed or personal Apple ID?

There is a difference between the restrictions that can be applied to personal iCloud accounts and managed Apple ID accounts. The IT department has much more control over the latter, but can impose certain restrictions on personal devices as well, as long as they are managed by some type of MDM (Mobile Device Management) system.

If a device is not enrolled in MDM, no restrictions can be applied to it.

The big difference is that on personal devices enrolled in a corporate MDM system, IT can apply a set of MDM restrictions to limit access to certain iCloud services. Managed Apple IDs are much more powerful and can be used alongside personal Apple IDs on employee devices thanks to Apple’s user enrollment tools.

How to control iCloud access with managed devices

Managed Apple IDs don’t have access to some iCloud services. Apple says this is due to “organizational focus and user privacy.” The following services are not available, although in some cases the application may be visible:

  • Find My.
  • Health.
  • Home.
  • Journal.
  • Wallet (although employee IDs in Wallet do work).
  • iCloud Mail, iCloud+ and iCloud Family Sharing.

You can also customize access to some other apps using Apple School or Business Manager, Apple Business Essentials and/or MDM tools. If your fleet runs the latest operating systems, Business Manager offers further controls over iCloud access, such as whether users can collaborate on Keynote files. Most MDM services offer similar tools.

The idea is that by preventing users from using these services with a work-related Managed Apple ID, the inherent security of devices is increased. This also means you can implement your own digital employee experiences on devices, including corporate email.

Of course, employees with devices that support both personal and managed Apple IDs also have access to all of their personal iCloud services, but not from within the deployed mobile work environment.

What about personal Apple IDs?

Smartly, Apple doesn’t let the IT department restrict iCloud use on personal devices; someone can access their own iCloud account from any Apple device.

What Apple does allow is firm control over iCloud access from devices enrolled in your company’s MDM system. By using the MDM restriction keys Apple provides, businesses that don’t use Managed Apple IDs can block access to specific iCloud services from a given device. It’s a bit like using a sledgehammer to crack a nut, but you can block access to the following iCloud services: Address Book, Bookmarks, Calendar, Drive, Keychain, Mail, Notes, Reminders, Photo Library, and Private Relay.
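As an added example (not from the article or from Apple), the following Python script builds a Restrictions configuration profile that turns off the iCloud services listed above, and includes an audit helper that reads a profile back and reports which of those services it blocks. The `allowCloud*` key names are Apple's own Restrictions payload keys (`com.apple.applicationaccess`); the mapping from the article's service names to those keys, the payload identifiers and the organization name are assumptions and placeholders for this example. Check Apple's Restrictions documentation for which keys apply to macOS versus iOS, since platform coverage differs between keys.

```python
import plistlib
import uuid

# Mapping of the iCloud services named in the article to Apple's Restrictions
# payload keys (PayloadType com.apple.applicationaccess). The key names are
# Apple's; which key blocks which named service is this example's assumption.
ICLOUD_SERVICE_KEYS = {
    "Address Book": "allowCloudAddressBook",
    "Bookmarks": "allowCloudBookmarks",
    "Calendar": "allowCloudCalendar",
    "Drive": "allowCloudDocumentSync",
    "Keychain": "allowCloudKeychainSync",
    "Mail": "allowCloudMail",
    "Notes": "allowCloudNotes",
    "Reminders": "allowCloudReminders",
    "Photo Library": "allowCloudPhotoLibrary",
    "Private Relay": "allowCloudPrivateRelay",
}


def build_restrictions_profile(blocked_services, org="Example Corp (placeholder)"):
    """Return a configuration profile (as a dict) whose Restrictions payload sets
    the allow* key for each blocked service to False. Services not listed are
    left out of the payload, which on Apple devices means they stay allowed."""
    unknown = set(blocked_services) - ICLOUD_SERVICE_KEYS.keys()
    if unknown:
        raise ValueError(f"unknown iCloud service(s): {sorted(unknown)}")
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.icloud",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iCloud service restrictions",
    }
    for service in blocked_services:
        payload[ICLOUD_SERVICE_KEYS[service]] = False
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.icloud",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iCloud restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def profile_to_xml(profile):
    """Serialize the profile dict as an XML plist, the .mobileconfig format."""
    return plistlib.dumps(profile).decode()


def blocked_services_in_profile(profile_xml):
    """Audit helper: parse a profile and return the sorted list of the
    article's iCloud services that it blocks (key present and set to False).
    A missing key counts as allowed, matching device behaviour."""
    profile = plistlib.loads(profile_xml.encode())
    blocked = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for service, key in ICLOUD_SERVICE_KEYS.items():
            if payload.get(key, True) is False:
                blocked.add(service)
    return sorted(blocked)


if __name__ == "__main__":
    # Example run: block the three services most often tied to data leaving
    # the device, then audit the resulting profile.
    profile = build_restrictions_profile(["Drive", "Keychain", "Private Relay"])
    xml = profile_to_xml(profile)
    print(xml)
    print("Blocked services:", blocked_services_in_profile(xml))
```

The audit function is the part worth keeping around: run it over profiles exported from your MDM to confirm that what is actually pushed to devices matches the policy you intended, and to spot profiles that block far more of an employee's personal iCloud use than the policy calls for.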

The downside is that by blocking access to these services, you’re effectively limiting what your employees can do with what is for all intents and purposes their own device using their own Apple ID. Many employees would likely consider this an unwanted intrusion into their personal devices and view such moves as a sign of distrust. (IT administrators could, of course, argue that they feel compelled to implement such restrictions to prevent the exfiltration of valuable corporate or personal data.)

Which approach is best?

In my opinion, if you need to restrict access to iCloud services on your teams, it seems more appropriate to impose those restrictions via Managed Apple ID. This gives you maximum benefit – you can control and limit the use of your device in relation to your business, its services and data, while still allowing personal use of the device.

The beauty of this approach is that work and personal data on the device are cryptographically separated and stored on different partitions, keeping work data safe and personal data private. While there is no such thing as a guaranteed device or data security, this combination provides employees with the best user experience while allowing for tight control over potential data/password theft. Apple has also linked this to Focus Mode, making switching between work mode and personal use of the device as simple as a tap.
