How to control employee access to iCloud services

As Apple device use spirals across the enterprise, Apple admins have grown accustomed to maintaining tolerance when it comes to iCloud. But there are some controls they can apply to manage what employees can do with the online service.

Managed or personal Apple ID?

There is a difference between what restrictions can be applied on personal iCloud accounts and Managed Apple IDs. IT has far more control over the latter, but can apply some restrictions to personal devices as well, so long as they are managed by an MDM (Mobile Device Management) system of some kind.

If they are not protected by MDM, then no restrictions can be applied at all.

The big difference is that on personal devices assigned to an enterprise MDM account, IT can use a set of MDM restrictions to reduce access to some iCloud services. Managed Apple IDs have far more power, and can be used alongside personal Apple IDs on employee-owned devices, thanks to Apple’s User Enrollment tools. 

How to control iCloud access with managed devices

Managed Apple IDs cannot access certain iCloud services.  Apple says this is due to “organizational focus and to protect user privacy.” The following services are not available, though in some cases the app might be visible:

• Find My.
• Health.
• Home.
• Journal.
• Wallet (though employee badges in Wallet do function).
• iCloud Mail, iCloud+ and iCloud Family Sharing.

You can also customize access to some other apps using Apple School or Business Manager, Apple Business Essentials, and/or your MDM tools. If your fleet runs the latest operating systems, you might also be able to add further refinements to help lock iCloud access down — for example, whether users can collaborate on Keynote files from within Business Manager. Most MDM services offer similar tools.

The idea is that by preventing people from using these services from within their work-related Managed Apple ID, the natural security of the devices is enhanced. It also means you can deploy your own digital employee experiences on the devices, including use of company email.

Of course, employees with devices that support both personal and managed Apple IDs also have access to all their own personal iCloud services, but not from within your deployed mobile work environment.

What about Personal Apple IDs?

Sensibly, Apple does not let IT restrict use of iCloud on personal devices; someone can access their own iCloud account from any Apple device. 

What Apple does allow is some control of iCloud access from devices enrolled in a company’s MDM system. Using Apple’s provided MDM restriction keys, companies that don’t use Managed Apple IDs can block access to specific iCloud services from a given device. This is a little like using a hammer to crack an egg, but you can block access to the following iCloud services: Address Book, Bookmarks, Calendar, Drive, Keychain, Mail, Notes, Reminders, Photo Library, and Private Relay.

The downside is that by blocking access to these services you effectively limit what your staff can do with a device that is for all intents and purposes their own device, using their own Apple ID. Many workers would likely feel this to be an unwanted intrusion into their personal devices and see such moves as displaying a lack of trust. (IT admins could, of course, argue that they feel forced to deploy such restrictions to prevent exfiltration of valuable corporate or personal data.)

Which approach is best?

For me, if you do need to restrict access to iCloud services across your teams, it feels more appropriate to impose those restrictions via a Managed Apple ID. Doing so provides the maximum benefit — you can control and restrict device use that relates to your business, its services, and data, while also permitting personal use of that device.

The beauty of this approach is that work and personal data on a device is cryptographically separated and stored on different partitions, keeping work data secure and personal data private. While there is no such thing as a guarantee when it comes to device or data security, the combination delivers the best employee experience while enabling close control of any potential data/passcode exfiltration. Apple has also tied this experience up with Focus mode, making it as simple as a tap to switch between the work experience and personal use of the device.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.