Remote Authentication for iCloud Login

[dark knight]

(sorry for the quite random question)

Setting up MDM / Jamf is quite a lot to get into for just a few devices and users. And really the only feature needed is to be able to remotely enter an iCloud password, if macOS or IOS ever asks for it, without those details being known more generally.

It is possible that screensharing on macOS could work, though, I don’t think IOS allows remote control. And also, security and authentication events may be disallowed via screensharing.

App-specific passwords would at least allow for login to iCloud Mail without the account password, which seems helpful.

Is there something quite simple? Some kind of super light version of device management? Thank you so much

 

[TriBruin]

(sorry for the quite random question)

Setting up MDM / Jamf is quite a lot to get into for just a few devices and users. And really the only feature needed is to be able to remotely enter an iCloud password, if macOS or IOS ever asks for it, without those details being known more generally.

It is possible that screensharing on macOS could work, though, I don’t think IOS allows remote control. And also, security and authentication events may be disallowed via screensharing.

App-specific passwords would at least allow for login to iCloud Mail without the account password, which seems helpful.

Is there something quite simple? Some kind of super light version of device management? Thank you so much

Can we take a step back and ask what are you trying to accomplish here?

Apple considers AppleIDs and iCloud accounts to be personal accounts. Even Managed AppleIDs are still issued to the end user and tied to a corporate identity provider. Any data is considered private.

To answer you basic question, no there is no automated way to do this. You would need either physical access to the device or remote access. However, remote access on a Mac generally requires a third party (unless all you computers are on the same network) and iOS has limited options. Even then, the end user would still need to grant approval and would know what you are doing.

But, if you can describe why you think you need a user logged in to an iCloud account without the user knowing the iCloud password, maybe we can offer some other solutions.

 

[dark knight]

Thank you for your replies,

Above a certain number of people/devices, MDM+Jamf are the obvious solution for managing devices. And they do bring many additional features.

Though, with just a handful of people/devices, those bring quite considerable setup procedures and caveats. And there are many instances where you only need really basic admin features.

It would be amazing if Apple considered some kind of tiny business scenario, just as they consider 'this phone belongs to my child' and MDM for large organisations.

Actually, 'this phone belongs to my child' is half way there, maybe 'this iPhone/Mac belongs to an colleague/employee'. I don't think you can prevent a user from signing out of iCloud on a Mac?

So, without this, I just wondered if a Jamf-light kind of service existed. A device can be generally set-up and locked down, with really basic remote admin features, so that others can use it but just not admin. It seems not but I thought I would ask.

 

[TriBruin]

Thank you for your replies,

Above a certain number of people/devices, MDM+Jamf are the obvious solution for managing devices. And they do bring many additional features.

Though, with just a handful of people/devices, those bring quite considerable setup procedures and caveats. And there are many instances where you only need really basic admin features.

It would be amazing if Apple considered some kind of tiny business scenario, just as they consider 'this phone belongs to my child' and MDM for large organisations.

Actually, 'this phone belongs to my child' is half way there, maybe 'this iPhone/Mac belongs to an colleague/employee'. I don't think you can prevent a user from signing out of iCloud on a Mac?

So, without this, I just wondered if a Jamf-light kind of service existed. A device can be generally set-up and locked down, with really basic remote admin features, so that others can use it but just not admin. It seems not but I thought I would ask.

There are some really good, lower cost solutions for SMB. Honestly, it doesn't take too many devices to make having an MDM worth it. I would say 5 devices is worth it.

For small numbers of devices, I would look at Jamf Now (not Jamf Pro) and Mosyle. Apple also offer their own MDM solution Apple Business Essentials. It is designed and built for SMB with a really low cost of entry ($3/mo with additional paid options.) If I only wanted to manage a few devices, I would probably try this first.

Most of these low cost solution have free trials. Give a few of them a try.

I would offer a word of advise from someone that manages thousands of devices. Avoid the temptation to over manage your users. I have this fight all the time with my organization. Start with defining your goals for administration of the devices. Then start small. Roll out one or two restrictions, like Passcode required, minimum of six characters. Make sure your users get used the management and understand why you are doing it. It is about keeping the users and the organization safe and secure.

 

[dark knight]

Thank you for your helpful advice 🙏

Luckily, the most basic account management would be enough. Just to keep devices signed in and secure, while leaving account management greyed out. Though, it does kind of seem like fairly fully featured MDM is the only way to achieve this.

As you suggest, I just revisited the Jamf Now setup video. I can see that you are right and that MDM would be super helpful. It is just fairly involved for the most basic use cases. I will also take a look at Mosyle. Apple Business Essentials was being rolled out when I last checked so I should also now go back and take a look at that too.

Honestly, if iOS had remote screen-control like macOS, I think that would work. Just like calling into the company IT desk for them to approve non-standard (non Jamf self service portal) software installs with admin details.

Mmm 🤔 Thank you again for your advice.