Preventing iCloud Wipes and Account Modification

koolmike

I searched around so I don't think this has been posted before.

Our end goal is to prevent users from being able to wipe their iOS devices using iCloud. We're preventing that by using DEP, supervising the device, and preventing "Account Modification". However, we've noticed some problems doing so. For one thing, Exchange users won't be able to update their passwords. Our workaround for that has been to push out the Outlook and OWA apps instead.

But the problem that seems to have no workaround is that users can't purchase any items from the iTunes store. Since account modification prevents adding accounts, we've preloaded their accounts onto the phones before locking down account modification. However, on iOS 11 devices, trying to purchase anything that isn't free just times out. It seems that the setting to "not require a passcode for free items" allows users to download apps. But if the item costs money and they need to punch in their password, nothing happens. The app just doesn't download. I've removed the setting to prevent account modification and then it works just fine.

So what I'm hoping for is:

1. Is there a way to prevent iCloud wipes without using the "Prevent Account Modify" setting?

or

2. Is there a workaround to allow users to download apps in spite of that setting?

Any help would be appreciated.

RyanB
Meraki Employee

Appreciate the level of detail in the question.

What would be the usefulness of preventing them from wiping the device if they really wanted to?

If the device is a DEP enrolled device, they wouldn't be able to get around having the profile automatically re-installed once they go through the device setup process. 

That's the exact argument I've been tossing at my manager too 🙂 But anyway, there was an incident with a disgruntled employee who wiped their phone using iCloud after they were terminated, removing very important text messages (I don't know the nature of those messages). And yes, I realize there's no way to fully prevent an employee from deleting things individually if they're really determined.

So yes, while I personally think it's an overreaction to an isolated incident, I've been tasked with disabling iCloud because of that. I'm hoping there's a way to get around these inconveniences that come from disabling account modifications.

RyanB
Meraki Employee

Ah, makes perfect sense.

I'm assuming you've tried to disable the "Allow Erase All Content and Settings (iOS 8+)" setting on a supervised device, and tested that the iCloud wipe of a device still gets enforced?

Short of that, unfortunately, I believe our hands are tied. For better or worse we are at the mercy of Apple for these restrictions, and since they give us no way to prevent that action I'm not sure there would be other options that we have.

Yea, I have that restriction enabled as well. Unfortunately, the phone still wipes if initiated from iCloud.

It does stink that Apple prevents us from restricting this stuff. Maybe it's time we moved to Android instead; we've been able to prevent remote wipes very easily on that platform using Meraki.

Thanks for your time Ryan.

jared_f

We have also run into this hurdle a few times. I have a policy that searches to see if users are installing VPN apps to get around corporate filters. As soon as they get put into the group the device basically becomes unusable. Even though I restrict erase all content and settings, they still just go to iCloud and remote wipe the device and go through DEP enrollment, which causes the restrictions to be removed (because they're considered compliant with the device). Our hands are tied with Apple and not even Meraki can do anything.


Hello Everyone,

I hope someone can help me.

We have about 48 iPads across our company and there is one option that I hope can be removed or altered.

We have a Trusted Phone Number to verify identity when signing in or recovering the account in case of a forgotten password. I want to remove or restrict the ability of an employee to EDIT this number with his own and verify himself/herself.

Last night we had an employee who EDITED the trusted phone number with his own and changed the entire iCloud password.

Can we restrict or do something to prevent this happening again?

Thank you
