Disable iCloud for fun and Security

Anyone who was watching WWDC 2016 and works in a high security environment with macOS probably had the same reaction as me when Craig Federighi stepped on stage and announced that macOS Sierra would offload less used files to your personal iCloud storage and swap them back to the local disk on your Mac when you did need them.

That reaction would have been something like this:

Obviously this is horrifying news for anyone (like myself) with an interest in data leakage.

Thankfully Apple has provided configuration profile options to help alleviate this and thanks to Rich Trouton (who supplied the screen grab), they look like this:

But this only solves half the problem. This is great for a fresh out of the box computer, what if you have many wild devices out there and you need to do something about them? A conversation on Mac Admins Slack today reveals that while this blocks access, it leaves any existing configuration alone meaning any user will no longer be able to turn things off and it’ll run nicely on it’s own.

Thanks to some investigative efforts of myself and Tim Kimpton who’s also been wondering about this, we now have a solution between us. It turns out that iCloud settings live in a plist file located in the home folder of every user on the computer called “~/Library/Preferences/MobileMeAccounts.plist”.

Delete this and it logs the user out of iCloud for that specific user account. Knowing this, it was easy to come up with a script to recursively go through all the user accounts on a computer and remove this file before flushing the plist memory cache. Below is a proof of concept only script to do exactly that.


# Log out all users from iCloud

ls /Users/ | while read USERS ;
if [ -d /Users/$USERS/Library/Preferences/ ];
rm /Users/$USERS/Library/Preferences/MobileMeAccounts.plist

killall cfprefsd

You can find this included as part of the CIS Security Standards section of my GitHub. I should really blog about that someday 😉