iCloud: Is it being used in your environment?

With the release of Sierra, Apple has added a few new iCloud Drive features that business environments may want to gather data on before deciding how to remediate. Rich Trouton has documented the inner workings of the Desktop and Documents folder sync feature on his blog, so I will spare you the details. The other new feature is Optimize Storage, which Anandtech covers.

Depending on your environment there may also be other concerns with employees using iCloud accounts on their company equipment. For example, Find My Mac is a service that could allow a person to locate a device and erase or lock it. Perhaps a disgruntled employee sends the Lock/Erase command to the device, or maybe the employee’s account gets compromised because they didn’t have two-factor authentication enabled on their Apple ID. Whatever the reason, only Apple will be able to unlock the device for you, and only after you meet their requirements (which may include proof of purchase, identification, etc.), so you may want to remediate against that.

There may be additional iCloud features that you might also want to disable such as “Back to My Mac” which allows a person to remote into their device.

You can draw your own conclusions as to whether these are important in your business environment, but the short of it is that if you have requirements that company data stay on company-managed devices or managed cloud services, then some of these iCloud features are going to be non-starters in your environment.

And that’s not even to mention that no brand new OS release is without its share of bugs. There have been a few issues reported online that seem to be linked to users upgrading to Sierra while their iCloud accounts are enabled.

Given the iCloud features that Apple has introduced, I thought it prudent to collect some information from computers before we start deploying Sierra, so that we know whether iCloud is being used and, if so, which features that matter to a business are enabled.

I currently work in a Casper environment and decided to write extension attributes that gather this information, which then allows us to create smart groups that use these specific criteria (the results from those extension attributes). Extension attributes are essentially scripts that run on a computer when inventory is collected from it. Therefore, if you work with other inventory/management systems, it shouldn’t be too hard to modify these scripts so that they feed into your management system of choice. I tried to comment each script as thoroughly as possible.

Here are the ones that I cared about:

  1. Determine iCloud account status
  2. Determine iCloud account details
  3. Determine iCloud Drive status
  4. Determine iCloud Document Sync status
  5. Determine iCloud Drive optimization status
  6. Determine Find My Mac status
  7. Determine Back to My Mac status

Some of these features depend on each other, but they do not necessarily have to be used together. For example, you can’t have iCloud Drive enabled without your iCloud account being signed in, and therefore none of the Drive Optimization or Document Sync features will be enabled either.
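To illustrate the dependency just described in code, here is an added example (not one of the post’s own extension attributes) that reads a MobileMeAccounts.plist-shaped file and reports account status plus the iCloud Drive, Desktop and Documents, Find My Mac and Back to My Mac states in the `<result>` form a Casper extension attribute returns. It assumes the `Accounts` / `LoggedIn` / `AccountID` / `Services` / `Name` / `Enabled` layout of `~/Library/Preferences/MobileMeAccounts.plist` and the service names shown; the plist it parses is constructed inline rather than read from a real Mac.

```python
import plistlib

# iCloud services the extension attributes on this page care about.
# The service names are assumptions about the Services array in MobileMeAccounts.plist.
SERVICES_OF_INTEREST = {
    "MOBILE_DOCUMENTS": "iCloud Drive",
    "CLOUDDESKTOP": "Desktop and Documents sync",
    "FIND_MY_MAC": "Find My Mac",
    "BACK_TO_MY_MAC": "Back to My Mac",
}

def icloud_status(plist_bytes):
    """Return {'logged_in': bool, 'account_id': str|None, 'services': {label: bool}}.

    Mirrors what an inventory extension attribute computes after reading the
    console user's MobileMeAccounts.plist. With no signed-in account, every
    dependent service is reported as disabled, matching the dependency above.
    """
    data = plistlib.loads(plist_bytes)
    accounts = data.get("Accounts", [])
    active = next((a for a in accounts if a.get("LoggedIn")), None)
    services = {label: False for label in SERVICES_OF_INTEREST.values()}
    if active is None:
        return {"logged_in": False, "account_id": None, "services": services}
    for svc in active.get("Services", []):
        label = SERVICES_OF_INTEREST.get(svc.get("Name"))
        if label is not None:
            services[label] = bool(svc.get("Enabled", False))
    return {"logged_in": True, "account_id": active.get("AccountID"), "services": services}

def ea_result(value):
    """Wrap a value in the <result> tags Casper expects from an extension attribute."""
    return "<result>%s</result>" % value

# Constructed sample, shaped like MobileMeAccounts.plist with one signed-in account.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Accounts</key><array><dict>
    <key>AccountID</key><string>user@example.com</string>
    <key>LoggedIn</key><true/>
    <key>Services</key><array>
      <dict><key>Name</key><string>MOBILE_DOCUMENTS</string><key>Enabled</key><true/></dict>
      <dict><key>Name</key><string>CLOUDDESKTOP</string><key>Enabled</key><false/></dict>
      <dict><key>Name</key><string>FIND_MY_MAC</string><key>Enabled</key><true/></dict>
    </array>
  </dict></array>
</dict></plist>"""

if __name__ == "__main__":
    status = icloud_status(SAMPLE_PLIST)
    print(ea_result("Signed in" if status["logged_in"] else "Not signed in"))
    for label, enabled in status["services"].items():
        print(label, ea_result("Enabled" if enabled else "Disabled"))
```

On a real Mac the plist bytes would come from the console user’s `~/Library/Preferences/MobileMeAccounts.plist`, and each `ea_result` line would be emitted by its own extension attribute script.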

I don’t blog often and this blog post actually prompted me to use Github for the first time so let me know if you’ve got any feedback. Hopefully you find this somewhat helpful.

Edit: One thing to note is that some of these extension attributes look for the logged-in user to pick up the iCloud preferences. The assumption here is that a user will usually be logged in when recon/inventory is collected from the computer and that one user typically uses the computer. It wouldn’t be too far-fetched to go further and build arrays to get the respective iCloud values for each user account through a loop.