As of this post, Apple is still testing 10.12.4 Beta 7, but it has apparently introduced a new payload preference that can be managed through a configuration profile. You can read more about this preference key in Apple's public documentation (no login required). The new preference key is allowCloudDesktopAndDocuments, which accepts a boolean value. If set to false, it disallows macOS cloud desktop and document services. It defaults to true and is available only in macOS 10.12.4 and later. For enterprises, this is a rather important preference that probably should have shipped when 10.12 was first released, but better late than never.
There are a couple of problems with the iCloud Desktop and Document sync feature that was introduced with macOS 10.12. One thing to consider: everything on your Desktop and in Documents gets synced to iCloud, which means that if you have a lot of documents (anything over 5GB) you will need to pay extra for iCloud storage. That is perhaps not an immediate concern for a business, but it is something to consider as a consumer. The more pressing issue for organizations is that they may not want their users to use iCloud Drive at all. There is a Restrictions payload option that blocks iCloud Drive altogether, and you can make use of it. But some organizations are more laid back: they don't necessarily mind the use of iCloud Drive, but they certainly don't want everything on the Desktop and in Documents synced to iCloud. With the new Restrictions payload preference, you can now disable this specific feature while still allowing iCloud Drive to be used.
I was curious to find out what would happen if I applied the profile with this new payload preference enforced while logged into iCloud. Here are some findings that may be of use if you plan on making use of this new payload preference:
In 10.12.4, if you are logged into iCloud Drive with Desktop/Doc Sync enabled AND THEN apply the configuration profile with this restriction, it will completely log you out of iCloud Drive even if you haven’t disabled iCloud Drive through a config profile. You may even get some warnings about potentially losing your data that hasn’t been synced if you try to install this configuration profile manually.
In 10.12.3, if you are logged into iCloud Drive with Doc Sync enabled AND THEN apply the config profile with this restriction, it will NOT log you out of iCloud Drive. And needless to say, Doc sync will remain enabled since this new payload option does not affect anything older than 10.12.4. The caveat here is that once the computer has upgraded to 10.12.4 your computer will completely log you out of iCloud Drive even if you haven’t disabled iCloud Drive through a config profile.
This can come as a big surprise to users so it may be prudent to send out communication if you decide to make use of this profile option explaining what to expect once 10.12.4 comes out and they are updated. You may also want to test this out yourself just to validate my findings.
EDIT 3/27/17: Rich Trouton has a blog post laying out the payload with a configuration profile you can download.
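As an added example (not code from this post, and separate from the profile linked above), the following Python sketch builds a Restrictions payload that sets only allowCloudDesktopAndDocuments to false, then audits a profile against a macOS version to show which machines in a fleet will actually honor the key. The organization name, the `com.example` identifier and the function names are placeholders; allowCloudDocumentSync is the Restrictions key that blocks iCloud Drive as a whole.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
MIN_OS = (10, 12, 4)  # key is only available in macOS 10.12.4 and later


def build_profile(org="Example Org", identifier="com.example.restrict-desktop-docs"):
    """Return .mobileconfig bytes that disable only Desktop/Documents sync.

    org and identifier are placeholder values (assumptions for this example).
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "allowCloudDesktopAndDocuments": False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable iCloud Desktop and Documents sync",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(data, os_version):
    """Report what a profile allows for iCloud sync on a given macOS version."""
    profile = plistlib.loads(data)
    result = {"desktop_docs_sync_allowed": True, "icloud_drive_allowed": True}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        # Ignored before 10.12.4; the documented default is true.
        honored = tuple(os_version) >= MIN_OS
        if honored and payload.get("allowCloudDesktopAndDocuments", True) is False:
            result["desktop_docs_sync_allowed"] = False
        # Assumption of this example: with iCloud Drive blocked entirely,
        # Desktop/Documents sync is treated as blocked too.
        if payload.get("allowCloudDocumentSync", True) is False:
            result["icloud_drive_allowed"] = False
            result["desktop_docs_sync_allowed"] = False
    return result
```

The audit models only the documented version gate; it does not model the iCloud Drive sign-out described in the findings above, which still needs testing on a real 10.12.4 machine.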