underQualifried
Brass Contributor
Feb 11, 2025

[iOS] does disabling iCloud backup via app assignment work?

Been trying to find a way to disable iCloud for the Messages app. So far what I've heard/read/been told is that it's not possible to do it as an app config to Messages, because Apple has not exposed an API for it. Still trying to get a grasp on Intune, however, so I've continued investigating. I know that on the App assignment field, when you assign as required or available, a few options populate - one of them being "enable iCloud backup" (or maybe it's disable, idk). Obviously my mind immediately went to adding Messages as a managed application, and disabling it here, then assigning. I had NO idea if this would work, a) because the app is already built-in to devices and b) they're managed devices and everything else is VPP. But I tested on a non-managed test device - it did not work. (I did not get a second Messages install either.)

So I'm just wondering if anyone knows exactly how this setting is supposed to apply, if it's REALLY supposed to work with all managed apps, or any details? Based off this article from Apple, it DOES seem like when you manage an app, you have this functionality. But maybe not for built-in (to device) apps?

  • Ebuke_Okwese
    Brass Contributor

    Unfortunately, I don't think that method works for your intent. I'm not even sure what it's supposed to do myself. It may only apply to Microsoft's own apps and supporting third-party/Intune-branded apps.

    Apple is frustrating because they don't give you an alternative or granular control. It's either disable iCloud altogether (which you can do), or have iCloud on.

    To disable iCloud altogether: Under the Restrictions Template, go to General --> "Block modification of account settings" and change this to yes. After that, make sure that profile is assigned directly to all devices (use filters if you need to control which ones have that restriction). That stops people from signing into an Apple ID if they have not already done that. Disable it and manage all your app deployments through VPP; users might find it annoying, but it saves a lot of headaches with "I forgot my Apple ID password; can you reset it for me?"

    Note for config deployments: If you use groups, it takes too long for a new device to grab those settings, so users can still log in to an Apple ID and have iCloud enabled. By speed, "All devices" is the fastest, then "All users" is second, and by a significant margin "Groups" is in last place (whether assigned or dynamic).

    • underQualifried
      Brass Contributor

      Thanks for the info. I think we're probably past the point of avoiding headaches; these devices are a mix of Managed Apple IDs and non-managed Apple IDs and BOTH managed/non-managed. Good to know about the grouping delay - when we onboarded, we created groups with the users' Entra IDs, as I couldn't seem to make static groups of their devices until they were paired with a user. Allegedly, this is supposed to be possible, but I figured having the different policies apply as soon as the user logged in was better than waiting until they logged in, then grouping the device.
