InformationWith macOS 10.12 Apple introduced the capability to have a user's Desktop and Documents folders automatically synchronize to the user's iCloud Drive, provided they have enough room purchased through Apple on their iCloud drive. This capability mirrors what Microsoft is doing with the use of OneDrive and Office 365. There are concerns with using this capability.
The storage space that Apple provides for free is used by users with iCloud mail, all of a user's Photo Library created with the ever larger Multi-Pixel iPhone cameras and all of the iOS Backups. Adding a synchronization capability for users who have files going back a decade or more and storage may be tight without much larger Apple charges than the free 5GB. Users with multiple computers running 10.12 and above with unique content on each will have issues as well.
Enterprise users may not be allowed to store Enterprise information in a third-party public cloud. In previous implementations iCloud Drive or even DropBox the user selected what files were synchronized even if there were no other controls. The new feature synchronizes all files in a folder widely used to put working files.
The automatic synchronization of all files in a user's Desktop and Documents folders should be disabled.
Automated Document synchronization should be planned and controlled to approved storage.
Users will not be able to use iCloud for the automatic sync of the Desktop and Documents folders.
SolutionPerform the following to disable iCloud Desktop and Document syncing:
Open System Preferences
Select Apple ID
Select iCloud Drive
Select Options next to iCloud Drive
Uncheck Desktop & Documents Folders
Create or edit a configuration profile with the PayLoadType of com.apple.applicationaccess
Add the key allowCloudDesktopAndDocuments
Set the key to </false>
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-20(1), 800-53|AC-20(2), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: d789eb4de874f1aebceff02b516b38fa28b0e48137423f135a7b457b0bacea1d