all the cool kids are doing it

OS X 10.7.2 introduced iCloud, and with it came an automatic setup prompt on first user login.  Given all the legal compliance we have regarding data security we wanted to discourage faculty and staff from storing university data on iCloud (we have local servers for that). However, since we don’t directly manage client machines or have any control over what clients should or should not do with their computer (even if it is university-owned), I needed to find a way to discourage use of iCloud but not disable it completely.  The compromise was to suppress the setup prompt pop-up but still allow manual setup of iCloud if desired.

The MacAdmin community rallied and supplied a documented method for disabling the pop-up, however this method only seems to work in managed environments and is negated when Setup Assistant runs on first boot.  DeployStudio included a method of disabling the iCloud pop-up with build 1.0rc130, but only as part of their ds_finalize script on post-deployment reboot, which we bypass as part of our thin imaging method.

After several false starts and failed experiments, I devised this combination of a couple of launchdaemons — one to rename the iCloudPref.prefPane file (preventing Setup Assistant from launching it) and one to rename it back to its original file name — and a launchagent to trigger the second daemon after first login.  The daemons, agent, script files and any custom directories used are installed via package as part of a DeployStudio workflow.

Here’s the first launchdaemon to kick it all off, located in the /Library/LaunchDaemons directory. In this example the script it calls is located in /private/var here but you could put it anywhere root can access:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.uvm.iCloudSuppress-daemon</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>/private/var/iCloudSuppress-daemon.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

The called script renames the iCloud.prefPane file, deletes the daemon, then self-destructs. At first I tried to include an unload of the daemon in here too, but unloading the daemon seemed to halt the script prematurely before it could self-destuct and was therefore left out:

#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin export PATH

# rename iCloud PrefPane
mv "/System/Library/PreferencePanes/iCloudPref.prefPane" "/System/Library/PreferencePanes/iCloudPref.uvm_backup"

# remove daemon
rm -f "/Library/LaunchDaemons/edu.uvm.iCloudSuppress-daemon.plist"

# script self-destruct
srm $0

The second launchdaemon (also installed to /Library/LaunchDaemons) loads but waits for a signal from the post-login launchagent before running its script. In this example it watches for changes in the /Users/Shared/UVM-Setup directory but you could have it watch any directory that is writable by any local account and is not subject to change by other processes. As above, the script it calls is located in /private/var here but you could put it anywhere root can access:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.uvm.postassistant-daemon</string>
	<key>OnDemand</key>
	<true/>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>/private/var/postassistant-daemon.sh</string>
	</array>
	<key>RunAtLoad</key>
	<false/>
	<key>WatchPaths</key>
	<array>
		<string>/Users/Shared/UVM-Setup/</string>
	</array>
</dict>
</plist>

The launchagent is installed to /Library/LaunchAgents and loads on first login. In this example the agent script is located in the /Users/Shared/UVM-Setup directory, same as the watched directory of our second launchdaemon. Again, you could put the script anywhere the user has read/write access to but since we’ll be recursively removing the /Users/Shared/UVM-Setup directory completely anyway it’s one less thing to remember to remove later:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.uvm.postassistant-agent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>/Users/Shared/UVM-Setup/postassistant-agent.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

The launchagent script touches the directory watched by the second daemon (thereby initiating its script, as root) and self-destructs:

#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin export PATH

# make a change to /Users/Shared/UVM-Setup to trigger launchd that can run as root
touch "/Users/Shared/UVM-Setup/runthatbaby"

# script self-destruct
srm $0

Lastly, the second launchdaemon script restores the iCloudPref.prefPane file name, deletes the remaining launchagent and launchdaemon files and the OnDemand trigger directory, then self-destructs:

#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin export PATH

# restore iCloud PrefPane
mv "/System/Library/PreferencePanes/iCloudPref.uvm_backup" "/System/Library/PreferencePanes/iCloudPref.prefPane"

# remove agent
rm -f "/Library/LaunchAgents/edu.uvm.postassistant-agent.plist"

# remove daemon
rm -f "/Library/LaunchDaemons/edu.uvm.postassistant-daemon.plist"

# delete watch directory
rm -rf "/Users/Shared/UVM-Setup"

# script self-destruct
srm $0

When all is said and done, clients should finish Setup Assistant with no subsequent iCloud pop-up but can still manually open System Preferences and set up iCloud later if desired.