Raising Your IQ on Apple Intelligence
Apple Intelligence is finally here now that iOS 18.1 and macOS 15.1 have shipped. However, many people and organizations want to know how they can block it.
Apple Intelligence is an Opt-In service from Apple, so unless you Opt-In, there are no concerns about AI, on or off device.
Officially, Apple has provided the following configuration profile keys for the X.1 OSes for the preference domain com.apple.applicationaccess.
- allowWritingTools
- allowMailSummary
- allowGenmoji
- allowImagePlayground
- allowImageWand
And DDM management of Math Notes.
There’s also the key allowAssistant to disable Siri, which has become more intelligent with Apple Intelligence.
Currently in the X.1 OSes, these are the features which are available and able to be restricted: Siri, Writing Tools and Mail Summary, even though there are controls for the other features not yet implemented.
This will allow you to fully block those features. But is that it? …the answer is …No. Even if you implement all the Apple-supplied restrictions, there are still features of Apple Intelligence that are not manageable.
This link, https://support.apple.com/en-us/121115, lists at the bottom the features available in the X.1 OS releases:
- Writing Tools
- Clean Up in Photos
- Create a Memory movie in Photos (iOS/iPadOS only)
- Natural language search in Photos
- Notification summaries
- Reduce Interruptions Focus
- Intelligent Breakthrough & Silencing in Focus
- Priority messages in Mail
- Smart Reply in Mail and Messages
- Summaries in Mail and Messages
- Siri enhancements, including product knowledge, more resilient request handling, new look and feel, more natural voice, the ability to type to Siri, and more
There are features that are coming and already in testing with macOS 15.2 and iOS 15.2, but this is about the currently shipping OS, not the betas.
To be fair, most people and organizations may not mind Apple Intelligence if it never leaves the device. However, there’s no guarantee about that.
Private Cloud Compute (PCC) is Apple’s Apple Intelligence AI server infrastructure and, in my opinion, the security and privacy around it is crazy good. Here are a few links from Apple. Be warned, they’re not for the faint of heart.
https://security.apple.com/blog/private-cloud-compute/
https://security.apple.com/blog/pcc-security-research/
https://security.apple.com/documentation/private-cloud-compute
Reviewing the details in these links SHOULD soothe any concerns. However, these documents do not address any compliance requirements of highly regulated industries such as ISO, FedRAMP, FIPS validations of the encryption, etc.
But MAYBE, if for some reason all your concerns are not soothed and you want to allow Apple Intelligence only on device, but not off device, Apple has a great link: Use Apple Device On Enterprise Networks. About 3/4 of the way down, there’s a section “Apple Intelligence, Siri, and Search” which lists the 4 server addresses for Apple’s PCC:
- apple-relay.cloudflare.com — port 443
- apple-relay.fastly-edge.com — port 443
- cp4.cloudflare.com — port 443
- apple-relay.apple.com — port 443
You could block these at the network level with an enterprise firewall, or you can use the /etc/hosts file on your Mac to do just that.
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
And just add to the bottom of that file:
127.0.0.1 apple-relay.cloudflare.com
127.0.0.1 apple-relay.fastly-edge.com
127.0.0.1 cp4.cloudflare.com
127.0.0.1 apple-relay.apple.com
Now Apple Intelligence can no longer reach out to the PCC servers. You may get odd errors and results in certain applications when trying to use a feature that tries to access PCC. This file can be difficult to manage since you can’t do it via MDM easily. I’m not sure what apple-relay.apple.com does exactly because it’s listed as “Apple Intelligence Extensions” and not “Private Cloud Compute”.
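Because the hosts file is hard to manage from MDM, a compliance check that reports whether the four names above are still sinkholed is useful. The following is an added example, not code from the original post; it assumes a Python 3 runtime is deployed on the Mac (macOS does not ship one), and the function names and `SAMPLE` text are constructed for illustration.

```python
import ipaddress

# The four server names listed above, all on port 443.
PCC_HOSTS = ("apple-relay.cloudflare.com", "apple-relay.fastly-edge.com",
             "cp4.cloudflare.com", "apple-relay.apple.com")

# Constructed sample: one name is both sinkholed and pointed elsewhere.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 apple-relay.cloudflare.com   # sinkholed
0.0.0.0 CP4.cloudflare.com apple-relay.fastly-edge.com
192.0.2.10 apple-relay.apple.com
127.0.0.1 apple-relay.apple.com
"""

def parse_hosts(text):
    """Map each hostname in hosts-file text to the addresses given for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks
        for name in fields[1:]:                  # fields[0] is the address
            table.setdefault(name.lower().rstrip("."), []).append(fields[0])
    return table

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                           # malformed or scoped address
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text, names=PCC_HOSTS):
    """Classify each name as 'blocked', 'missing' or 'conflict'."""
    table = parse_hosts(text)
    result = {}
    for name in names:
        addrs = table.get(name, [])
        if not addrs:
            result[name] = "missing"
        elif all(is_sinkhole(a) for a in addrs):
            result[name] = "blocked"
        else:                                    # some entry points elsewhere
            result[name] = "conflict"
    return result

if __name__ == "__main__":
    with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
        for name, state in audit_hosts(fh.read()).items():
            print(f"{name}: {state}")
```

Anything other than "blocked" for all four names means the hosts-file control has drifted and should be flagged in inventory.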
What else can be done to outsmart Apple Intelligence?
Turns out there’s a user-level preference in /Users/USERNAME/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist, and when you enable Apple Intelligence it has a key that’s a boolean. But there’s a catch... if you log in to an Apple Account on the Mac, the key name is the same as the AccountDSID in MobileMeAccounts.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>16512166894</key>
<true/>
</dict>
</plist>
This makes it impossible to use a configuration profile because this would be different for every machine that has an Apple Account signed in.
Here is an example of a script that could be used.
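#!/bin/bash
# bash on macOS does not set USERNAME, so take the user logged in at the console
USERNAME=$(/usr/bin/stat -f%Su /dev/console)
# The DSID of the signed-in Apple Account is the key name in the opt-in plist
AccountDSID=$(/usr/libexec/PlistBuddy -c "print Accounts:0:AccountDSID" "/Users/$USERNAME/Library/Preferences/MobileMeAccounts.plist")
/usr/bin/defaults write "/Users/$USERNAME/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn" "$AccountDSID" -bool false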
If nobody has signed into an Apple Account, it becomes much, much, much easier.
This file, /Users/USERNAME/Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist, now looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>device</key>
<true/>
</dict>
</plist>
And this can easily become a configuration profile:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadIdentifier</key>
<string>ad55b7f3-1d05-4ad1-ae9d-72e4aa623ef7</string>
<key>PayloadUUID</key>
<string>ad55b7f3-1d05-4ad1-ae9d-72e4aa623ef7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadType</key>
<string>com.apple.CloudSubscriptionFeatures.optIn</string>
<key>device</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Lock Apple Intelligence</string>
<key>PayloadDisplayName</key>
<string>[com.apple.CloudSubscriptionFeatures.optIn]</string>
<key>PayloadIdentifier</key>
<string>com.apple.CloudSubscriptionFeatures.optIn</string>
<key>PayloadOrganization</key>
<string>My Org</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>65bb5a49-a6c5-4b2a-b717-f0539e1bb6e5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
If a user is NOT logged into an Apple Account, this profile completely disables the ability to enable Apple Intelligence. If a user signs into an Apple Account, Apple Intelligence will no longer be blocked from being enabled.
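To report which accounts have opted in, the check has to pick the right key: the AccountDSID when an Apple Account is signed in, otherwise `device`. The following is an added example, not code from the original post; it assumes a Python 3 runtime on the Mac, that it runs as root so it can read every user's preferences, and the function names are hypothetical.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

OPTIN = "Library/Preferences/com.apple.CloudSubscriptionFeatures.optIn.plist"
ACCOUNTS = "Library/Preferences/MobileMeAccounts.plist"

def load_plist(path):
    """Return the plist as a dict, or {} if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:        # plistlib detects XML vs binary
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}

def account_dsid(home):
    """AccountDSID of the first signed-in Apple Account, or None."""
    accounts = load_plist(Path(home) / ACCOUNTS).get("Accounts") or []
    if accounts and isinstance(accounts[0], dict):
        dsid = accounts[0].get("AccountDSID")
        return str(dsid) if dsid else None
    return None

def optin_status(home):
    """Return (state, key checked) for one home folder."""
    key = account_dsid(home) or "device"    # key name depends on sign-in state
    optin = load_plist(Path(home) / OPTIN)
    if key not in optin:
        return ("not-set", key)
    return ("enabled" if optin[key] is True else "disabled", key)

def report(users_root="/Users"):
    """Map each home folder under users_root to its opt-in status."""
    root = Path(users_root)
    if not root.is_dir():
        return {}
    # Shared and Guest are skipped as non-personal folders (an assumption).
    return {h.name: optin_status(h) for h in sorted(root.iterdir())
            if h.is_dir() and h.name not in ("Shared", "Guest")}

if __name__ == "__main__":
    for user, (state, key) in report().items():
        print(f"{user}: Apple Intelligence opt-in {state} (key {key})")
```

The output can feed an inventory attribute, with the remediation script above run only for accounts reported as enabled.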
We now can report on the status of Apple Intelligence and disable it if it’s been enabled, but there’s an easier way.
Remember Apple Intelligence is an Opt-In feature. So if you block the ability to even reach and opt-in, you don’t have to worry about any of this. You can block the System Setting Pane and prevent users from even being able to reach the switch to enable Apple Intelligence.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadIdentifier</key>
<string>40f103be-43e9-46aa-9913-a15fce2b81bf</string>
<key>PayloadUUID</key>
<string>40f103be-43e9-46aa-9913-a15fce2b81bf</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadType</key>
<string>com.apple.systempreferences</string>
<key>DisabledSystemSettings</key>
<array>
<string>com.apple.Siri-Settings.extension</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Profile to Block Apple Intelligence and Siri Pane</string>
<key>PayloadDisplayName</key>
<string>[AI] com.apple.systempreferences settings</string>
<key>PayloadIdentifier</key>
<string>com.apple.systempreferences.AI</string>
<key>PayloadOrganization</key>
<string>Your Org</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5f944221-2e23-45da-8470-ef83f33a93a0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Don’t forget to skip the Setup Assistant Apple Intelligence panel as well. Otherwise, when a device updates to iOS 18.2 or macOS 15.2, users will be prompted to enable it, and on macOS new users on the system will get prompted to enable Apple Intelligence unless it is skipped.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadIdentifier</key>
<string>com.apple.SetupAssistant.managedAI.49f103be-43e9-46bb-9914-a15fce2b23ja</string>
<key>PayloadUUID</key>
<string>49f103be-43e9-46bb-9914-a15fce2b23ja</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadType</key>
<string>com.apple.SetupAssistant.managed</string>
<key>SkipSetupItems</key>
<array>
<string>Intelligence</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Profile to Block Apple Intelligence Setup Assistant Panel</string>
<key>PayloadDisplayName</key>
<string>[AI] com.apple.SetupAssistant.managed settings</string>
<key>PayloadIdentifier</key>
<string>com.apple.SetupAssistant.managed.AI</string>
<key>PayloadOrganization</key>
<string>Your Org</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5f945221-2e32-45da-8471-ef83f34a94a4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
With all of these potential strategies, you can now outsmart Apple Intelligence and keep it under control in your organization.
As more develops with Apple Intelligence and updates to the systems ship, there may be a part 2 or even part 3 as things are discovered.
UPDATE: Apple Intelligence attempted to outsmart the Mac Admin community. It turns out the System Settings Pane for Apple Intelligence & Siri will be blocked the first time it is launched after the profile is installed, but not after that. While this way of blocking panes has been deprecated since macOS 13.0, it has been a critical tool for Mac Admins to restrict access to certain settings for over a decade. It in fact still works fine for other System Settings panels, just not Apple Intelligence & Siri. HOWEVER, System Settings Panes are individual binaries that can be blocked. Restricting the exact process SiriPreferenceExtension using something like Restricted Software in Jamf or Application Blocking in Kandji will block it.
UPDATE 2: Turns out if you’re fully signed into an Apple Account, the domain and payload in a configuration profile to block the System Settings Pane works.
If you enjoyed this, check out Part 2 “From Smart to Smarter: Elevating Apple IQ Even More”.
These views are my own and not the views of my employer. If you have any questions or want more information on this, feel free to contact me on the MacAdmins Slack (boberito), LinkedIn (linkedin.com/in/bob-gendler-8702014), GitHub (http://github.com/boberito/) or email (bobgendler@gmail.com).