Using the Applications & Custom Settings payload in Jamf Pro to manage the ChatGPT integration with Apple Intelligence
External intelligence, external inSMELLigence, amirite?
Now that macOS 15.2 and iOS 18.2 are out the door, organizations may be finding themselves in a position to limit the use of ChatGPT in conjunction with Apple Intelligence. Arguably the simplest way to achieve this with Jamf Pro is to use the Applications & Custom Settings payload for macOS configuration profiles and add the organizationally-defined controls that way.
First, you'll want to create a smart group with the criteria of your choosing that, at bare minimum, looks for computers running macOS 15.2 or later.
Then, create a new macOS configuration profile for the com.apple.applicationaccess domain that includes the provided keys for managing the external intelligence integration settings.
domain: com.apple.applicationaccess
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allowExternalIntelligenceIntegrations</key>
<false/>
<key>allowExternalIntelligenceIntegrationsSignIn</key>
<false/>
</dict>
</plist>
(Please be mindful of your copy/paste here! Here is a gist you can copy from if needed.)
Once deployed (I'd suggest using a test scope before you use your targeted OS version scope) the settings will be greyed out in System Settings and any prompts asking to help configure ChatGPT will alert that the option is restricted.
A few notes on these restriction payloads, from the Apple Github repo for device management:
- allowExternalIntelligenceIntegrations (link)
- content: If false, disables the use of external, cloud-based intelligence services with Siri. On iOS, this restriction is temporarily allowed on unsupervised and user enrollments. In a future release, this restriction will require supervision and will be ignored on non-supervised devices.
- allowExternalIntelligenceIntegrationsSignIn (link)
- content: If false, forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction will cause them to be signed out when the next ChatGPT request is attempted.
While it may be the case that there is a hierarchy of settings (e.g., a restriction for allowExternalIntelligenceIntegrations implying a restriction for allowExternalIntelligenceIntegrationsSignIn as well), we don't have clear documentation of that being the case. As a result, deploying both is likely the safest bet to ensure that anyone who had signed in previously will be signed out on the next prompt attempt once the restriction is in place.
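The copy/paste caution and the recommendation to deploy both keys can be checked before the plist is uploaded. This is an added example, not part of the original post and not Apple or Jamf tooling: it uses Python's standard plistlib, and the function name `lint_custom_settings` and the sample inputs are constructed for illustration.

```python
import plistlib

# The two restriction keys this page deploys to com.apple.applicationaccess.
REQUIRED_KEYS = (
    "allowExternalIntelligenceIntegrations",
    "allowExternalIntelligenceIntegrationsSignIn",
)
# Curly quotes and no-break spaces that editors and chat tools swap in on paste.
PASTE_ARTIFACTS = "\u201c\u201d\u2018\u2019\u00a0"


def lint_custom_settings(xml_bytes):
    """Return a list of problems; an empty list means the payload is safe to upload."""
    problems = []
    text = xml_bytes.decode("utf-8", errors="replace")
    found = [f"U+{ord(c):04X}" for c in PASTE_ARTIFACTS if c in text]
    if found:
        problems.append("paste artifacts present: " + ", ".join(found))
    try:
        payload = plistlib.loads(xml_bytes)
    except Exception as exc:  # any parse failure means the upload would be wrong
        return problems + [f"not a valid plist: {exc}"]
    if not isinstance(payload, dict):
        return problems + ["top-level element must be a <dict>"]
    for key in REQUIRED_KEYS:
        if key not in payload:
            problems.append(f"missing key: {key}")
        elif payload[key] is not False:
            # <string>false</string> parses as text, not as a boolean restriction
            problems.append(f"{key} must be <false/>, got {payload[key]!r}")
    return problems


# Constructed sample inputs: the page's payload, then two damaged copies of it.
HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
GOOD = (HEADER
        + b"<key>allowExternalIntelligenceIntegrations</key><false/>\n"
        + b"<key>allowExternalIntelligenceIntegrationsSignIn</key><false/>\n"
        + b"</dict>\n</plist>\n")
WRONG_TYPE = (HEADER
              + b"<key>allowExternalIntelligenceIntegrations</key><string>false</string>\n"
              + b"</dict>\n</plist>\n")
CURLY = GOOD.replace(b'version="1.0">', 'version=\u201d1.0\u201d>'.encode("utf-8"))

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("wrong type", WRONG_TYPE), ("curly", CURLY)):
        print(name, "->", lint_custom_settings(sample) or "OK")
```

A payload that parses but carries a string instead of `<false/>`, or only one of the two keys, uploads without complaint, so this check is worth running on the exact text pasted into the profile.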
As long as I'm here, let's look at iOS as well. This approach isn't quite as artisanal as the macOS profile above. As of Jamf Pro 11.12.0 (see notes section below) admins have the ability to deploy a restriction payload for External intelligence integrations.
Note that the implementation in Jamf Pro does seem to imply a hierarchy of settings. You can't deploy a login restriction in addition to an overall feature restriction. Interesting, but undocumented by Apple as far as I can tell. I'd recommend filing feedback with Jamf and Apple for clarity around that.
On the managed device this setting will remove interactivity with the configuration in Apple Intelligence & Siri settings on Apple Intelligence eligible devices.
It's also kind of cute that it says "Your parent or guardian has turned off ChatGPT integration features on this iPhone." I suppose an organization's mobile device management is kind of like a guardian of sorts?
The keys for iOS and macOS are the same, so it would be possible to sign and upload a profile with comparable keys. It would likely look something like this (gist link). Please test that on test devices before any wider deployment, as I have not tested it myself.
A few things to note:
- Jamf Pro 11.12.0 may not be available to some customers at this time. Check in with your Jamf account team for more information. In the meantime you can review what's included in that release on learn.jamf.com.
- For additional restriction options for features of Apple Intelligence beyond the "external intelligence integrations" see the Apple Platform Deployment guide.
- For more information on the security updates relating to this release cycle see Apple's Security Releases page.
- To learn more about Apple Private Cloud Compute see the Apple Security Research portal.
- To ensure you are ahead of new MDM controls and features available for Apple platforms make sure to sign up for AppleSeed for IT (and for Jamf customers, the Jamf beta program via Jamf Account).
- To learn more about Screen Time controls for Apple Intelligence & Siri see this guide from Apple.
- You can review Apple's privacy policy for Apple Intelligence & Siri on their website.
- Star the device-management repo from Apple on Github to see updates to available device management client schema as they develop.