Block iCloud or Apple ID sign-in on iPads managed with HexnodeSolved

For app installation without requiring an Apple Account on the device, you can use Apple Business with Apps and Books, commonly referred to as VPP. Once the app licenses are acquired in Apple Business and the VPP token is configured and synced in Hexnode, apps can be deployed remotely from Hexnode without requiring users to sign in to the App Store.

For blocking Apple Account or iCloud sign-in, the relevant restriction is to prevent account modification. In Hexnode, this is configured through the iOS Advanced restrictions policy by disabling ‘Modify an account’. However, Apple requires the iPad to be supervised for this restriction to take effect.

If the iPad is not supervised, users may still be able to add an Apple Account even if the restriction is configured in the policy.

That explains part of it. I synced the app licenses from Apple Business and the Hexnode app installed successfully after that. But the iPads still allow Apple ID sign-in. These devices are not currently listed in Apple Business. Does that mean the restriction will not work at all?

Is there any workaround using a configuration profile from another tool, like creating a custom profile and pushing it to the iPad?

No reliable workaround is available for unsupervised iPads.

This is an Apple enforcement requirement, not a Hexnode-specific limitation. A configuration profile can include the account modification restriction, but iOS will only enforce that restriction on supervised devices. To block Apple Account sign-in and keep the iPads managed without personal Apple accounts, the devices must first be supervised through Apple Business or Apple Configurator. Once supervised, you can combine the account modification restriction with VPP-based app deployment so apps install silently without requiring an Apple Account on the device.