Is there a way to prevent employees from setting up icloud accounts?
The issue we have is employees set up an icloud account then leave the business and the phone become a costly paperweight because there is no way to reset the phone due to the icloud account.
If possible it would be nice to disable icloud all together to avoid lockouts and mixing of personal and work data.
Best Answer
This is really two questions, but let's get brief answers and then you can ask a follow on question if one topic needs more details.
MDM profile can only disable saving data from managed apps to iCloud. If your employee buys the app themselves and then adds company data to that app, you have no technological policy recourse and need to handle that with personnel policy, training and HR.
You can contact Apple and provide proof of purchase as the original purchaser to recover any locked device. Going forward, buy all devices from Apple directly as part of the DEP for Business or Education program. https://www.apple.com/business/dep/ That way you can unlock devices yourself and they automatically check in to your MDM. Again, write HR policy to let employees know they are responsible for the cost of the equipment they don't rerun and the cost of recovery efforts if they don't unlock the devices. Now IT has nothing to do other than fill out the paperwork and let HR and legal handle cases where theft and rage quit users don't follow the policies and procedures you educated them about while they were employees.
You can also disable iCloud altogether, but most deployments I've seen have decided to not do that except for pre-teen children and cart deployment use where each device is managed with Apple Configurator and wiped regularly.