Managed Apple IDs and Identity Provider (IdP) Federation
With Apple devices continuing to gain prevalence within both educational institutions and businesses of all sizes, it’s becoming increasingly important for organisations to manage not only their devices but also the Apple ID that the user signs in with.
This is where Managed Apple IDs come in.
While you can restrict the ability to sign in to an Apple ID using an MDM solution (or our team can do this for members of our own managed service offerings), in doing so you are denying users key functionality and features, such as iWork collaboration and iCloud Backup. This article aims to highlight these benefits and discuss how to leverage your organisation’s existing Microsoft 365 accounts as Managed Apple IDs to give your users one fewer login to remember.
That said, it should be pointed out that it remains best practice to disable signing in to any Apple ID on devices that aren’t permanently assigned to an individual user and where Shared iPad isn’t being used. This is most common in smaller school settings, where there may not be the network infrastructure to support Shared iPad nor the budget available for a 1:1 deployment. In those cases, Apple Classroom can still be used with generic MDM-only users, and this is the method our experts use to support many of our FirstClass managed service educational customers.
What is a Managed Apple ID?
A Managed Apple ID is simply an Apple ID that is owned and managed by an organisation rather than the end-user, and can only be created within an Apple School Manager (ASM) or Apple Business Manager (ABM) account.
They are similar to personal Apple IDs but with a few limitations, such as:
- They cannot be used to purchase apps or be added to Family Sharing.
- They cannot use iCloud Mail.
- They cannot be used for Find My.
- They cannot use Apple Pay.
- They cannot use Apple services such as Apple Music, Apple Arcade, Apple One or Apple TV+.
Just as you create organisational email accounts for your users rather than allowing their personal ones to be used, Managed Apple IDs allow for uniform naming styles and a focus on work use.
Key Features of Managed Apple IDs
- Password resets are easily done by a designated admin within ASM/ABM.
- Complimentary 200GB of iCloud storage (Apple School Manager only).
- Enables collaboration within Pages, Numbers and Keynote apps so users can work on files together.
- Enables digital books purchased via VPP to be distributed.
- Enables iCloud Backups, iCloud Drive files and other iCloud data to be stored away from personal Apple IDs, increasing data security.
- Accounts and their associated data can be deactivated or deleted when users leave an organisation, again giving you much greater control over your organisational data.
- Continuity features including Handoff, Sidecar, Universal Clipboard and Universal Control are supported on devices running macOS 14.1 or later, or iOS/iPadOS 17.1 or later.
- Controls are available for ABM/ASM admins to restrict Managed Apple ID sign-in on devices, apps, app features and services.
- 'Sign-in with Apple' is supported, and automatically uses the Managed Apple ID for managed apps and the personal Apple ID for non-managed apps.
IdP Account Federation and SCIM
If you use Microsoft 365 or Google Workspace accounts within your organisation, you can set up account federation in ASM or ABM to allow your users to simply sign in to their Apple devices with those existing credentials, and a Managed Apple ID will be automatically created for them. In these cases, there’s no need to remember yet another password, as the Managed Apple ID password will stay in sync with the Microsoft or Google account password as it changes. Apple may well add support for additional IdPs in future, enabling more customers to benefit from account federation.
SCIM (System for Cross-domain Identity Management) provisioning is a complementary process: in addition to federated sign-in, the user’s name and other attributes are also updated in their Managed Apple ID whenever they’re changed within Azure AD. This can be handy if a user changes their name due to a marriage, for instance.
Account-Driven User Enrolment (for BYOD)
Apple’s Account-Driven User Enrolment feature allows personally owned devices to be lightly managed by an MDM and separates the user’s personal Apple ID data from their Managed Apple ID data, even while both accounts are being used simultaneously. This ensures protection for critical work data stored in their Managed Apple ID while still allowing the user to have access to their personal iCloud data. Should a user leave the organisation, all work data (including their Managed Apple ID) is securely removed from the device but their personal data remains untouched.
Account-Driven Device Enrolment
With macOS Sonoma, iOS 17 and iPadOS 17, Apple built upon this feature to also enable organisationally-owned devices to be enrolled after setup, using the same workflow as Account-Driven User Enrolment. This enrols the device into the organisation’s MDM and provides the same full management capabilities as a zero-touch Automated Device Enrolment, which the user is clearly made aware of on-device prior to commencing the enrolment.
Organisations can only have one type of account-driven enrolment in place at once, so it’s important to consider which is most advantageous to their way of working.
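Both account-driven enrolment flows begin with the device looking up the organisation’s domain at the well-known path `/.well-known/com.apple.remotemanagement`, which returns a JSON document whose `Servers` entries carry a `Version` of either `mdm-byod` (User Enrolment) or `mdm-adde` (Device Enrolment). The checker below is an added example, not code from the article or from Apple; it parses such a document, reports which enrolment type the domain advertises, and flags a document that mixes both types or points at a non-HTTPS server. The sample documents and the `mdm.example.com` host are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Well-known service-discovery path and the two Version values Apple's MDM
# protocol documentation defines for account-driven enrolment.
DISCOVERY_PATH = "/.well-known/com.apple.remotemanagement"
ENROLMENT_TYPES = {
    "mdm-byod": "Account-Driven User Enrolment",
    "mdm-adde": "Account-Driven Device Enrolment",
}

def check_discovery_document(body: str) -> dict:
    """Parse a service-discovery response body and report the enrolment type it
    advertises. Returns {"type": ..., "base_urls": [...], "problems": [...]}."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"type": None, "base_urls": [], "problems": [f"not JSON: {exc}"]}
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return {"type": None, "base_urls": [], "problems": ["no Servers array"]}
    versions, base_urls = set(), []
    for entry in servers:
        if not isinstance(entry, dict):
            problems.append("Servers entry is not an object")
            continue
        version = entry.get("Version")
        base_url = entry.get("BaseURL", "")
        if version in ENROLMENT_TYPES:
            versions.add(version)
        else:
            problems.append(f"unknown Version {version!r}")
        # Enrolment traffic must go over TLS; a plain-http BaseURL is a misconfiguration.
        if urlparse(base_url).scheme != "https":
            problems.append(f"BaseURL is not https: {base_url!r}")
        base_urls.append(base_url)
    if len(versions) > 1:
        problems.append("document mixes user and device enrolment entries (only one type can be in place at once)")
    enrol_type = ENROLMENT_TYPES[versions.pop()] if len(versions) == 1 else None
    return {"type": enrol_type, "base_urls": base_urls, "problems": problems}

# Constructed sample responses; mdm.example.com is a placeholder host.
GOOD_DOC = json.dumps({"Servers": [{"Version": "mdm-adde", "BaseURL": "https://mdm.example.com/enrol"}]})
MIXED_DOC = json.dumps({"Servers": [
    {"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/byod"},
    {"Version": "mdm-adde", "BaseURL": "http://mdm.example.com/adde"},
]})
```

Fetching `https://<your-domain>` + `DISCOVERY_PATH` and passing the response body to `check_discovery_document` is a quick way to confirm which enrolment type your domain is actually advertising before rolling either flow out.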