09-22-2021 11:13 AM - edited 09-22-2021 11:15 AM
We recently initiated Federated Authentication in our environment and I have noticed a strange thing - if I am trying to add an account via Apple Business Manager and I I want to set it's "Role" to Administrator - it automatically selects Authentication: "Apple". Only if I select Staff it is added as "Federated". Does it mean that Administrator "Role" account on Business Apple Manager can only be authenticated via Apple? As it requires attaching a working phone number in such case... Any insight on this would be great!
Posted on 09-22-2021 03:58 PM
This is the case for a lot of applications behind an identity provider or federated login. It makes sense if you think about it. It's so if there's an issue with federation, your admins can login to fix it. Avoiding all eggs in the federated basket.
Posted on 09-22-2021 04:05 PM
I see your point, the issue is - admin Apple auth account requires attaching a personal phone and what if admin is out of country and there is something urgently needs to be done with admin rights?
Posted on 09-29-2021 11:59 AM
In our org we create a separate admin account for each admin.
Posted on 09-29-2021 05:46 PM
are those accounts using personal AppleIDs with personal cellphone attached?
Posted on 09-29-2021 06:11 PM
You can create Apple IDs in ABM using their work addresses (or add .appleid like Apple recommends). Distribute to all of your desired admins. Each person can use their own phone.
Maybe I’m misunderstanding your situation, but that seems to cover it?
Posted on 09-29-2021 06:55 PM
"or add .appleid like Apple recommends" - could you point me please to the documentation where this is recommended?
Otherwise I think it answers my question: ABM admins can only have non-federated Apple ID accounts with personal phone MFA authentication, am I understanding this correctly?