Not directly Jamf related, but obviously related to Jamf. I am trying to add another user to ABM and he already has an Apple ID. It's telling me I can't add him. How do I add someone to ABM with an existing Apple ID? Apple support is 100% useless. Thanks!
I led a session on this topic at JNUC 2019 which talks about one way you can do this. It was geared for Apple School Manager instead of ABM, but Apple has now brought this capability to ABM as well. Feel free to check it out here. In short, we did it through Azure integration. Fair warning, I'm not the most telegenic or charismatic presenter, but folks did like the session and it answers some questions about the process:
There are a couple of ways around this. You can ask the user to change their AppleID, then create a new one in ABM with the address you want them to have. Or, you could also add a domain like appleid.mydomain.com and then create users under that domain.
We, ok I, decided to just brute force everyone into changing their AppleIDs by claiming the domain in ABM and using Federated authentication w/Azure. Where I've run into trouble here is AppleSeed for IT, the Developer iOS app, and the Apple Developer Account Holder role. AppleSeed does not have the modern authentication option to go out and try to authenticate without a password. The Apple iOS Developer App does not allow managed/federated AppleIDs; it tries, but fails. The website works, but not the app; it's weird. Lastly, since there are some roles that require Apple's 2-Factor Authentication turned on, you cannot use a federated account for those roles, and the Account Holder in the Developer portal is one of those accounts. I've spoken to Apple Enterprise Support multiple times so far on all of these issues; none have been resolved yet.
Managed Apple IDs (for Apple Business Manager) cannot be email addresses already used for existing Apple IDs. Along with the info above, you can configure your Apple Business Manager so managed Apple IDs are in the form of firstname.lastname@example.org, and you can set their account so their email is still email@example.com.
When you flip the switch for the federation, is the end user immediately notified that you have created an AppleID for them? What, if any, control do you have over how your users are communicated with? I’ve asked Apple, and they keep referring me to KBase articles describing how the process works, but nothing on my actual question which is what this looks like from the end user perspective.
@jpar0 If they have an existing AppleID within the domain you have claimed and set up federation for, they are notified immediately. They get 30 days to change it with the ID still working. After 30 days they can no longer use any services associated with it, and if they try to log in they are only able to change the AppleID. After 60 days the account is disabled. They do receive multiple notifications during that 60-day time frame. I will know next Tuesday what happens after the 60 days as far as being able to create a new account with that old name if the account was never changed, but I'm guessing you would hear from the user by that point since they haven't been able to use the account for a while.
@tdclark is almost exactly right. Turning on federation kicks off the process to migrate personal (meaning non-federated, not necessarily personal) accounts off the claimed domain. I know that people may not have a chance to watch the video from my JNUC presentation above, but I'm sure many of you may have questions about what to do with certain VIP/tech/service Apple IDs, and my presentation covers exactly what we did for those as part of this process. In short, we had zero loss of assets and no downtime.
During that time in the federation window (unsure of the number of days on ABM; it's 60 on ASM), progressive warnings to end users with personal Apple IDs get more ardent. At the end of the window, Apple does it for you. The accounts aren't technically disabled; they just get migrated to a dummy domain they create for that purpose that an unsuspecting end user may not know about. At that point the only real way to create accounts on the main domain is through ABM.
@blackholemac Thank you for the reply. What about new AppleIDs that are created? Is a notification sent to them?
I understand the situation if they have an existing AppleID with the domain you federate, but what about those who don’t?
In this scenario my employee has a personal AppleID firstname.lastname@example.org, and we create an AppleID using our corporate domain and the appleid prefix, making email@example.com. Would Tom receive an email from Apple saying “Your admin has made an AppleID for you. Log in and start using it today”?
Once you have established the federation with Apple and Azure, it will not allow an end user to create an Apple ID on "yourcompany.org" period. Only you as the admin of Apple Business Manager can do that.
As to the scenario: firstname.lastname@example.org's Apple ID (assuming the personal Apple ID was created pre-federation). You decide then to federate and click the switch on. At that point email@example.com receives a notice both on his device and through email that he needs to essentially "go park his stuff (personal Apple ID) somewhere else". He would be prompted to tap on the warning message and change his existing Apple ID to firstname.lastname@example.org or email@example.com or essentially change it to anything he wants.
60 days after he did, you would then be able to create him an Apple ID firstname.lastname@example.org through Apple Business Manager, and it is a Managed Apple ID. He would use the same credentials as you assigned him on the Azure side of the house. Unfortunately though, it isn't like some Azure-linked services such as Adobe or OneDrive where you can sign in with an ID and distinguish between whether it's a personal or a work and school controlled account.
Thank you - and when we create these new AppleIDs via the federation, and an end user DOES NOT have an AppleID using the domain we federate, is anything sent to the end user automatically by Apple, or are we in control of how/when employees are notified we have made a new AppleID for them?
I can say this one with zero doubt: employees (or in our case, staff and students) are not notified until we tell them what to do. One of our schools is a non-Apple school and, unbeknownst to those staff and students, every one of them has a Managed (and federated) Apple ID. We use a link to our PowerSchool database to populate Apple School Manager. I don't think you have that with ABM, but anyway, you create the account and you control when the user knows about the account that was created on their behalf.
@blackholemac Thanks for all the info (it wasn't directed at me, but was still helpful nonetheless)
We have been creating Apple IDs with the standard domain email address ("@mydomain.com") for about 5 years. This means we have a decent amount of calendar invites, emails, pictures and everything wrapped up in these Apple IDs. Naturally I will want the same people to then take over that same ID when it becomes federated. Do you know if there is a function to migrate without "losing" any of the attached stuff, or having to have everyone in the company undertake a transfer process of all of their stuff and then transfer it back, for what seems to them to be no benefit?