Posted on 03-31-2021 08:01 AM
We are considering utilizing Managed Apple ID's for our faculty and staff at our university. Has anyone done this? Has anyone set this up and could tell us what it would take to spin up? Time frames, tasks we need to do, backend protocols, changes in deployment methods, etc.
Just trying to get a head start on this. We use Azure as our main AD service and use ASM as well as Jamf Pro to manage our iPads.
Posted on 03-31-2021 10:57 AM
When we first went with iPads for our 1:1 device we were not using Managed Apple IDs so a lot of staff that got devices early created their own Apple IDs using their school emails. When we started to use Managed Apple IDs those staff members were created with -1 .1 or some form after their name. This has caused some problems with matching usernames with ASM usernames in Jamf.
Since you mention using Azure as your AD service I would look into utilizing the federation feature for ASM. This will create their Managed Apple IDs using their AD credentials without having another password. We do not have Azure so teachers have to remember another complicated password to login and get a two factor code. It causes a lot of problems for us. It will also take ownership of anyone who managed to create a personal Apple ID using your domain.
We sync ASM with our SIS through a plugin provided by Apple. Accounts are created automatically through this method and classes are synced as well. It works pretty well. New students however need their passwords reset manually in order to login because we don't have federation setup. Password resets are the main complaint from me about the Managed Apple IDs, this would be null with a federated setup.
What we recommend teachers do is sign into the iCloud with their Managed Apple ID and then sign into the App Store using a personal Apple ID so they can download apps. Managed Apple IDs cannot be used in Apple Stores.
Posted on 04-05-2021 08:54 AM
I have been using Managed Apple IDs set up with federation through Azure for about three years. It has been a lifesaver for my users as they essentially only have to remember one password now for all of their accounts. It also allows you to take complete ownership over your domain email addresses so that users can't use their enterprise email addresses to create personal Apple IDs. The attached checklist is handy for getting started with this process.