I apologize if this has been asked previously. I did some searching but couldn't find a clear answer and was hoping someone may be able to help.
We plan to deploy a few hundred iPhones and the topic of managed Apple ID's with ABM came up.
We have been told you can deploy apps to devices without the user having a managed Apple ID using ABM auto enrollment (DEP) and technically do not need Managed Apple ID's.
I am trying to weigh the pros and cons of using a managed Apple ID vs not.
I have been told iCloud features (Backup, iMessages etc?) require an Apple ID.
On the other hand the complexity of setting up federation with Azure AD may not be justifiable as we may only gain a few iCloud features we may not use.
Does anyone have experience with this, and are there any pitfalls from going either way?
Thanks in advance
We do not manage iOS devices, so I'm not an expert at this, but I can tell you that one advantage of using Managed Apple IDs is activation lock. If you let your users use their personal iCloud accounts on the devices and they enable Find My services, when they leave if they do not remove that account or wipe the device, you may have to deal with Activation Lock. That means calling Apple and proving ownership of the device before they will unlock.
Now, if the devices are all in DEP you may not have a major issue with proving ownership. But taking the extra time to deploy Managed Apple IDs makes it that much easier.
Just my two pennies.
Within the Jamf Pro PreStage Enrollment you can "Prevent user from enabling Activation Lock". If you choose not to prevent it, you can still remove activation lock when the device is Supervised.
I use ASM and MAIDS on campus and a few things to consider.
Activation Lock...it is always nice to avoid the risk of a personal Apple ID locking a device...JAMF isn't perfect at removing it :(
I have started testing the activation lock...I can't remember where it's at off the top of my head either in ASM or JAMF...maybe both but it enables activation lock on devices before an Apple ID is entered (personal or MAID) using the main ASM id. This is great because at least I always know the credentials needed to unlock it but JAMF seems to always fail when trying remove the lock with a remote command.
Apps...Assigning apps to a device means you don't need an ID at all but if you allow BYOD or have a paid app that a user may need on their personal device as well...I have my VPP invitation set to auto accept on MAIDs and this allows you to still use user assignments when needed. On BYOD or unmanaged devices they just sign in to the app store with their MAID and they can download their "purchased" apps.
The auto accept invite just works and doesn't prompt users and since I do not send invites to normal IDs anymore, I have yet to run into any problems in the past year or so *knocks on wood but, I still rely mostly on device assignments instead of users.
ASM gets 200 gigs of iCloud storage...not sure if that applies to ABM as well but comes in handy if you allow something like iCloud drive and all of the data on a MAID can be locked and audited if needed.