Ecco_Luke

With Apple devices continuing to gain major prevalence within both educational institutions and businesses of all sizes, it’s becoming increasingly important for organizations to manage not only their devices but also the Apple ID that the user signs in with. This is where Managed Apple IDs come in.

While you can restrict the ability to sign in to an Apple ID using an MDM solution (or our team can do this for members of our own managed service offerings), in doing so you are denying users key functionality and features, such as iWork collaboration and iCloud Backup. This article aims to highlight these benefits and discuss how to leverage your organization’s existing Microsoft 365 accounts as Managed Apple IDs to give your users one fewer log-in to remember.

That said, it should be pointed out that it remains best practice to disable signing in to any Apple ID on devices that aren’t permanently assigned to an individual user and where Shared iPad isn’t being used. This is most common in smaller school settings, where there may not be the network infrastructure to support Shared iPad nor the budget available for a current 1:1 deployment. In those cases, Apple Classroom can still be used with generic MDM-only users, and this is the method our experts use to support many of our FirstClass managed service educational customers.

What is a Managed Apple ID?

A Managed Apple ID (MAID) is simply an Apple ID that is owned and managed by an organization rather than the end-user and can only be created within an Apple School Manager (ASM) or Apple Business Manager (ABM) account.

MAIDs are similar to personal Apple IDs but with a few limitations, such as:

  • They cannot be used to purchase apps or be added into Family Sharing
  • They cannot use iCloud Mail
  • They cannot be used for Find My
  • They cannot use Apple Pay
  • They cannot use iCloud Keychain (but Keychain items can be saved on Shared iPad)
  • They cannot use Apple services, such as Apple Music, Apple Arcade, Apple One, or Apple TV+

Just as you create organizational email accounts for your users rather than allowing their personal ones to be used, MAIDs allow for uniform naming styles and a focus on work use.

Key Features of Managed Apple IDs

  • Password resets are easily done by a designated Admin within ASM/ABM
  • Complimentary 200GB of iCloud storage (for Apple School Manager MAIDs only)
  • Enables Collaboration within Pages, Numbers and Keynote apps so users can work on files together
  • Enables digital books purchased via VPP to be distributed
  • Enables iCloud Backups, iCloud Drive files, and other iCloud data to be stored away from personal Apple IDs, increasing data security
  • Accounts and their associated data can be deactivated or deleted when users leave an organization, again giving you much greater control over your organizational data

IdP Account Federation & SCIM

If you use Microsoft 365 or Google Workspace accounts within your organization, you can set up account federation in ASM or ABM to allow your users to simply sign in to their Apple devices with those existing credentials, and a MAID will be automatically created for them. In these cases, there’s no need to remember yet another password, as the MAID password stays in sync with the Microsoft 365 (or Google Workspace) account password as it changes.

SCIM is a similar process, except the user’s name and other details will also be updated in their MAID if they’re changed within Azure AD. Federation sets up SSO between ABM and Azure AD and allows them to talk to each other; SCIM piggybacks off that connection to create and update users in ABM from Azure AD. This can be handy if a user changes their name due to a marriage, for instance. This data sync occurs periodically throughout the day.

BYOD User Enrollment

Apple’s User Enrollment feature allows personally-owned devices to be lightly managed by an MDM and separates the user’s personal Apple ID data from their Managed Apple ID data, even while both accounts are being used simultaneously. This ensures protection for critical work data stored in their MAID while still allowing the user to have access to their personal iCloud data. Should a user leave the organization, all work data (including their MAID) is securely removed from the device, but their personal data remains untouched.

Jamf Pro has supported this type of enrollment since its release, and comprehensive setup instructions can be found in the Jamf Pro documentation.
