How to easily create Managed Apple ID using Azure AD?

In an organization, when you have tens of thousands of Apple devices for work, relying on Apple Business Manager and Managed Apple ID for business is an easy way to integrate, deploy, manage, and secure your endpoints from a central management point. Apple’s latest innovations have already broadened the usability of Managed Apple ID with Apple Business Manager specifically to increase the value of Apple use in a business setting.

There are certain times when Managed Apple ID may be too restrictive to use, but in most cases, they can be a perfect fit for businesses of all sizes. Knowing how to create Managed Apple IDs and deal with them is really important to make an informed decision while opting between Managed Apple IDs and standard Apple IDs. This guide aims to provide you with enough information to create Managed Apple IDs in a simple way possible using Microsoft Azure Active Directory.

What are Managed Apple IDs?

Managed Apple IDs are accounts created on behalf of employees/students by organizations/schools through Apple Business Manager and Apple School Manager. They serve the same purpose of saving user settings that can be recognized by Apple devices, tools, and services to prove the owner’s authenticity just as the normal Apple IDs do. Managed Apple IDs have been around Apple School Manager for several years, but the feature came to Apple Business Manager only recently. Managed Apple IDs are designed to fulfill specific organizational needs and role-based administration of corporate assets. The IT administrator of the organization will be managing the Managed Apple IDs, creating unique IDs in bulk, deleting unnecessary IDs, resetting ID passwords, restricting access to ID accounts, updating ID account information, and assigning roles to each of the IDs.

Why do businesses use Managed Apple IDs?

Managed Apple IDs are basically for ABM or ASM portal use and can be used to collaborate with and access several Apple apps and services that are essential for business purposes, including iCloud Drive, iTunes, Notes, Apple Music, iWork, and so on. They are also used for app licensing, personalizing devices, managing iCloud accounts, and providing shared access to enterprise accounts for collaboration purposes. Managed Apple IDs are also a vital part of the User enrollment of iOS, iPadOS, and macOS devices. In such cases, they can be used alongside the standard personal Apple IDs.
As they are devised for enterprise use, to ensure enterprise security Managed Apple IDs automatically disables several features, including:

• Apple Pay
• iCloud Mail
• iCloud Family Sharing
• iCloud Keychain
• App Store purchasing
• iTunes purchasing
• Media services like Apple Music, Apple Radio, Apple Fitness+, Apple One, Apple Arcade, Apple News+, and Apple TV+
• Find My services
• Adding HomeKit devices to the Home app
• FaceTime
• iMessage

How are Managed Apple IDs created?

Gone are the days where users must manually create their own Apple IDs and use the same for business related needs. Managed Apple IDs can be created by the user’s IT team, either manually or automatically:

• Directly from Apple Business Manager
• Using federated authentication with Azure AD
• Using SCIM with Azure AD

Creating Managed Apple ID in Apple Business Manager

In Apple Business Manager, admins can manually create unique Managed Apple IDs for each user accounts using already verified domain names following the below steps:

• Sign in to Apple Business Manager using an Administrator or People Manager account.
• Go to Accounts and search for the required account.
• Select the user and click Edit in the Account row.
• Click the Add button and choose how the Managed Apple ID should look like.
• Choose a verified domain name from the list and click Continue.
• Wait until the activity is completed or click Close.
• Click Done once finished.

Creating Managed Apple IDs manually at scale can be difficult for businesses at times, but so long as they have Azure Active Directory, that’s no longer going to be an issue. Managed Apple IDs can be created through integration with third-party identity providers like Azure AD.

Creating Managed Apple ID using Azure AD

Apple Business Manager allows organizations to quickly create accounts integrating with the existing environment. IT admins can connect Apple Business Manager with Microsoft Azure Active Directory so that Managed Apple IDs are automatically set up in a more simplified manner as compared to their manual creation. It’s a streamlined process and can be done in a matter of minutes using a domain administrator account. Managed Apple IDs use the same credentials as their existing Azure AD infrastructure. There are two ways to integrate with Microsoft Azure Active Directory to create Managed Apple IDs, either using Just in time (JIT) account creation with federated authentication or using System for Cross-domain Identity Management (SCIM).

Using federated authentication to create Managed Apple ID

Federated authentication provides an easy way to sync the identity management solution with ABM to create Managed Apple IDs. Federated authentication links an instance of Azure AD with ABM to allow users to leverage their existing Azure AD username and passwords as their Managed Apple IDs. Azure AD credentials can be used to sign into a set of Apple services and even to shared devices.

Benefits

Creating Managed Apple IDs using federated authentication with Azure AD offers many benefits that may seem less obvious. At its core, this method is able to address most of the challenges regarding automated provisioning, single sign-on, and security.

• They provide a great way to create a seamless login experience, streamlined setup, and flexible device enrollment for the users.
• It doesn’t have to spend time on creating everything in advance as Managed Apple IDs are automatically created when the user signs into their device or access any Apple services.
• It provides a single sign on experience for their Apple or Microsoft corporate identity as employees can use their existing Azure AD credentials, and there is no need to juggle with multiple passwords.
• Users get a personalized experience even if they are using a shared device.
• The device management process is also simplified as Managed Apple IDs enable constant communication between ABM and Azure AD. When the organization deactivates an employee’s Azure AD account, the Managed Apple ID turns off as well.

Requirements

Organizations should meet the following criteria to use federated authentication with ABM:

• Should have an on-premises Active Directory.
• Should have Apple devices running iOS 11.3 or later, iPadOS 13.1 or later, and macOS 10.13.4 or later.
• Domain shouldn’t be used by any other organization.
• User Principal Name of the users should match their email addresses.

Procedure

• Sign in to Apple Business Manager using an Administrator or People Manager account. Add the domains to be federated.
• Grand permission for ABM to read user profiles by signing in to Azure AD using a Global administrator or Application administrator account.
• In ABM, sign in to Azure AD using an account having the same domain that is to be federated to verify domain ownership.
• ABM checks whether there are any potential conflicts due to any existing Apple IDs with the same domain set up by any other organization. If any other organization is found to have Apple IDs with the same domain, Apple will carry out an investigation to find who actually owns the domain. If both the organizations are valid to claim the domain, none of them can use it to federate.
• If any other consumer IDs are found, ABM notifies the users to change the email addresses associated with their IDs.
• Businesses are allowed to migrate any existing Managed Apple IDs by changing their associated domain, username, and other details.

Azure AD acts as the identity provider when businesses are using federated authentication. To transfer information like login credentials and connect Azure AD with ABM for the Managed Apple ID creation process, federated authentication uses Security Assertion Markup Language (SAML). Managed Apple IDs are automatically created once the integration is done, and the Azure AD users try to login to any Apple service. This process is termed as Just in time (JIT) account creation. If any of the employees already have Apple IDs related to their work emails, an automatic conflict resolution process starts running after a specified period of time. After the integration process, all consumer Apple IDs using the company domain will be notified to change the IDs within 60 days, after which the conflict resolution process is automatically initiated.

Using SCIM instead of JIT with federated authentication to create Managed Apple ID

System for Cross-domain Identity Management (SCIM) is a feature that allows importing users to Apple Business Manager. SCIM allows merging ABM properties with accounts imported from Azure AD. Only users with Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator privileges can configure SCIM.

When Azure AD accounts for organizations already using federated authentication are sent to ABM, Azure AD acts as the identity provider for authenticating users to ABM. Organizations can even create Managed Apple IDs for all the federated Azure AD accounts when they are using the “Sync all users and groups” provisioning option with SCIM.

The main difference between SCIM and JIT is that SCIM automates both the provisioning and deprovisioning of accounts while JIT automates only the provisioning process. With SCIM, new accounts will be automatically provisioned as new users are added to your organization, and in a similar manner, once users are removed from your organization, their accounts will be automatically deprovisioned.