When an organization runs tens of thousands of Apple devices for work, Apple Business Manager together with Managed Apple IDs is the straightforward way to integrate, deploy, manage and secure those endpoints from a central management point. Apple's recent changes to Managed Apple IDs in Apple Business Manager have broadened where they can be used, specifically to make Apple devices more valuable in a business setting.
There are times when a Managed Apple ID is too restrictive, but in most cases it is a good fit for businesses of all sizes. Knowing how Managed Apple IDs are created and administered is essential to making an informed choice between Managed Apple IDs and standard Apple IDs. This guide explains how to create Managed Apple IDs in the simplest way possible using Microsoft Azure Active Directory.
Managed Apple IDs are accounts that organizations and schools create on behalf of employees and students through Apple Business Manager (ABM) and Apple School Manager (ASM). Like a standard Apple ID, a Managed Apple ID identifies its owner to Apple devices, tools and services and stores that user's settings. Managed Apple IDs have been part of Apple School Manager for several years, but arrived in Apple Business Manager only recently. They are designed for organizational needs and role-based administration of corporate assets: the organization's IT administrators manage the IDs, creating them in bulk, deleting unneeded ones, resetting passwords, restricting access to accounts, updating account information and assigning a role to each ID.
Managed Apple IDs are primarily used to sign in to the ABM or ASM portal and to the Apple apps and services that matter for business collaboration, such as iCloud Drive, Notes and iWork (Pages, Numbers and Keynote). They are also used for app licensing, personalizing devices, managing iCloud storage and providing shared access to enterprise accounts for collaboration. Managed Apple IDs are a required part of User Enrollment for iOS, iPadOS and macOS devices; in that case the Managed Apple ID coexists with the user's personal Apple ID on the same device, with work data kept in a separate managed APFS volume.
Because they are designed for enterprise use, Managed Apple IDs have several consumer features disabled for security reasons, including:
Gone are the days when users had to create their own Apple IDs and then use them for work. Managed Apple IDs are created by the organization's IT team, either manually or automatically:
In Apple Business Manager, admins can manually create a unique Managed Apple ID for each user account under an already verified domain by following the steps below:
Creating Managed Apple IDs manually does not scale well, but organizations that already run Azure Active Directory can avoid it entirely: Managed Apple IDs can be created through integration with a third-party identity provider such as Azure AD.
Apple Business Manager lets organizations create accounts quickly by integrating with their existing environment. IT admins can connect Apple Business Manager to Microsoft Azure Active Directory so that Managed Apple IDs are set up automatically, which is far simpler than manual creation. The setup takes a matter of minutes and requires an administrator account on both sides, in ABM and in Azure AD. Users then sign in to their Managed Apple IDs with the same credentials they already use in Azure AD. There are two ways to integrate with Azure AD to create Managed Apple IDs: Just-in-Time (JIT) account creation with federated authentication, and System for Cross-domain Identity Management (SCIM).
Federated authentication is the easiest way to link the identity management solution with ABM for creating Managed Apple IDs. It connects an Azure AD tenant to ABM so that users sign in with their existing Azure AD username and password as their Managed Apple ID. Those Azure AD credentials then work for a set of Apple services and even for signing in to shared devices.
Creating Managed Apple IDs through federated authentication with Azure AD has benefits that are easy to overlook. It addresses most of the challenges of automated provisioning and single sign-on, and it keeps authentication under the control of the existing identity provider, so the organization's password policy, multi-factor authentication and conditional access in Azure AD apply to Apple sign-ins as well.
To use federated authentication with ABM, an organization must meet the following criteria:
With federated authentication, Azure AD is the identity provider. When a user signs in to an Apple service with a Managed Apple ID in a federated domain, ABM redirects the sign-in to Azure AD, which authenticates the user and returns a signed identity token to Apple over OpenID Connect; the user's password itself is never sent to Apple. Once the integration is complete, a Managed Apple ID is created automatically the first time an Azure AD user signs in to an Apple service. This is called Just-in-Time (JIT) account creation. Existing consumer Apple IDs that use the company's domain conflict with this: after the domain is federated, Apple notifies the owners of those Apple IDs that they have 60 days to change them to a different email address, and when that period ends Apple's automatic conflict resolution process changes them.
System for Cross-domain Identity Management (SCIM) lets ABM import users from Azure AD and merge ABM account properties with the imported accounts. In Azure AD, only users holding the Application Administrator, Cloud Application Administrator, Application Owner or Global Administrator role can configure SCIM provisioning.
SCIM builds on federation: for an organization that has already federated its domain, Azure AD remains the identity provider that authenticates the SCIM-provisioned users to ABM and to Apple services. With the "Sync all users and groups" provisioning option, an organization can even create Managed Apple IDs for every federated Azure AD account up front, rather than waiting for each user to sign in.
The main difference between SCIM and JIT is that SCIM automates both provisioning and deprovisioning of accounts, while JIT automates only provisioning. With SCIM, accounts are created automatically as users are added to the organization and, just as automatically, deprovisioned when users are removed. With JIT, an account created at first sign-in stays active after the user leaves unless an admin deactivates it in ABM.
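To make the provisioning-versus-deprovisioning difference concrete, here is an added example (not code from the original article, and not Apple's or Microsoft's implementation) of one SCIM 2.0 (RFC 7643/7644) sync cycle next to JIT account creation. The in-memory `ScimProvider`, the attribute mapping in `to_scim_user`, and the two Azure AD snapshots `AAD_DAY1`/`AAD_DAY2` are constructed stand-ins; ABM's real SCIM endpoint and attribute mapping may differ.

```python
"""SCIM 2.0 provisioning vs. JIT account creation (constructed illustration).

The provider below stands in for an ABM-style account store reached through a
SCIM endpoint. It is not Apple's implementation; the Azure AD records are
constructed sample data."""
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def to_scim_user(aad_user: dict) -> dict:
    """Map a sample Azure AD user onto a SCIM core User resource.

    externalId carries the directory's stable object ID, so a later change of
    userName (a rename) updates the same account instead of creating a second one."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": aad_user["id"],
        "userName": aad_user["userPrincipalName"],
        "name": {"givenName": aad_user["givenName"],
                 "familyName": aad_user["surname"]},
        "emails": [{"value": aad_user["mail"], "primary": True}],
        "active": bool(aad_user["accountEnabled"]),
    }


class ScimProvider:
    """Minimal in-memory SCIM service provider keyed by externalId (assumed shape)."""

    def __init__(self):
        self.users = {}  # externalId -> stored resource

    def create_or_update(self, resource: dict) -> dict:
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("unsupported SCIM schema")
        if not resource.get("userName") or not resource.get("externalId"):
            raise ValueError("userName and externalId are required")
        existing = self.users.get(resource["externalId"])
        scim_id = existing["id"] if existing else str(uuid.uuid4())
        self.users[resource["externalId"]] = dict(resource, id=scim_id)
        return self.users[resource["externalId"]]

    def deactivate(self, external_id: str) -> dict:
        # Deprovisioning: the IdP PATCHes active=false when a user is disabled
        # or leaves the provisioning scope; sign-in stops from that moment.
        self.users[external_id]["active"] = False
        return self.users[external_id]

    def active_usernames(self) -> set:
        return {u["userName"] for u in self.users.values() if u["active"]}


def scim_sync(aad_users: list, provider: ScimProvider) -> dict:
    """One "sync all users" cycle: provision everyone enabled and in scope,
    deprovision anyone now disabled or missing from the directory snapshot."""
    in_scope = {u["id"] for u in aad_users if u["accountEnabled"]}
    provisioned, deprovisioned = [], []
    for u in aad_users:
        if u["accountEnabled"]:
            provider.create_or_update(to_scim_user(u))
            provisioned.append(u["userPrincipalName"])
    # A user deleted from the directory simply vanishes from the snapshot and
    # is handled exactly like a disabled one.
    for ext_id, stored in list(provider.users.items()):
        if stored["active"] and ext_id not in in_scope:
            provider.deactivate(ext_id)
            deprovisioned.append(stored["userName"])
    return {"provisioned": provisioned, "deprovisioned": deprovisioned}


def jit_provision(upn: str, aad_ids: dict, provider: ScimProvider) -> dict:
    """JIT: the account is created only when this user signs in through the
    federated IdP; nothing on this path ever removes an account."""
    return provider.create_or_update({
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": aad_ids[upn],
        "userName": upn,
        "active": True,
    })


# Constructed sample directory snapshots (not real accounts).
AAD_DAY1 = [
    {"id": "a1", "userPrincipalName": "ana@example.com", "givenName": "Ana",
     "surname": "Lopez", "mail": "ana@example.com", "accountEnabled": True},
    {"id": "b2", "userPrincipalName": "bo@example.com", "givenName": "Bo",
     "surname": "Chen", "mail": "bo@example.com", "accountEnabled": True},
]
# Day 2: Bo has left (account disabled in Azure AD), Cy has joined.
AAD_DAY2 = [
    dict(AAD_DAY1[0]),
    dict(AAD_DAY1[1], accountEnabled=False),
    {"id": "c3", "userPrincipalName": "cy@example.com", "givenName": "Cy",
     "surname": "Park", "mail": "cy@example.com", "accountEnabled": True},
]


def demo() -> dict:
    scim = ScimProvider()
    scim_sync(AAD_DAY1, scim)
    day2 = scim_sync(AAD_DAY2, scim)
    jit = ScimProvider()
    jit_provision("bo@example.com", {"bo@example.com": "b2"}, jit)  # Bo signed in on day 1
    # Bo is disabled in Azure AD on day 2, but the JIT path never learns about it.
    return {"scim_active": scim.active_usernames(),
            "scim_day2": day2,
            "jit_active": jit.active_usernames()}


if __name__ == "__main__":
    print(demo())
```

After the day-2 sync the SCIM store has Ana and Cy active and Bo deactivated, while the JIT store still shows Bo as active; that lingering account is exactly what the SCIM deprovisioning step removes. Keying the store on `externalId` rather than `userName` is the detail that keeps a rename or domain change from producing a duplicate Managed Apple ID.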