Jan 3, 2020
WWDC’19 dropped a huge bomb with the announcement of User Enrollment and, along with it, emphasized the significance of Managed Apple IDs in User Enrollment. But what are these Managed Apple IDs?
Surely, they are not something new. Managed Apple IDs have been around for a while now in Apple Education. They were later included in Apple Business Manager as well. Yet associating them with User Enrollment brings up a lot of questions. How do these Managed Apple IDs work? How are they different from normal Apple IDs? And are they the same as my corporate email?
An Apple ID is an authentication method used by Apple to provide access to various Apple services like iTunes, iCloud, Apple store etc. Apple IDs are used to store personal user information and settings. When an Apple ID is used to log in to a device, the settings associated with the account get applied to the device automatically.
There are two definitions for Managed Apple IDs provided by Apple. Let’s start with those.
Apple defines Managed Apple IDs as “special school-created and school-owned accounts that provide access to Apple services”.
As I mentioned before, Managed Apple IDs were first introduced in Apple School Manager. Several services available through standard Apple IDs were disabled for Managed Apple IDs to ensure a focus on learning. These include purchasing apps, Apple Pay, FaceTime, iCloud Keychain etc. Since purchases were disabled, only administrator-assigned content could be accessed on the device. Managed Apple IDs even looked different from a standard Apple ID.
“firstname.lastname@example.org” is an example of a Managed Apple ID. On the other hand, a normal Apple ID will look like “email@example.com”.
Another definition provided by Apple is,
“Managed Apple IDs are created for employees who sign in and manage functions of Apple Business Manager. They are also used to access Apple services — including iCloud and collaboration with iWork and Notes.”
Managed Apple IDs were introduced in Apple Business Manager to enable collaboration through iWork and Notes. These IDs were only to be used by employees who directly accessed and controlled ABM functions.
It’s safe to say that Managed Apple IDs are synonymous with Managed Google Play Accounts. They are elements that support the concept of BYOD.
Corporates are no longer encouraging the mixing of work and personal data. Neither are employees. A decade back, people carried separate devices for work and personal usage. But over the years, the concepts of BYOD and COPE have been recognised and put into action. Apple’s User Enrollment takes a huge leap into the BYOD scene, and Managed Apple IDs are an essential part of it. Before we discuss more about the importance of Managed Apple IDs in User Enrollment, let’s see how to create one.
Before you start creating Managed Apple IDs, ensure you have the following ready with you:
Follow the step by step guide to create a Managed Apple ID
In the case of federated accounts, Managed Apple IDs are created automatically as the user logs in. We will have a more detailed blog on federation soon. Stay tuned for that.
The Cupertino folks made it clear at WWDC that Managed Apple IDs are a necessity for User Enrollment. But how exactly does that work? Sure, we got a great demo on how User Enrollment is done but the scope of Managed Apple IDs remains undiscussed.
The use of Managed Apple IDs to configure User Enrollment was symbolized as a multi-persona system. This raises the question: if Managed Apple IDs represent my work personality, are they the same as my corporate email?
Managed Apple IDs are merely a representation tag. As in the case of standard Apple IDs, Managed Apple IDs are also linked to an email address. This email address can be the same as your corporate email as long as you don’t have an existing Apple ID linked to it. However, Apple explicitly mentioned that Managed Apple IDs should be different from corporate emails to avoid conflicts with an existing Apple ID. This is only because things can get quite complicated when it comes to federation.
Now, when you use your Managed Apple ID to enroll devices through the User Enrollment program, a separate APFS volume gets created. This ensures strict separation between work data and personal data. When the device is unenrolled, this volume is deleted and the device is restored to its original state before enrollment.
For those of you who lost me at federation, a federated identity in information technology is the means of linking a person’s electronic identity and attributes that are stored across multiple distinct identity management systems. In simple words, Apple enables you to link ASM/ABM with your Azure AD through federated authentication. As users log in using their AD credentials, distinct Managed Apple IDs get created automatically.
For a device enrolled via User Enrollment, every third-party app has to be associated with either the Managed Apple ID or the personal Apple ID. An app cannot work in both modes. The user will have access to a personal iCloud account and the managed iCloud account as well.
Is the air still cloudy? Stay tuned for more updates that will help clear the air. Meanwhile, brace for an era of change as Managed Apple IDs along with User Enrollment change the scope of iOS device management.