Apple School Manager Microsoft Entra ID Federation
Apple School Manager is the hub for Apple technologies in education, where you manage locations, register devices and buy app licenses. In this article we focus on its function to manage people, specifically their Managed Apple IDs.
What is Apple School Manager?
For more information about Apple School Manager read this article.
What is a Managed Apple ID?
Most of us are familiar with an Apple ID: the identity used to sign in to and personalise Apple devices, purchase apps, receive iMessages, register for Apple Pay etc. A normal Apple ID is owned by the individual (often referred to as a personal Apple ID) and includes services unsuitable for a classroom environment.
A Managed Apple ID for education is owned by the school and has certain services disabled. Those services include App purchasing, iMessage, FaceTime and Find My Friends.
Using mobile device management (MDM), certain users can be allowed to use a personal Apple ID alongside their Managed Apple ID to allow app purchasing.
A Managed Apple ID for education includes 200GB of iCloud storage free of charge. Great for file storage and device backups.
For more information about Managed Apple IDs read this article.
What is Microsoft Entra ID?
Microsoft Entra ID, formerly known as Azure Active Directory, is a cloud-based identity service which is replacing on-premises Microsoft servers in schools. If you use Microsoft Office 365 you probably already have Entra ID. If not, you may still be using Entra ID, so check with your Microsoft support provider.
What is ‘Federation’, and why should I do it?
Federation in this context means that Apple School Manager and Microsoft Entra ID are linked together, sharing the same common database of users.
Once the federation link has been established, your users sign in to their iPad using a Microsoft username and password: exactly the same username and password they use to sign in to OneDrive, Office apps or maybe even a PC on the school network.
Your user then has just one identity to sign in to Apple and Microsoft devices (known as single sign-on, or SSO), and that identity is automatically provided with a Managed Apple ID when used on Apple devices.
For more information about Federation read this article.
What should I consider before Federation?
When you start the Federation process in Apple School Manager, anybody with a personal Apple ID using a school email address is given 60 days to resolve that conflict by selecting a different email address to use with their personal Apple ID.
A single domain (e.g. myschool.borough.sch.uk) can only be federated against one Apple School Manager account. Therefore each school must have its own domain (i.e. several schools aren’t sharing mytrust.org.uk) and its own Apple School Manager account (i.e. not one shared with several schools).
To invite legacy VPP accounts into Apple School Manager (e.g. firstname.lastname@example.org), either do that before you start the federation process or else make sure that you resolve any Apple ID conflicts at appleid.apple.com before you send the invite. More information about inviting legacy VPP accounts into Apple School Manager can be found here.
FirstClass Managed Service for Schools
KRCS are experts in Apple School Manager and would relish the opportunity to work with you through this process.