Managed Apple Accounts and Identity Provider (IdP) Federation
With Apple devices continuing to gain prevalence in both educational institutions and businesses of all sizes, it is becoming increasingly important for organisations to manage not only their devices but also the Apple Account the user signs in with.
This is where Managed Apple Accounts come in.
What is a Managed Apple Account?
A Managed Apple Account is simply an Apple Account that is owned and managed by an organisation rather than the end user, and can only be created within an Apple School Manager (ASM) or Apple Business Manager (ABM) account.
They are similar to personal Apple Accounts but with a few limitations, such as:
- They cannot be used to purchase apps or be added to Family Sharing.
- They cannot use iCloud Mail.
- They cannot be used for Find My.
- They cannot use Apple Pay.
- They cannot use Apple services such as Apple Music, Apple Arcade, Apple One or Apple TV+.
Can Managed Apple Accounts be Enforced?
Using Apple Accounts in an education environment is recommended in order to leverage the features built into iPad and Mac, like document collaboration and iCloud storage.
There are two types of Apple Account:
- Personally owned Apple Accounts used by consumers, which belong to the individual and give the organisation no control
- Managed Apple Accounts which are administered via Apple School Manager and belong to the organisation
For data protection and safeguarding reasons, we would always recommend Managed Apple Accounts over personal Apple Accounts for device sign-in in an education setting. You have two options when it comes to enforcing this:
Option 1 - Global enforcement
This is a setting in your Apple School Manager account which dictates that only Managed Apple Accounts can be used for device sign-in on school-owned devices (i.e. devices registered in Apple School Manager). Note that this setting applies to all devices in Apple School Manager, not just those also enrolled in an MDM for management.
- Pros - Stops personally owned Apple Accounts being used at all, not just for device sign-in
- Cons - (Staff) users cannot sign in to other services with a personal Apple Account (e.g. App Store, Messages, FaceTime)
Option 2 - Acceptable Use Policy
If restricting the use of personal Apple Accounts for some services will cause problems, set expectations and policy with staff and students that they must use a Managed Apple Account for device sign in.
- Pros - More flexible and allows staff to access other Apple services with a personal Apple Account
- Cons - Users can sign out of their Managed Apple Account and sign back in with a personal Apple Account, so iCloud Drive and other iCloud data then sync to that personal account. Typically requires restrictions to be deployed to student devices to remove Messages, FaceTime etc.
Key Features of Managed Apple Accounts
- Password resets are easily done by a designated admin within ASM/ABM.
- Complimentary 200GB of iCloud storage (Apple School Manager only).
- Enables collaboration within Pages, Numbers and Keynote apps so users can work on files together.
- Enables digital books purchased via VPP to be distributed.
- Enables iCloud Backups, iCloud Drive files and other iCloud data to be stored away from personal Apple Accounts, increasing data security.
- Accounts and their associated data can be deactivated or deleted when users leave an organisation, again giving you much greater control over your organisational data.
- Features including Handoff, Sidecar, Universal Clipboard and Universal Control are supported.
- Controls are available for ABM/ASM admins to restrict Managed Apple Account sign-in on devices, apps, app features and services.
- Sign in with Apple is supported, and automatically uses the Managed Apple Account for managed apps and the personal Apple Account for non-managed apps.
IdP Account Federation and SCIM
If you use Microsoft 365 or Google Workspace accounts within your organisation, you can set up account federation in ASM or ABM so that your users simply sign in to their Apple devices with those existing credentials and a Managed Apple Account is created for them automatically. Authentication is delegated to the IdP, so there is no separate Apple password to remember or keep in sync: a password change in Microsoft 365 or Google Workspace applies to the Managed Apple Account immediately. Apple may well add support for additional IdPs in future, enabling more customers to benefit from account federation.
SCIM (System for Cross-domain Identity Management) complements federation. Rather than waiting for the account to be created at first sign-in, the IdP provisions the user into ASM or ABM, and the user's name and other details are updated in their Managed Apple Account whenever they change in Entra ID. This can be handy if a user changes their name due to a marriage, for instance.
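To make the SCIM side of this concrete, the following is an added example and not Apple's SCIM endpoint or any IdP's code: a minimal SCIM 2.0 PatchOp applier (RFC 7644, section 3.5.2) run against a constructed User resource, with the patch an IdP would send after the name change described above. The account, IDs and domain are made up for the example; only simple dotted attribute paths are handled, and the read-only `id` attribute is protected from being overwritten by a client.

```python
"""Minimal SCIM 2.0 PatchOp applier (RFC 7644 section 3.5.2).

Added example, not Apple's SCIM service or any IdP's code. It shows what an
IdP sends when a user's name changes and how a SCIM server applies it to the
stored User resource. All data below is constructed sample data.
"""
import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: the provisioned user as the SCIM server holds it
STORED_USER = {
    "schemas": [USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "7d4f2b0a-1c9e-4e3a-9b2f-0a6d5c8e1f23",
    "userName": "jane.smith@example.edu",
    "name": {"givenName": "Jane", "familyName": "Smith"},
    "active": True,
}

# Constructed sample: the PatchOp an IdP such as Entra ID would send after a
# surname change. Note it also tries to rewrite the read-only "id".
NAME_CHANGE_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "name.familyName", "value": "Jones"},
        {"op": "replace", "path": "userName", "value": "jane.jones@example.edu"},
        {"op": "replace", "path": "id", "value": "attacker-chosen-id"},
    ],
}


def _resolve(resource, path):
    """Walk a dotted attribute path and return (parent dict, final key)."""
    if "[" in path:
        # Value filters such as emails[type eq "work"].value are out of scope here
        raise ValueError(f"value filters not supported in this example: {path!r}")
    parts = path.split(".")
    node = resource
    for part in parts[:-1]:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise ValueError(f"{path!r} traverses a non-complex attribute")
    return node, parts[-1]


def apply_patch(resource, patch):
    """Return a new resource with the PatchOp applied; the input is not mutated."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(resource)
    for operation in patch["Operations"]:
        op = operation["op"].lower()
        path = operation.get("path")
        if op in ("add", "replace"):
            if path is None:
                # No path: the value is a partial resource merged at the top level
                for key, val in operation["value"].items():
                    updated[key] = val
            else:
                parent, key = _resolve(updated, path)
                parent[key] = operation["value"]
        elif op == "remove":
            if path is None:
                raise ValueError("remove requires a path")
            parent, key = _resolve(updated, path)
            parent.pop(key, None)
        else:
            raise ValueError(f"unsupported op {op!r}")
    # "id" has mutability readOnly (RFC 7643): client-supplied values are ignored
    updated["id"] = resource["id"]
    return updated


def remove_attribute(resource, path):
    """Convenience wrapper: build and apply a single remove operation."""
    patch = {"schemas": [PATCH_OP_SCHEMA],
             "Operations": [{"op": "remove", "path": path}]}
    return apply_patch(resource, patch)


if __name__ == "__main__":
    after = apply_patch(STORED_USER, NAME_CHANGE_PATCH)
    print(after["name"], after["userName"], after["id"])
```

The point a practitioner should take from this is that a SCIM server applies whatever the IdP sends, so the trust boundary is the IdP's provisioning rules; the server's own job is limited to enforcing attribute mutability (hence the `id` reset) and rejecting malformed messages.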
Account-Driven User Enrolment (for BYOD)
Apple’s Account-Driven User Enrolment feature allows personally-owned devices to be lightly managed by an MDM and separates the user’s personal Apple Account data from their Managed Apple Account data, even while both accounts are being used simultaneously. This ensures protection for critical work data stored in their Managed Apple Account while still allowing the user to have access to their personal iCloud data. Should a user leave the organisation, all work data (including their Managed Apple Account) is securely removed from the device but their personal data remains untouched.
Account-Driven Device Enrolment
Account-Driven Device Enrolment is a similar approach, but it is designed for organisation-owned devices to be enrolled after setup using the same sign-in flow as Account-Driven User Enrolment. This enrols the device into the organisation's MDM and gives it the same management capabilities as devices registered in ASM/ABM for Automated Device Enrolment. The user is also clearly informed about these capabilities on the device before they start the enrolment.
Note that an organisation can only have one type of account-driven enrolment active at a time, so it is important to consider which one best suits how it works.
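Both account-driven flows start the same way: the device takes the domain of the Managed Apple Account the user typed, fetches the service discovery document at `https://<domain>/.well-known/com.apple.remotemanagement`, and reads from it which MDM to contact and which enrolment type (`mdm-byod` for User Enrolment, `mdm-adde` for Device Enrolment) the organisation has chosen. The following is an added example, not Apple's or any MDM vendor's code: it builds the request URL a device would make, produces the discovery document an organisation would host, and validates one, rejecting documents that advertise more than one enrolment type to reflect the one-type-at-a-time note above. The domain `example.edu` and the MDM host are placeholders.

```python
"""Service discovery for account-driven enrolment.

Added example, not Apple's or an MDM vendor's code. The well-known path and
the Servers/Version/BaseURL document shape follow Apple's service discovery
for account-driven enrolment; the domain and MDM host are placeholders.
"""
import json
from urllib.parse import urlencode, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

USER_ENROLMENT = "mdm-byod"    # Account-Driven User Enrolment (personal devices)
DEVICE_ENROLMENT = "mdm-adde"  # Account-Driven Device Enrolment (org-owned devices)
KNOWN_VERSIONS = {USER_ENROLMENT, DEVICE_ENROLMENT}


def discovery_url(managed_apple_account):
    """Build the URL a device requests for the given Managed Apple Account.

    The domain is taken from the account; the account itself is passed as the
    user-identifier query parameter so the server can route per user.
    """
    local, _, domain = managed_apple_account.rpartition("@")
    if not local or not domain:
        raise ValueError("expected an account of the form user@domain")
    query = urlencode({"user-identifier": managed_apple_account})
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def build_discovery_document(version, base_url):
    """Return the JSON body an organisation hosts at the well-known path."""
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown enrolment type {version!r}")
    return json.dumps({"Servers": [{"Version": version, "BaseURL": base_url}]})


def validate_discovery_document(body):
    """Parse a discovery document and return (version, base_url) or raise.

    Policy choices in this example: exactly one server entry (one enrolment
    type at a time), a known Version string, and an absolute https BaseURL so
    the enrolment profile cannot be served over plain HTTP.
    """
    doc = json.loads(body)
    servers = doc.get("Servers")
    if not isinstance(servers, list) or len(servers) != 1:
        raise ValueError("expected exactly one server entry")
    entry = servers[0]
    version = entry.get("Version")
    base_url = entry.get("BaseURL")
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unknown enrolment type {version!r}")
    parsed = urlparse(base_url or "")
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("BaseURL must be an absolute https URL")
    return version, base_url


def is_valid_discovery_document(body):
    """Boolean wrapper around validate_discovery_document for quick checks."""
    try:
        validate_discovery_document(body)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample: a school that has chosen Account-Driven User Enrolment
    account = "jane.smith@example.edu"
    print(discovery_url(account))
    body = build_discovery_document(USER_ENROLMENT, "https://mdm.example.edu/enrol")
    print(body, validate_discovery_document(body))
```

Because the device trusts whatever this document says, the domain's DNS and the TLS certificate on the well-known host are part of the enrolment trust chain: anyone who can publish that JSON for your domain can point every new sign-in at their own MDM.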