What are Managed Apple IDs?

Meredith Kreisa | Updated March 6, 2023

Apple ID management empowers sysadmins to personalize system preferences, distribute apps, change passwords, lock Apple accounts, and more. Most often, the process involves leveraging Managed Apple IDs assigned through Apple Business Manager (ABM) or Apple School Manager (ASM). While many businesses employ this approach to device administration, it isn’t ideal in every setting. We’ll break down your options for managing Apple IDs or managing devices without IDs, balancing the potential pros and cons.

What is Apple ID management?

Simply put, Apple ID management refers to any strategy a company uses to oversee work-related Apple IDs. Since the Apple ecosystem is ever evolving, the management process has changed a lot over the years.

In the early days of Apple device management, organizations were forced to rely on personal Apple ID accounts to distribute licenses. For convenience, some companies would create just one shared Apple ID for business purposes, which multiple users would rely on. Needless to say, this approach presented a whole host of problems. For one thing, it violated Apple policy, which could result in ID suspension. Additionally, if one user decided to change the shared password, you had to let all the users know.

Even if you kept things on the up and up with just one user per Apple ID, maintaining long lists of IDs and their associated passwords was a tedious chore.

Then, Apple introduced the Apple Volume Purchase Program (VPP), which allowed organizations to distribute app licenses without Apple IDs. The progress was delightful. (This same functionality is now incorporated in ABM.)

But then Apple made things confusing with a new option: Managed Apple IDs. These accounts are intended specifically for businesses. They offer features like automatic account creation, assignable roles and privileges, and collaboration tools. Plus, with federated authentication, Managed Apple IDs use the same credentials as existing infrastructure so that you don’t need to keep long lists of passwords.

However, while Managed Apple IDs provide some distinct benefits, they’re not always essential. You can accomplish many tasks directly through ABM without any form of Apple ID. In many cases, ID-free Apple device management via ABM is the easiest option.

What is a Managed Apple ID?

Managed Apple IDs are available through Apple Business Manager and Apple School Manager. This type of Apple ID allows you to enroll and manage devices with an MDM solution via the User Enrollment option. The benefits include the following:

  • Simplified onboarding and troubleshooting

  • Reduced redundancy

  • ID creation at scale

  • Enhanced security

  • Improved collaboration

Users who have Apple Business Manager administrator privileges can also manage accounts. Admins can perform the following tasks:

  • Create new IDs

  • Assign roles to the IDs

  • Reset ID account passwords

  • Restrict user access to ID accounts

  • Delete IDs

  • Update account information for IDs

Additionally, Apple supports the federation of Managed Apple IDs through Microsoft Azure Active Directory and Google Workspace. That means an Apple Business Manager account can link to Microsoft Azure AD or Google Workspace. Then, ABM creates Managed Apple IDs automatically based on existing identities in the linked platform.

How to use a Managed Apple ID

Managed Apple IDs serve several purposes:

  • Grant access to the Apple Business Manager portal: Admins can delegate roles relating to what the user can and cannot access within Apple Business Manager.

  • Allow shared access: To support collaboration, users can access company accounts for Apple services, such as iCloud Drive and iCloud Notes.

  • Facilitate license assignment: Managed App licenses can be tied to a Managed Apple ID rather than the device, allowing for license transfer between devices.

  • Enable Activation Lock: Admins can lock devices if they’re lost or stolen and restore access if they’re retrieved.

  • Share devices: The Shared iPad feature allows users with separate Managed Apple IDs to log in to the same Shared iPad device. This allows for a personalized experience on a communal machine.

  • Permit User Enrollment: Designed for bring your own device (BYOD), User Enrollment allows a Managed Apple ID to be used alongside an existing Apple ID. We’ll expand on this in the next section.

Managed Apple ID users don’t have access to every Apple service. Apple Pay, Apple Music, Apple TV+, and some other features are disabled to protect the business. Users can also browse the App Store, but they cannot make purchases.

What is User Enrollment?

Apple User Enrollment is an addition to the device enrollment options supported by the Apple MDM spec starting with iOS 13 and macOS Catalina 10.15. Geared for organizations that want to support a BYOD policy, it is a significantly more privacy-focused form of enrollment. It gives the MDM only limited access to users’ devices while separating personal and corporate data.

User Enrollment requires a Managed Apple ID, which must be associated with the device. The user needs to enter their Managed Apple ID credentials in order to complete the enrollment process. This ID is used to install the MDM profile, assign app licenses, provide access to shared iCloud accounts, and manage which users have access to these company-owned assets on their personal devices. A single Managed Apple ID may be used on multiple devices and does not interfere with a standard personal Apple ID configured on the device.

Weighing the approaches

Businesses have three main options related to Apple IDs: manage personal IDs, manage Managed IDs, or avoid Apple IDs altogether. Each of these options has potential use cases as well as clear drawbacks, so the best choice ultimately depends on your environment and goals.

Personal IDs

When to use them

  • You need to distribute apps, and ABM is not available in your country

  • You want to allow employees to install work-related apps themselves

Pros

  • Continued access to Apple services

  • Self-installation of apps

Cons 

  • Administrative burden of maintaining each Apple ID and Apple ID password

  • Risk of violating Apple policy by sharing an ID across iOS devices

  • Lack of administrative features

Managed IDs

When to use them

  • You plan to use shared iCloud resources

  • You plan to use Apple ID-based iMessage and/or FaceTime for work

  • You plan to use Shared iPad

  • You want to distribute books through ABM

Pros

  • Streamlined account creation options

  • Federated authentication

  • Assignable roles and privileges

  • Separation of personal and company resources on BYOD devices

Cons

  • Select services are disabled (Apple Music, Apple Fitness+, Apple News+, Apple TV+, iCloud mail, etc.)

  • Users can’t manually install apps from the App Store

No IDs

When to use them

  • You want to distribute app licenses without managing the device

  • You want to allow employees to install work-related apps themselves

Pros

  • Simple and streamlined

  • Self-installation and company distribution of apps

Cons

  • Greater reliance on an MDM solution

  • User Enrollment is unavailable

Apple ID management in a BYOD environment

Two paths work well for managing devices in a BYOD environment: Managed IDs or ID-less administration.

User Enrollment creates new Managed Apple IDs through federated authentication with Azure AD or Google Workspace. This Managed Apple ID can live alongside an individual Apple ID on an employee-owned device for a clear separation of corporate and personal resources. With multiple Apple IDs on the same device, users can keep their existing Apple ID for their personal usage while switching to the Managed ID to access corporate resources. This allows the company control over relevant apps and data, but without providing any actual device management capabilities.

If you’d rather avoid using Managed Apple IDs in your BYOD environment, many essential administrative features remain available through ABM:

  • Associate devices with your ABM account via Automated Device Enrollment

  • Let users sign up their own devices via link or Apple Configurator 2

  • Install corporate apps based on the device rather than the Apple ID

  • Restrict access to company apps and data

  • Require secure passwords

  • Assign, revoke, and reassign app licenses with device-based assignment

  • Enable device-based Activation Lock if a device is lost or stolen

While we generally wouldn’t recommend managing personal Apple IDs in a BYOD environment, it’s also theoretically possible. However, most businesses will elect to either rely on Managed Apple IDs or avoid ID management altogether.

Why might a business avoid Apple ID management?

Businesses often avoid Apple ID management to save time and effort. ABM allows you to maintain oversight of company-owned app licenses without Apple IDs. It also allows more granular device control via supervised mode. Using ABM in lieu of Apple ID management carries several potential advantages:

  • Avoid the administrative burden of maintaining Apple IDs and passwords

  • Maintain user access to the App Store, Apple Pay, Apple Music, Apple TV+, Find My, and other features

  • Provide users with a sense of independence

Since ABM coupled with an MDM solution gives most businesses all the features they need, there’s just no reason to bother with Apple ID management.


Whether you use Managed Apple IDs or prefer an alternative approach, SimpleMDM can help you streamline your Apple device monitoring, updating, and licensing. Try out SimpleMDM with a free 30-day trial to see for yourself!
