Managed Apple IDs are a type of Apple ID that is available for use through Apple Business Manager and Apple School Manager. Managed Apple IDs allow devices to be enrolled in and managed with MDM via the User Enrollment option.
Traditionally, individual users create Apple IDs designed primarily for personal use. They are used for activities such as app licensing, managing iCloud accounts, accessing iCloud services, etc. Once created, the original user is the only user to access the ID. This presents a number of difficulties when used at scale in a business environment.
Managed Apple IDs is Apple’s latest solution to overcoming these difficulties while still providing similar functionality. The benefits include:
No more personal accounts for work – Apple Business Manager controls the Managed Apple IDs
Eliminates redundancy and creates IDs en masse
Users that have Apple Business Manager administrator privileges can also manage accounts. Admins, or “Managers”, have the ability to:
Create new IDs
Assign roles to the IDs
Reset ID account passwords
Restrict users’ access to ID accounts
Update account information for IDs
Additionally, Apple also supports federation of Managed Apple IDs through Azure Active Directory. In this scenario, an Apple Business Manager account links to Azure AD. Then, Managed Apple IDs create automatically based on identities that exist in Azure AD.
There are multiple uses for Managed Apple IDs:
Granting users access to the Apple Business Manager portal – this allows admins to delegate ‘roles’, or sets of permissions, relating to what the users can and cannot access within Apple Business Manager
Allow users shared access to company accounts, such as iCloud Drive and iCloud Notes, for collaboration purposes
VPP app license assignment – VPP app licenses are tied to a Managed ID rather than the device, allowing for licenses to transfer between devices
The last use case is one of the most significant, so let’s expand here.
Apple User Enrollment is an addition to the device enrollment options supported by the Apple MDM spec starting with iOS 13 and macOS 10.15. Geared for organizations that want to support a ‘Bring Your Own Device’ (BYOD) policy. It is a significantly more privacy-focused form of enrollment. It gives MDM only limited access to users’ devices while separating personal and corporate data.
User Enrollment requires a Managed Apple ID and must be associated with the device. The user must enter their Managed Apple ID credentials in order to complete the enrollment process. This ID is used to allow the installation of the MDM profile, assign app licenses, provide access to shared iCloud accounts, and manage which users have access to these company-owned assets on their personal devices. A single Managed Apple ID may be used on multiple devices and also will not interfere with any standard (personal) Apple IDs that have been configured on devices.
In summary, Managed Apple IDs play a vital role in the User Enrollment option available as of iOS 13 and macOS 10.15 Catalina. They are one aspect of Apple’s attempt to further separate personal data and company data on user-owned devices (BYOD), while also helping to improve management options for device administrators.
SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in a matter of minutes — all while staying on top of Apple updates automatically.