Last updated July 22, 2019
Managed Apple IDs are a type of Apple ID that is available for use through Apple Business Manager and Apple School Manager. Managed Apple IDs are used to, amongst other things, allow devices to be enrolled in and managed with MDM via the User Enrollment option.
Traditionally, Apple IDs have had to be created individually by users and were designed primarily for personal use. These personal Apple IDs are used for things like app licensing, managing iCloud accounts, accessing iCloud services, etc. These could only be accessed and reset by the user that created the ID. This presented a number of difficulties when used at scale in a business environment.
Managed Apple IDs are a solution to overcome the difficulties associated with personal Apple ID usage while still providing similar functionality. These managed IDs can be created en masse and are controlled by the Apple Business Manager account, rather than a personal account, and can be managed by users that have administrator privileges to Apple Business Manager. Admins, or “Managers”, have the ability to create new IDs, assign roles to the IDs, reset ID account passwords, restrict users’ access to ID accounts, delete IDs, and update account information for IDs.
Apple also supports federation of Managed Apple IDs through Azure Active Directory. Apple Business Manager accounts can be linked to Azure AD so that Managed Apple IDs are created automatically based on identities that exist in Azure AD.
There are multiple uses for Managed Apple IDs. First, Managed Apple IDs can be used for granting users access to the Apple Business Manager portal. This allows admins to delegate ‘roles’, or sets of permissions, relating to what the users can and cannot access within Apple Business Manager.
Second, Managed Apple IDs allow users shared access to company accounts, such as iCloud Drive and iCloud Notes, for collaboration purposes.
Third, Managed Apple IDs are used for VPP app license assignment. When a managed ID is associated with a device, VPP app licenses can be tied to that ID rather than the device. This makes app licenses transferable between devices based on the ID that is signed in on a device.
The final, and possibly most significant, use for Managed Apple IDs relates to User Enrollment. User Enrollment is an addition to the device enrollment options supported by the Apple MDM
spec starting with iOS 13 and macOS 10.15. The User Enrollment method is a solution for organizations that want to support a ‘Bring Your Own Device’ (BYOD) policy. It is a significantly more privacy-focused form of enrollment that gives MDM only limited access to users’ devices while separating personal and corporate data. We have written about the topic of User Enrollment in greater detail here: What is Apple’s “User Enrollment”?
When participating in User Enrollment, a Managed Apple ID is required and must be associated with the device. The user must enter their Managed Apple ID credentials in order to complete the user enrollment process. This ID will be used to allow the installation of the MDM profile, assign app licenses, provide access to shared iCloud accounts, and manage which users have access to these company-owned assets on their personal devices. A single Managed Apple ID can be used on multiple devices and also will not interfere with any standard (personal) Apple IDs that have been configured on devices.
In summary, Managed Apple IDs play a vital role in the User Enrollment option available as of iOS 13 and macOS 10.15 Catalina. They are one aspect of Apple’s attempt to further separate personal data and company data on user-owned devices (BYOD), while also helping to improve management options for device administrators.