Guide for Apple IT: Managed Apple IDs

Posted on January 20, 2022

Managed Apple IDs are Apple ID accounts that your organization creates, controls, and assigns to users. Like any Apple ID, Managed Apple IDs can be used to sign in to devices and services.

Unlike personal Apple IDs, though, Managed Apple IDs are owned and managed by the company, not the individual. That means the organization is responsible for things like password resets and role-based administration. With a Managed Apple ID, the account credentials are provided to users and can be changed or deleted at will by an admin.

Here’s an overview of how Managed Apple IDs work, how you set them up, and how you can use them in your business.

What Are Managed Apple IDs?

When Managed Apple IDs first became available, they were designed for IT administrators, who could use them to sign in to Apple Business Manager and, from there, do things like assigning app licenses to employees, managing and enrolling devices in an MDM solution, and managing roles and privileges of other Apple Business Manager users.

Because they’re intended for business use, Managed Apple IDs don’t provide access to many services that personal IDs can unlock, such as Apple Pay and Family Sharing. (Apple has a full list of services that managed IDs do not unlock.) 

Managed Apple IDs were also conceived as a way to distribute apps and other content, as an alternative to having employees use their personal Apple IDs to acquire such content for their work devices. Using personal IDs in a business setting made it difficult for IT administrators to manage company devices, licenses, and data. 

In reality these days, managed IDs aren’t used as much to distribute licensed content (because that content can be assigned to devices via MDM instead of to users by ID) as they are to provide admin access to Apple Business Manager and to sign in to shared iPad devices. 

How Do You Create a Managed Apple ID?

While admins have some leeway in the format of managed IDs, Apple recommends the following structure: username@appleid.example.com. The username does not have to be the same as the one used in the user’s corporate email, but it can be. Apple recommends placing appleid directly after the @ sign, to distinguish this ID from an existing email address. The domain at the end must be the domain the organization has registered with Apple Business Manager.

With that structure in mind, there are two ways you can create a Managed Apple ID.

The first is in Apple Business Manager itself. For the details, see Apple’s support article on creating Managed Apple IDs in ABM. Two important points to remember: You’ll be required to choose one of the domains you’ve already registered (and verified) in ABM. And you will need to assign a role—Administrator, People Manager, Device Enrollment Manager, or Content Manager—to the new ID. You can always go back and edit details for a managed ID later.

The second way to create Managed Apple IDs is by federating your organization’s Apple Business Manager account with Azure Active Directory (Azure AD). This second method allows Managed Apple IDs to be automatically created for identities that already appear in Azure AD. In other words, this approach enables employees to use their Microsoft Azure Active Directory (AD) credentials as Managed Apple IDs. For more on how this federation works, see “Federated Authentication in Apple Business Manager with Azure AD.” 

 

[Image: Apple Business Manager. Image source: support.apple.com]

Among the important points to remember about federation: The domain you’re using must already be verified in Apple Business Manager. Each user’s User Principal Name (UPN) must match their email address. And it works only on devices running macOS 10.13.4, iOS 11.3, and iPadOS 13.1 or later.

Once such federation has been established, Managed Apple IDs are created for Azure users when they attempt to log in to an Apple service. To sign in to their Managed Apple IDs, users are directed to the Azure sign-in page, and that authorization is then passed back to Apple.
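The federation prerequisites above (verified domain, UPN matching email, minimum OS versions) can be checked against a directory and device export before rollout. The following Python script is an added example, not code from Apple or Kandji; the record fields, sample users, and serials are constructed, and comparing UPN and email case-insensitively is an assumption.

```python
# Added example; sample records are constructed and field names are assumptions.
# Minimum OS versions are the ones stated in the article.
MIN_OS = {"macOS": (10, 13, 4), "iOS": (11, 3), "iPadOS": (13, 1)}


def meets_minimum(platform, version):
    """True if the device runs at least the article's minimum OS for its platform."""
    minimum = MIN_OS.get(platform)
    if minimum is None:
        return False  # unknown platform: treat as unsupported
    have = tuple(int(part) for part in version.split("."))
    # Pad with zeros so "11.3" and "11.3.0" compare as equal.
    width = max(len(have), len(minimum))
    return have + (0,) * (width - len(have)) >= minimum + (0,) * (width - len(minimum))


def check_user(upn, email, verified_domains):
    """Return the prerequisites this user fails (empty list means ready)."""
    problems = []
    # Assumption: UPN and email are compared case-insensitively.
    if upn.strip().lower() != email.strip().lower():
        problems.append("UPN does not match email address")
    domain = upn.strip().rpartition("@")[2].lower()
    if domain not in {d.lower() for d in verified_domains}:
        problems.append("domain not verified in Apple Business Manager")
    return problems


def audit(users, devices, verified_domains):
    """Map each failing UPN or device serial to its list of problems."""
    findings = {}
    for user in users:
        issues = check_user(user["upn"], user["email"], verified_domains)
        if issues:
            findings[user["upn"]] = issues
    for dev in devices:
        if not meets_minimum(dev["platform"], dev["os_version"]):
            findings[dev["serial"]] = ["OS below minimum for federated sign-in"]
    return findings


# Constructed sample inventory (not real accounts or devices).
VERIFIED = ["example.com"]
USERS = [{"upn": "ana@example.com", "email": "Ana@example.com"},
         {"upn": "raj@corp.example.net", "email": "raj@example.com"}]
DEVICES = [{"serial": "SAMPLE-001", "platform": "iPadOS", "os_version": "13.4.1"},
           {"serial": "SAMPLE-002", "platform": "iOS", "os_version": "11.2.6"}]

if __name__ == "__main__":
    print(audit(USERS, DEVICES, VERIFIED))
```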

Managed Apple IDs and Shared iPad

There are two specific use cases for Managed Apple IDs that are worth calling out.

The first, as noted above, is to manage access and privileges for administrators in Apple Business Manager. The second is Shared iPad, which allows multiple employees to use a single iPad but still get the personalized experience of having one of their own. 

Originally available only through Apple School Manager, Shared iPad was brought to business users in iPadOS 13.4. Before then, companies that wanted to share devices among their employees had to rely on custom workflows for resetting the devices between uses or third-party programs that worked with an MDM solution to quickly provision a device for a user. Now they can provide the same kind of user experience by leveraging Managed Apple IDs.

When a user signs in to a shared iPad using a Managed Apple ID, iPadOS sets aside a section of the device’s storage space. Apple caches that user’s data (on the device itself, on local Content Caching devices, and in the cloud), so it can be retrieved when the user logs into another device. When the user logs out, their data becomes inaccessible to any other users and will not be recalled until the user enters their managed credentials again. 

 

[Image: Shared iPad storage. Image source: support.apple.com]

Shared iPad for business is supported on iPad mini (4th generation or later), iPad Air 2 (or later), iPad (5th generation or later), and all iPad Pro models. All devices must have at least 32 GB of storage.

One important administrative detail to deal with when making Shared iPad available: You have to decide how much of that storage to allocate for each user or (inversely) set a maximum number of users. 

In Kandji, you can configure the maximum users or a per-user storage quota in the Automated Device Enrollment library item; that’s also where you enable temporary guest sessions (see below). It’s good to keep the number of users per device as low as possible and give them each as much storage as possible, to minimize iCloud communications and to provide a faster sign-in experience.

[Image: Kandji Shared iPad configuration]

It’s easiest to provide Shared iPad if you’ve federated your Apple Business Manager instance with Azure AD. Users can then just use their regular credentials to sign in to a shared device. Otherwise, if you provision Managed Apple IDs from Apple Business Manager, you’ll have to set up users one at a time.

The iPad devices to be shared must be enrolled via Automated Device Enrollment for this to work. Once enrolled, these iPad devices will restart and Shared iPad will be enabled. The only way to remove a device from Shared iPad is to erase it.

While Shared iPad has traditionally required the use of a Managed Apple ID, Apple recently introduced Temporary Sessions, which also allow multiple users to use a single device. But when one user logs out of that shared iPad, all data from that session—including Safari browsing history, modified settings, and added files—is deleted.

Temporary Sessions might seem convenient, but they may not be ideal in business environments, where devices may be connected to secure networks. Unless those devices are managed closely, Temporary Sessions could leave network resources open to compromise. 

About Kandji

Kandji supports Managed Apple IDs, as well as a host of other tools that can make life better for both you and your users. With a suite of features like zero-touch deployment, one-click compliance, and offline remediation, Kandji is already a great way to enroll, configure, and secure your devices, and we look forward to creating new functionality as the SSO landscape evolves.

This article was substantially updated January 20, 2022. It also replaces the post "Guide for Apple IT: Shared iPad for Business."
