Updated January 14, 2019 to include information on using federated authentication to create Managed Apple IDs.
For any organization that relies on Apple devices, understanding how to use a Managed Apple ID for business is essential. As of macOS Catalina 10.15 and iOS 13, Apple has broadened the usability of Managed Apple IDs and made enrollment practices more supportive of “bring your own device” (BYOD) policies.
As we’ll cover throughout this guide, Managed Apple IDs aren’t just for Apple Business Manager admins anymore. Now, they can be assigned to any employee who uses an Apple device for business purposes.
In this guide, we’ll explain how using a Managed Apple ID for business is achieved and what advantages it gives administrators and employees. These are the four topics we’ll focus on:
- What are Managed Apple IDs?
- How are they used?
- How are they created?
- How are they edited?
Let’s start with an overview of what Managed Apple IDs are before discussing how they function within Apple Business Manager.
What is a Managed Apple ID?
In brief, Managed Apple IDs can now be assigned to any employee who uses an Apple device for business purposes. Administrators use Managed Apple IDs in Apple Business Manager to do things like:
- Manage and enroll devices in an MDM via Apple Business Manager.
- Assign App licenses to employees.
- Manage roles and privileges of Apple Business Manager users.
Managed Apple IDs are also at the heart of Apple’s new User Enrollment feature, which makes BYOD (bring your own device) practices possible while keeping your employees’ personal and work data separate.
We’ll provide a more in-depth discussion about what Managed Apple IDs are and how they can be used for business over the next few sections, but first, let’s contrast Managed Apple IDs with personal Apple IDs.
Managed Apple IDs vs. Apple IDs
As we mentioned earlier, new Apple updates have changed the way Managed Apple IDs can be used. Before these updates, Managed Apple IDs were only assigned to people who used Apple Business Manager to do things like buy apps in bulk or manage devices. Meanwhile, employees had to use their personal Apple IDs on any devices that they used for work.
This caused a few problems. Using personal IDs in a business setting makes it difficult for IT administrators to manage company devices, licenses, and data. While Managed Apple IDs are often created in large quantities and managed by someone with administrative privileges to Apple Business Manager, personal Apple IDs are created by individuals and are intended for personal use.
The new Apple updates have addressed this. Now, Managed Apple IDs can be assigned to any employee who uses an Apple device for business purposes – not just those who use Apple Business Manager.
A Brief Overview of Apple Business Manager
You can think of Apple Business Manager as a portal that lets IT administrators do things like create a Managed Apple ID, manage devices, assign licensed Apps and Books, and delegate admin privileges. In short, it makes managing a fleet of Apple devices simpler by keeping everything in one place.
That said, it’s important to note that Apple Business Manager is not an MDM solution, like Kandji. It works with your MDM of choice, but it doesn’t replace it.
Once Apple devices are associated with Apple Business Manager, you can interact with them using your third-party MDM. For an in-depth look at MDMs and other management solutions, you can read our guide to MDM, EMM, and UEM.
How to Use a Managed Apple ID for Business
Managed Apple IDs can be created from Apple Business Manager and assigned to any employee who uses an Apple device for work. Now that Apple lets all employees use these IDs, IT administrators don’t have to assign App and Book licenses to personal Apple IDs anymore – they can simply send them to an employee’s Managed Apple ID.
Having employees use a Managed Apple ID for business gives IT administrators more control over employee accounts. This makes it easier to access and edit account information, such as usernames, ID numbers, and passwords, as well as add or deactivate accounts.
Apple’s User Enrollment feature also heavily depends on Managed Apple IDs. As we mentioned earlier, User Enrollment was released to support BYOD practices while protecting employee privacy. This is accomplished by separating data, which gives IT administrators limited control over personal data stored on User Enrolled devices. Meanwhile, company data is stored separately and can be automatically wiped without affecting the personal data on the same device.
Now that we have a working definition of what Managed Apple IDs are and how they are used in a business setting, we can learn how to create them.
How to Create a Managed Apple ID for Business
Before creating a Managed Apple ID, it’s important to understand the ID structure that Apple recommends using.
What Should a Managed Apple ID for Business Look Like?
Apple recommends using a specific structure while creating a Managed Apple ID for business. Following these steps will help organizations avoid confusion and communication conflicts.
The structure consists of the following parts:
- Username: This refers to everything before the “@” sign. It will typically be some variation of the employee’s name.
- For example, johnsmith@
- For example, johnsmith@appleid
- For example, firstname.lastname@example.org
How to Create a Managed Apple ID
Keeping this structure in mind, you can create a Managed Apple ID by following these steps:
- Open Apple Business Manager and click “Settings,” located at the bottom of the sidebar.
- Once you’re on the settings page, click Managed Apple IDs. It should appear right below Organization Settings.
- Domain: This refers to everything to the right of the “@appleid” component. By default, Apple Business manager makes this your organization’s business domain. If your organization uses a different domain for email, then an IT administrator can change it to the proper email domain.
- “appleid”: This adds “appleid” before the domain name. Doing this can prevent potential communication conflicts if the same username and domain appear in other addresses.
As of macOS 10.15 and iOS 13, administrators have more freedom over how they create and assign Managed Apple IDs. Though these IDs can be created manually through Apple Business Manager, administrators can also link Apple Business Manager accounts to Azure Active Directory (Azure AD). This allows Managed Apple IDs to be automatically created for the identities that already appear in Azure AD.
Managed Apple IDs can also be created from existing email addresses. For this to work, each employee must have an email address that they have not used in the Device Enrollment Program, the Volume Purchase Program, or any personal iTunes or iCloud accounts.
It’s important to note that this method requires employees to remember two passwords: one for their original email address and the other for their Managed Apple ID.
Using Federated Authentication to Create Managed Apple IDs
Essentially, federated authentication lets your employees use their Microsoft Azure Active Directory (AD) usernames and passwords as Managed Apple IDs.
This is a great feature for anyone who wants to simplify the login process for their employees since they will only have to remember one set of login credentials. It also seamlessly integrates into the device setup process, so users don’t have to manually create an account or login multiple times.
Whether your business uses User Enrollment or Device Enrollment (for a breakdown of these, see our device enrollment guide), you can use federated authentication. Apple has made it compatible with both traditional and BYOD enrollment methods.
Now that we’ve covered the basics, let’s break down how federated authentication works. There are four major things to know:
- When you use federated authentication, Azure AD plays the part of the Identity Provider – the entity that controls authentication to a service provider.
- Federated authentication uses Security Assertion Markup Language (SAML) to pass long information (i.e. login credentials) from Azure AD to Apple Business Manager in order to create managed Apple IDs.
- Once the integration is configured, Managed Apple IDs are created for Azure users as they attempt to login to an Apple service. This is known as JIT (Just in Time) account creation. In order for employees to sign into their Managed Apple IDs, they are directed to the Azure sign in page – and that authorization is passed back to Apple.
- Federation requires that you confirm ownership of your Azure AD domain – this will normally happen automatically while connecting to Azure. Once enabled, any existing consumer Apple IDs that use your company's domain will be notified that they must change their Apple ID within 60 days of the Apple Business Manager administrator initiating the conflict resolution process.
Before moving on, it’s important to mention that there are a few restrictions that can prevent you from using federated authentication, such as:
- If a domain has already been used by another organization.
- If your users’ UserPrincipalNames don’t match their email addresses.
- If your Apple devices don't use the following operating systems or later: iOS 11.3, iPadOS 13.1, macOS 10.13.4.
How to Edit a Managed Apple ID
Changes in an organization might require updating an existing Managed Apple ID structure. For instance, if an organization changes its domain, this information will have to be revised for the Managed Apple ID to continue functioning. Editing the ID may also be required if a user needs to update his or her username.
In either case, an IT administrator with “create, edit, and delete” privileges on Apple Business Manager can edit the structure of all new and existing Managed Apple IDs with the following method:
- Open Apple Business Manager and click on “Accounts” in the sidebar.
- Use the “Search Accounts” field to identify and select the accounts to be edited.
- Change the username structure of the selected Managed Apple IDs.
- Change the domain name structure.
It’s important to note that users will not receive any notification if their Managed Apple IDs are changed, so you will have to let them know. They can use their existing passwords to log into their accounts associated with the updated Apple ID.
Using Apple Business Manager and a Managed Apple ID for business is a great way to implement a BYOD policy via User Enrollment and to keep tabs on employee account information and App and Book licensing. That said, it’s important to remember that Apple Business Manager is just a starting point – it’s designed to complement an MDM solution, like Kandji.
From deployment to retirement, Kandji keeps your Apple devices safe and secure with a suite of features such as pre-built security settings, zero-touch deployment, one-click compliance, and much more. Start managing your devices like your business depends on it.