Apple now requires administrators to verify any domains associated with their Apple Business Manager account. In this quick article, we’re going to talk about what this new domain verification requirement is, why verification is now required, and how you can verify domains associated with your Managed Apple IDs.
What Changes with the Domain Verification Requirement?
With the new domain verification requirement in place, whenever you create a Managed Apple ID using a domain, you have to prove that the domain is owned by your company. This is accomplished by adding a specific TXT record to your domain’s DNS zone file. We’ll break down how this is done later.
Domain verification is also required for federated domains — so if you have federated authentication configured, you’ll want to verify the associated domains right away.
Why do I Have to Verify My Domain?
Before this new requirement, anyone could add a domain to their Apple Business Manager account and create Managed Apple IDs using this domain — even if they didn’t own it. This could occasionally lead to ownership conflicts and security concerns. However, now that Apple is requiring everyone to verify their Managed Apple ID domain names, you can rest assured that only an organization that can modify the DNS records for your domain can verify it.
If you still have questions about how your company can meet this new requirement, here are a few things to know:
- If I used the domain before the mandatory verification requirement, is it automatically verified? No. Even if your Managed Apple ID domain name was in use well before the new verification requirement, it isn’t “grandfathered” in. You still need to go through the verification process.
- What if more than one organization is using the domain? If your Managed Apple ID domain name is used by multiple organizations, this shouldn’t present any ownership conflicts — each organization can independently verify the domain. However, only one organization can federate the domain. In this case, Apple says other organizations will have to move and rename their Managed Apple IDs to another verified domain. Otherwise, they may receive error messages such as, “Managed Apple ID ending with this domain name is not allowed.”
- How soon do I have to verify the domain? According to Apple, you need to verify your Managed Apple ID domain name within 14 calendar days of clicking the “Verify” button in Apple Business Manager.
- Why did I get an email asking me to verify ownership of my domain? According to Apple’s support documentation, if you get an email asking you to verify your domain, then another organization has claimed a domain that’s currently used by your Managed Apple IDs. You’ll have to verify your ownership of the domain within 14 days of receiving this email.
- What if I can’t or don’t want to verify the domain? In this case, Apple advises that you move the Managed Apple IDs that you aren’t verifying over to a reserved domain or a different verified domain — otherwise, you may receive error messages such as, “Managed Apple ID ending with this domain name is not allowed.” By reserved domain, Apple is referring to the default domain that shows up under Accounts. It’s the name of the domain that your organization enrolled in Apple Business Manager, plus a number. For instance, “Kandji1.appleid.com”.
Now that we have a better understanding of Apple’s new domain verification requirement, let’s see how verifying domains works.
How to Verify Domains Associated with Your Organization's Managed Apple IDs
In this section, we’re going to walk you through the verification process. To verify domains associated with your organization's Apple Business Manager account, you’ll need access to both the Apple Business Manager account that’s tied to the domain and your domain host’s website.
Here’s what you need to do:
1. In Apple Business Manager, go to Settings and select Accounts.
2. You’ll see a list of domains with a “Verify” button next to them. Click “Verify.”
3. This will open a TXT record field. Click “Copy” next to it — you can paste the record somewhere for safekeeping. We’ll need it next.
4. Log into your domain host and add the TXT record to the DNS zone file. The steps here will vary depending on which domain host you’re using, but essentially you’re going to use the TXT record that we just copied to create a DNS TXT record at your domain host.
5. Once you start the process, you’ll receive an ownership verification email at the email address associated with your Apple Business Manager account reminding you to finish the verification process. Click “Verify Ownership” after creating the required DNS TXT record.
6. In Apple Business Manager, go back to the domain section and click “Check Now” by the TXT record you copied. If the DNS record was correctly entered into the DNS zone, the “Copy” button should change to “Verified Ownership.”
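Before clicking “Check Now” in step 6, you can confirm from a terminal that every authoritative name server for the domain is already serving the record you pasted in step 4. This is an added example, not part of the original article or any Apple tooling: it assumes `dig` is installed, and the function names, domain and record value shown are constructed placeholders.

```sh
#!/bin/sh
# Added example. SAMPLE is constructed `dig +short TXT` output: an unrelated
# SPF record plus a verification record that dig printed as two quoted chunks.
SAMPLE='"v=spf1 include:_spf.example.com ~all"
"example-verification=CONSTRUCTED" "PLACEHOLDER123"'
# Placeholder only: use the exact string copied from Apple Business Manager.
EXPECTED='example-verification=CONSTRUCTEDPLACEHOLDER123'

# normalize_txt: read `dig +short TXT` output on stdin, one record per line.
# Long TXT values are stored as several quoted chunks ("part1" "part2") that
# clients concatenate, so join the chunks and strip the outer quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# has_record EXPECTED: succeed only if one record on stdin equals EXPECTED
# exactly (fixed string, whole line), so a truncated paste does not pass.
has_record() {
    normalize_txt | grep -Fxq -- "$1"
}

# check_domain DOMAIN EXPECTED: query each authoritative name server directly,
# so a cached answer on a recursive resolver cannot hide a missing record.
# Returns 0 if every server has the record, 1 if any lacks it, 2 if no NS.
check_domain() {
    domain=$1; expected=$2; rc=0
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
    for ns in $servers; do
        if dig +short TXT "$domain" "@$ns" | has_record "$expected"; then
            echo "published on $ns"
        else
            echo "MISSING on $ns"; rc=1
        fi
    done
    return "$rc"
}

# Usage (needs network access): check_domain example.com "$EXPECTED"
```

If any server reports the record as missing, wait for the zone change to reach it, or recheck the record at your domain host, before using “Check Now.”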