The Evolution of Managed Apple IDs
Anyone who manages Apple devices has had at least some contact with Managed Apple IDs. Like personal Apple IDs, the managed kind can be used to access Apple devices and services. But unlike personal IDs, Managed Apple IDs are owned and controlled by the organization, rather than the end user.
Since introducing them in 2016, Apple has steadily evolved Managed Apple IDs, giving them greater functionality every year. With Apple’s most recent round of announcements at WWDC 2023, that evolution has continued. To understand where that evolution is headed, you need to understand where Managed Apple IDs have been.
What Are Managed Apple IDs?
It helps to start with Apple’s definition:
“A Managed Apple ID is owned and managed by your organization—including password resets and role-based administration. It also provides access to iCloud for collaboration with iWork and backup on iPhone and iPad devices.”
There’s a lot to unpack there, but functionally the gist is that there’s not much difference between a Managed Apple ID and the credentials managed in Entra ID (formerly Azure Active Directory), Google Workspace, or any other identity system: The organization owns and manages the ID, then uses it to manage access to services. It’s just that Managed Apple IDs are used exclusively to control access to Apple devices and services.
(It’s important to note that Managed Apple IDs are not available worldwide, only in countries where Apple Business Manager (or Apple School Manager) is. So while they are great, they are not accessible to everyone.)
For users, a Managed Apple ID might be used to access an account on an organization-owned Mac, iPhone, or iPad. It might also be used to access Apple services such as iCloud. In general, accounts attached to Managed Apple IDs will be more restricted—in terms of apps allowed, data transfers, and more—than personal ones. And if a user leaves the organization, admins can shut off access to the things that ID unlocked.
For admins, Managed Apple IDs are more critical. They’re required for access to Apple Business Manager, for example, where they can be assigned to different roles—Administrator, People Manager, Device Enrollment Manager, and so on.
But as we said above, the functionality of Managed Apple IDs has evolved over time. To understand where they are now and where they might be headed, it helps to take a look back.
A Brief History of Managed Apple IDs
Managed Apple IDs were an answer to an old problem: How does a company manage access to its Apple ecosystem without requiring everyone in the org to use their own personal Apple ID?
Prior to Managed Apple IDs, individual users were commonly asked to create their own special Apple IDs for use on company-controlled devices and services. Though these “work” IDs might have been set up on company-controlled domains, they were still personal; organizations did not actually have control over them. This frequently led to situations where devices were locked with the IDs of people who had left the organization.
2016
In response to that situation, Apple introduced Managed Apple IDs with Apple School Manager in 2016. School IT teams could then create an Apple ID for each student, who could use it to access shared hardware and managed applications. It was a good solution for the education market because the IDs that schools assigned a student when they first arrived could stay with them for the duration of their time there.
2018
In 2018, Apple introduced Apple Business Manager—essentially a business-side implementation of Apple School Manager. Like Apple School Manager, Apple Business Manager came with multiple programs, including the Volume Purchase Program (now known as Apps and Books) and the Device Enrollment Program (now known as Automated Device Enrollment) that helped businesses centrally manage content and devices.
2019
A year later, Apple released its integration between Apple Business Manager and Entra ID (formerly Azure Active Directory) as an identity provider. This meant that companies could federate the two systems, which in turn meant that users’ Entra ID logins served as Managed Apple IDs. This gave users one login for everything and gave admins a single source of identity truth.
2021
With macOS Monterey, Apple migrated the idea of data separation from iOS and iPadOS to macOS. Corporate data (associated with a Managed Apple ID) and personal data (associated with a personal one) were kept in separate storage volumes. This didn’t look any different to the user—apps were still in /Applications—but if the Mac was unenrolled from an MDM solution, the corporate apps were uninstalled and corporate data removed. Managed Apple IDs made that separation possible.
2022
Apple added Google Workspace federation and more ways to use Managed Apple IDs in individual apps for authentication and configuration.
They also added support for OAuth2, giving greater flexibility for identity management, and improved single sign-on.
2022 also saw the addition of using Managed Apple IDs to services that supported Sign in with Apple—so, for example, when someone used a Managed Apple ID to sign into the Slack instance at work, their personal info (name, email, and so on) would already be filled out, and whatever channels they followed would already be set.
Managed Apple IDs and Federation
We’ve mentioned federation a couple of times, and it’s clearly become a key piece of how Managed Apple IDs can help IT, so it merits a brief recap.
At the most basic level, federation allows different domains—such as Entra ID, Google Workspace, and Apple Business Manager—to access the same resources. You can federate Apple Business Manager with Entra ID, Google Workspace, or (as of WWDC 2023) any IdP that supports OpenID Connect. Federation means you don’t need to maintain separate identity stores to manage access to different resources; you can use one source of truth and share from there.
So, as we described above, if you federate your organization’s Apple Business Manager domain with Entra ID, your users can log into Apple devices using their Entra ID credentials; the same applies to Google Workspace or an OpenID Connect-compliant IdP. Because the two domains are federated, admins don’t need to replicate common user information or maintain multiple password databases in each. The IdP handles all the authentication; federation allows an ID from one of those identity providers to serve as a Managed Apple ID.
From the user’s perspective, they don’t even need to know they’re using a Managed Apple ID; it’s just their ID and it uses the same username, password, and authentication factors as their corporate credentials. They log in, and it all “just works”. Setting up federation isn’t necessarily trivial, but it’s a lot easier and more efficient than trying to maintain parallel records for every user.
Managed Apple IDs Now
At WWDC 2023, Apple announced still more features tied to Managed Apple IDs—in many cases connected with the latest versions of macOS, iOS, and iPadOS.
The most important of these have to do with access management. Apple is adding more controls over which services and features can be accessed with a Managed Apple ID. These controls allow admins to define access based on device state: managed, supervised, or neither.
Other changes announced at WWDC include:
- Support for iCloud Keychain, including syncing and the enhanced security of Passkeys.
- More syncing of app data in general—most notably Messages—via iCloud.
- Wallet support, allowing Managed Apple IDs to add things like corporate credit cards, corporate IDs, and more to their data stores.
- Further enhancements to using personal Apple IDs and Managed Apple IDs on a single device.
- More control for admins over Messages and Facetime, including locking down both apps so they support in-org calls and messages only.
The point is that Apple is continuing to expand what Managed Apple IDs can do—the services they can unlock and their integration with identity-management systems while providing admins more management controls. The big question for admins: Have Managed Apple IDs evolved enough for you to implement them more widely in your organization?
The answer, of course, depends on context, particularly on the size of the organization. But as your organization scales, as you try to synchronize device and identity management, and as you continue to deal with the challenges of remote and hybrid work, you have to at least consider the wider use of Managed Apple IDs to control access to devices and services.
About Kandji
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.