What are managed Apple IDs?
Your Apple ID is the key to all of your online services. It’s how you pay for apps, collaborate in Keynote, and even sync your settings across all your devices. But what do you do if you want to use those features for work? Understandably, you don’t want your employer to have access to your private data. Nor do you want to personally pay for the apps you need at work.
This is where managed Apple IDs come into play. Read this article to learn everything you need to know about them. That includes setting them up and even if they’re right for your company to use.
What is a managed Apple ID?
Managed Apple IDs were designed so that IT admins could create and manage accounts for the employees at their organization. These accounts give IT teams the possibility of setting password policies and app licensing management. They’re a great middle ground, unlocking helpful and productive tools for your team and making sure you can still administer them to meet your digital security standards.
Thankfully, Apple has made this a very easy process, and there are no additional apps needed. Accounts are managed through the online portal — Apple Business Manager. Meaning you can view every account in your organization, manage them, or create new ones directly within your browser.
How to create a managed Apple ID for business?
There are actually two methods to create an Apple ID for business. The first method is directly in Apple Business Manager, and the second is letting your company’s Azure Active Directory access Apple Business Manager. There are pros and cons to both methods, so you’ll want to check them both out and see which one works best for you.
1. Creating in Apple Business Manager
When you’re setting up a managed account in Apple Business Manager, you’re given the flexibility to use your corporate email address as the username. However, Apple recommends using this structure: [email protected]. The reason for this is that it can help you quickly identify that as a managed Apple ID versus a personal one that a user might have already set up with their corporate email.
Apple has a very helpful support article for creating managed IDs that covers some of the finer details of this process. But before going in this direction, you should keep in mind that you can only use a domain you’ve already registered and verified in Apple Business Manager.
Note: ABM will make you assign a role to each ID. But the choices are fairly broad, so you can always change them later if you need to.
2. Connecting with Azure Active Directory
The most significant benefit of this method is that whenever you create a new user in Azure AD, their managed Apple ID is automatically created. This, in turn, means your users only have one set of credentials rather than potentially having two. I should note that Apple Business Manager lets you set a password policy. So, in theory, it could mirror the policy you have set up in Azure AD, but there’s nothing stopping your users from setting those to two totally different passwords.
Anyone who’s worked with Active Directory or tried to connect it to an external platform knows this can be a very involved process. And with your entire company’s digital credentials at stake, you don’t want to mess that up. Apple has a great article explaining how all of that works called “Federated Authentication in Apple Business Manager with Azure AD.”
If you created the accounts in Azure AD, you still have to register and verify your domain(s) in Apple Business Manager. But now, each User’s Principal Name has to match their email address, and you must be running minimum macOS 10.13.4, iOS 11.3, and iPadOS 13.1 or later on all devices.
Pros of using a managed Apple ID
Aside from having one more thing to manage, there are a lot of great reasons IT teams should consider using managed Apple IDs.
- Better security
When you and your team are managing Apple IDs, you can have more control over the apps and content that are being put on your organization’s devices. As I mentioned earlier, you can set the password policy, so you get to determine the requirements and frequency they have to be changed.
- Easier to troubleshoot
With a managed Apple ID, you’ll always have access to the user’s account, making it easier for you to get on a device and troubleshoot an issue without needing the user to be right there with you logging in each time. It also makes turnover more efficient because you’ll be able to log into the device and reset it for the next user.
- Takes all responsibility off the user
Managed Apple IDs take all of the onus off of the users. Using a personal account means they’re responsible for setting it up, remembering the credentials, and paying for their own apps. Having an account that’s managed by IT gives you complete control to support the accounts and provide your users with a more seamless experience.
Downsides of managed Apple IDs
Before you jump in, there are some limitations to managed Apple IDs that you need to know about. Apple states its primary concern with these accounts is to protect your business, and to do so, there are some features that are disabled on managed accounts:
- Purchasing on the App Store, iTunes Store, and iBookStore
- HomeKit connected devices
- Apple Pay
- Find My (iPhone, Mac, and Friends)
- iCloud Mail, Keychain, and Family Sharing
The last two services — FaceTime and iMessage — are turned off by default, but as an administrator for your organization, you’ll be able to turn them back on.
A couple of other sticking points for teams are the Find My features and purchasing abilities. Some admins might see that and immediately think it’s a dealbreaker, but there might be some additional solutions.
For instance, many MDMs, or Mobile Device Managers, offer location tracking features. And since Location Services is not disabled on the device, the Apple ID itself is just not able to track it; then, you’ll be able to get a lot of that functionality back.
Some MDMs also let you limit which stores are allowed on your devices. But the downside there is it requires you to let your users use personal Apple IDs instead of a managed one.
Using managed Apple ID on a shared iPad
Another massive benefit to using managed Apple IDs is it enables your company to use shared iPads. What does that mean? Well, typically, iPads are designed for a single-user experience. Meaning one Apple ID is connected to the device. The apps and data belong to that one person. But managed Apple IDs allow you to create more of a profile experience with iPads, much like those on shared Macs.
The way this works is that a user’s data is stored in the cloud until they log in on an iPad. As soon as they log in, that information is downloaded and cached on the device until they log out. After they’re logged out, the data is inaccessible to anyone else until that user signs back in.
All of that means you’ll have to decide how much storage to allocate for each user or limit the number of users that can sign into each iPad.
Because it’s still so new and there are a handful of stipulations required for this feature to work, there are a few minimum requirements:
- Device has 32 GB of storage
- iPadOS 13.4
- iPad mini 4th gen or later
- iPad Air 2 or later
- iPad 5th gen or later
- All iPad Pro models
There are a lot of great reasons to start using managed Apple IDs for your corporate environment. But obviously, it’s not a fit for every organization. And how you choose to roll out will all depend on the platforms you already have in place. Hopefully, this article was able to help you answer some of those questions and get you going in the right direction.