About Managed Apple IDs
- Updated on 23 Sep 2022
- 2 Minutes to read
A Managed Apple ID allows a mobile device management (MDM) solution to provide a feature called User Enrollment. Introduced in iOS 15 and iPadOS 15, User Enrollment offers a simplified workflow that requires only an organization email address and password. The user's personal device is placed under limited management, which protects both the organization's data and the private, personal information of the device owner.
Information for end users:
Information about User Enrollment for MDM administrators:
Federated authentication and User Enrollment
While managed Apple IDs can be made manually using Apple Business Manager [apple.com] or Apple School Manager [apple.com], most organizations will use a federated authentication method to centrally manage organizational identity.
Federated authentication is currently supported through Azure Active Directory (Azure AD) or Google Identity via a supported Google Workspace domain. Azure AD can itself be federated to other identity providers (Okta, OneLogin, etc.) through a WS-authentication or SCIM connection. A paid Azure AD subscription is not required for federation.
See Setup Federated Authentication in ABM to configure managed Apple ID federation with your organization's identity provider.
User Enrollment and managed applications
When a user enrolls a personal device with User Enrollment, iOS and iPadOS create a separate encrypted storage volume for organizational data. This activates a feature called "Managed open in" [apple.com], which allows or prevents data from being opened in, or copied and pasted into, any application that is not managed. This separate storage volume also contains:
- Managed Apps
- Notes
- Calendar attachments
- Mail attachments and body of the mail message
- Keychain items
If a user chooses to leave organization management, the encryption certificate for the volume is immediately revoked, which effectively destroys the data in the volume.
Managed applications and MDM configuration
User Enrollment allows an MDM to install applications on a personally owned device using one of three methods:
- Prompt the user to use their personal Apple ID to accept the free application
- Assign a paid application or ebook to a user's Apple ID
- Use the organization's Apps and Books volume purchase account to assign an app to a device
The Apps and Books volume purchase account is part of the organization's Apple Business Manager or Apple School Manager account. This method of distributing free and paid apps is the simplest for the organization to manage and requires no interaction from the user beyond acknowledging that an app will be installed.
When a managed app is installed, the MDM can send a configuration profile to the device to manage that individual application. This configuration may include settings such as pushing email account server information for automated setup, or flagging the application to enable the per-app VPN settings that Jamf Private Access uses to route the organization's data securely.
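The three pieces described above (assigning an app from the organization's Apps and Books account, pushing per-app configuration, and tying the app to a per-app VPN, plus the "Managed open in" restriction from the earlier section) can be seen together in the following added example. It is not code from this page or from Jamf; it assembles the MDM command and restriction payload with Python's standard plistlib. The key names (InstallApplication, iTunesStoreID, Options/PurchaseMethod, ManagementFlags, Configuration, Attributes/VPNUUID, and the allowOpenFromManagedToUnmanaged / allowOpenFromUnmanagedToManaged restriction keys) are taken from Apple's MDM protocol as understood here and should be checked against Apple's MDM protocol reference; the store ID, hostnames, UUIDs and the app-specific configuration keys (ServerHostname, ServerPort, UseSSL) are constructed placeholders. The lint step reflects a practical caveat: managed app configuration is delivered to the app's preferences in plaintext, so credentials do not belong in it.

```python
"""Added example (not from the page or Jamf): build an MDM InstallApplication
command for a User Enrollment device and a Managed open in restriction payload.

Assumptions: MDM key names follow Apple's MDM protocol as understood by the
author of this example; verify them against Apple's MDM protocol reference.
All sample values below are constructed placeholders.
"""
import plistlib
import re
import uuid
from typing import Dict, List, Optional

# Managed app configuration lands in the app's preferences unencrypted, so key
# names that suggest a credential are treated as a configuration error.
SECRET_LIKE = re.compile(r"(password|passwd|secret|token|apikey|api_key|privatekey)", re.I)


def find_secret_like_keys(config: Dict, path: str = "") -> List[str]:
    """Return dotted paths of configuration keys whose names look like secrets."""
    hits: List[str] = []
    for key, value in config.items():
        here = f"{path}.{key}" if path else str(key)
        if SECRET_LIKE.search(str(key)):
            hits.append(here)
        if isinstance(value, dict):
            hits.extend(find_secret_like_keys(value, here))
    return hits


def build_install_application_command(store_id: int, app_config: Dict,
                                      vpn_uuid: Optional[str] = None) -> Dict:
    """Assemble the command envelope an MDM server would push to the device.

    Options/PurchaseMethod 1 assigns the licence from the organization's Apps and
    Books account, so the user is never asked for a personal Apple ID.
    ManagementFlags 1 removes the app and its data when management is removed.
    """
    leaks = find_secret_like_keys(app_config)
    if leaks:
        raise ValueError(f"managed app configuration must not carry secrets: {leaks}")
    command = {
        "RequestType": "InstallApplication",
        "iTunesStoreID": store_id,
        "Options": {"PurchaseMethod": 1},
        "ManagementFlags": 1,
        "Configuration": app_config,
    }
    if vpn_uuid:
        # Binds the app to the per-app VPN payload whose VPNUUID matches.
        command["Attributes"] = {"VPNUUID": vpn_uuid}
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}


def build_managed_open_in_restrictions(allow_managed_to_unmanaged: bool = False,
                                       allow_unmanaged_to_managed: bool = False) -> Dict:
    """Restrictions payload controlling data flow between managed and unmanaged apps.

    Both flags default to False, the stricter setting: organization data stays
    inside managed apps and personal data is not pulled into them.
    """
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.restrictions.managed-open-in",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "allowOpenFromManagedToUnmanaged": allow_managed_to_unmanaged,
        "allowOpenFromUnmanagedToManaged": allow_unmanaged_to_managed,
    }


def to_plist(payload: Dict) -> bytes:
    """Serialize to the XML plist form the MDM protocol carries."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    # Constructed mail-client configuration; the keys are app-defined, not Apple's.
    mail_config = {"ServerHostname": "mail.example.com", "ServerPort": 993, "UseSSL": True}
    envelope = build_install_application_command(
        store_id=123456789, app_config=mail_config,
        vpn_uuid="11111111-2222-3333-4444-555555555555")
    print(to_plist(envelope).decode())
    print(to_plist(build_managed_open_in_restrictions()).decode())
```

Run it with no arguments to print both plists; pass a configuration containing a key such as "Password" to see the lint refuse to build the command.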