Federation Best Practices
  • 14 Sep 2022
  • 2 Minutes to read

Using an identity provider other than Azure or Google

If you use an identity provider other than Azure or Google, use account federation to link your identity provider to Azure.

If your organization currently uses Office 365 and has integrated with your existing identity provider, this process is probably already complete and requires minimal setup to federate Azure to Apple Business Manager or Apple School Manager.

To learn more about federating a third-party identity provider to Azure, visit the links found at https://docs.jamf.com/jamf-security/radar/documentation/IdPs_that_Can_Be_Federated_with_Azure_AD.html.

Account federation flows from your chosen identity provider to Azure, and from Azure to Apple Business Manager or Apple School Manager, where accounts are created either automatically at the user's first login to a device that requires a Managed Apple ID, or in advance through SCIM.

A user first logs in through your organization's Azure domain webview. After the user enters an email address, the domain of that address is cross-checked to determine the source of truth for logins. The user is then redirected to the organization's identity provider web page to log in, and the identity and access tokens are passed back to Azure.

Federation Workflow

Azure -> Identity Provider -> Access token sent back to Azure -> User account created in Apple Business Manager / Apple School Manager

Reclaiming email addresses for Managed Apple IDs

If a user established a personal Apple ID using the organization's email address before Managed Apple IDs were set up, the Managed Apple ID setup process enters a 60-day warning period. The personal Apple ID user receives an email from an apple.com address advising them to move their Apple ID to another email address. Once all personal Apple IDs have been migrated, the 60-day hold is released and the organization can once again create Managed Apple IDs.

Reference: https://support.apple.com/guide/apple-business-manager/get-notified-about-user-name-conflicts-axme685676ac/web

Due to privacy concerns, AppleCare is unable to give the organization a list of the personal Apple IDs that need to be migrated. Because some organizations may need Managed Apple IDs sooner than 60 days, the following best practices can speed up the process.

  • Examine email server logs for warning messages. Apple sends a warning message to affected members of your organization via email. Look for patterns of messages sent from an apple.com address to your users.
  • Examine email server logs for bounced message notifications. If an employee has left the organization, re-establish an email account for that user, visit appleid.apple.com, and initiate a password reset / recovery. The password reset email will go to the email address your organization owns and controls. Once in the account, change the email address for the user.
  • Encourage organization users to move their Apple IDs to personal domains immediately, before attempting to set up Managed Apple ID federation.
  • Open a ticket with AppleCare Enterprise Support regarding the issue. While Apple may be unable to provide the exact list of users, they may be able to provide the estimated number of accounts that need to migrate.
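As an added example, not part of the Jamf article, the following Python script applies the first two points above to mail server logs: it correlates sender and recipient records by queue ID, counts notices from apple.com (and its subdomains) per recipient, and lists recipients whose notice bounced. The Postfix-style log format, the sample lines and every address and hostname in them are constructed assumptions; adapt the regular expressions to your own mail server's log format before running it on real logs.

```python
"""Scan mail-server logs for Apple user-name-conflict notices and for bounces.

Added example, not from the Jamf article. The log format is a constructed,
Postfix-style approximation and the sample lines are invented; adjust the
regular expressions to match your mail server's actual log format.
"""
import re
from collections import Counter

# Constructed sample log lines (Postfix-like): a "from=<...>" line records the
# sender and a "to=<...>" line records delivery status; both share a queue ID.
SAMPLE_LOG = """\
Sep 14 09:01:12 mx1 postfix/qmgr[2041]: 7A1B2C3D4E: from=<noreply@email.apple.com>, size=5120, nrcpt=1 (queue active)
Sep 14 09:01:13 mx1 postfix/smtp[2101]: 7A1B2C3D4E: to=<alice@example.org>, relay=local, status=sent (delivered to mailbox)
Sep 14 09:02:40 mx1 postfix/qmgr[2041]: 8B2C3D4E5F: from=<noreply@email.apple.com>, size=5118, nrcpt=1 (queue active)
Sep 14 09:02:41 mx1 postfix/smtp[2101]: 8B2C3D4E5F: to=<bob@example.org>, relay=local, status=bounced (unknown user: "bob")
Sep 14 09:03:05 mx1 postfix/qmgr[2041]: 9C3D4E5F60: from=<newsletter@vendor.example>, size=20480, nrcpt=1 (queue active)
Sep 14 09:03:06 mx1 postfix/smtp[2101]: 9C3D4E5F60: to=<alice@example.org>, relay=local, status=sent (delivered to mailbox)
Sep 14 10:15:22 mx1 postfix/qmgr[2041]: A1B2C3D4E5: from=<appleid@id.apple.com>, size=4990, nrcpt=1 (queue active)
Sep 14 10:15:23 mx1 postfix/smtp[2101]: A1B2C3D4E5: to=<alice@example.org>, relay=local, status=sent (delivered to mailbox)
"""

# Assumed field layout: "<timestamp> <host> postfix/<daemon>: <queue-id>: from=<...>"
FROM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/\S+: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>"
)
TO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/\S+: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+)"
)


def is_apple_sender(address: str) -> bool:
    """True when the sender's domain is apple.com or any subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == "apple.com" or domain.endswith(".apple.com")


def scan_mail_log(log_text: str) -> dict:
    """Correlate from/to lines by queue ID and summarise Apple-sent messages.

    Returns a dict with:
      apple_recipients: Counter mapping recipient -> number of Apple messages
      bounced: sorted list of recipients whose Apple message bounced
    """
    senders_by_qid = {}
    deliveries = []  # (queue id, recipient, delivery status)
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            senders_by_qid[m["qid"]] = m["sender"]
            continue
        m = TO_RE.match(line)
        if m:
            deliveries.append((m["qid"], m["rcpt"].lower(), m["status"]))

    apple_recipients = Counter()
    bounced = set()
    for qid, rcpt, status in deliveries:
        # Only messages whose sender record is an apple.com address are of interest
        if not is_apple_sender(senders_by_qid.get(qid, "")):
            continue
        apple_recipients[rcpt] += 1
        if status == "bounced":
            bounced.add(rcpt)
    return {"apple_recipients": apple_recipients, "bounced": sorted(bounced)}


if __name__ == "__main__":
    report = scan_mail_log(SAMPLE_LOG)
    print("Recipients of apple.com notices (candidates for personal Apple IDs on org addresses):")
    for rcpt, count in report["apple_recipients"].most_common():
        print(f"  {rcpt}: {count} message(s)")
    print("Bounced recipients (possibly departed users):", report["bounced"])
```

Recipients with repeated notices are the users to contact about moving their Apple ID; bounced recipients are the departed-user case covered by the second point above, where the organization re-establishes the mailbox to regain control of the account.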
