What are Managed Apple IDs?

Managed Apple IDs are Apple IDs that an organization creates and owns through Apple Business Manager or Apple School Manager. They are what allow user-owned devices to be enrolled in and managed with MDM via the User Enrollment option.

What is a Managed Apple ID?

Traditionally, individual users create Apple IDs designed primarily for personal use. They are used for activities such as app licensing, managing iCloud accounts, accessing iCloud services, etc. Once created, the user who created the ID is the only one who controls it. This presents a number of difficulties when such IDs are used at scale in a business environment.

Managed Apple IDs are Apple's latest solution to these difficulties while still providing similar functionality. The benefits include:

No more personal accounts for work – Apple Business Manager controls the Managed Apple IDs

Eliminates redundancy and creates IDs en masse

Users who have Apple Business Manager administrator privileges can also manage accounts. Admins, or “Managers”, have the ability to:

Create new IDs

Assign roles to the IDs

Reset ID account passwords

Restrict users’ access to ID accounts

Delete IDs

Update account information for IDs

Additionally, Apple also supports federation of Managed Apple IDs with Azure Active Directory. In this scenario, an Apple Business Manager account is linked to an Azure AD tenant. Managed Apple IDs are then created automatically from the identities that exist in Azure AD, and users sign in to them with their Azure AD credentials, so the account lifecycle follows the directory rather than a separately maintained password.

How to use a Managed Apple ID?

There are multiple uses for Managed Apple IDs:

Granting users access to the Apple Business Manager portal – this allows admins to delegate ‘roles’, or sets of permissions, relating to what the users can and cannot access within Apple Business Manager

Allowing users shared access to company accounts, such as iCloud Drive and iCloud Notes, for collaboration purposes

VPP app license assignment – VPP app licenses are tied to a Managed Apple ID rather than the device, allowing licenses to transfer between devices

User Enrollment

The last use case is one of the most significant, so let’s expand here.

What is User Enrollment?

User Enrollment is an addition to the device enrollment options supported by the Apple MDM spec, starting with iOS 13 and macOS 10.15. It is geared toward organizations that want to support a ‘Bring Your Own Device’ (BYOD) policy, and it is a significantly more privacy-focused form of enrollment: MDM gets only limited access to the user’s device, and personal and corporate data are kept separate. We have written about the topic in greater detail here: What is Apple’s “User Enrollment”?

User Enrollment requires a Managed Apple ID, which is associated with the device during enrollment. The user must enter their Managed Apple ID credentials in order to complete the enrollment process. That ID is used to install the MDM profile, assign app licenses, provide access to shared iCloud accounts, and control which users can reach these company-owned assets on their personal devices. Because the enrollment is tied to the Managed Apple ID rather than to the hardware, the MDM server identifies the device by an enrollment ID instead of its UDID or serial number, and it cannot erase the device or clear its passcode. A single Managed Apple ID may be used on multiple devices and does not interfere with any standard (personal) Apple ID already configured on a device.
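The following Python is an added example, not code from the article or from Apple. It shows the server-side shape of what the paragraph describes: an MDM payload that requests User Enrollment for a specific Managed Apple ID, a check that the assigned ID belongs to a domain the organization actually verified in Apple Business Manager, and two guards that apply User Enrollment’s limits once the device checks in. The payload keys `EnrollmentMode` and `AssignedManagedAppleID`, the check-in key `EnrollmentID`, and the command names `EraseDevice` and `ClearPasscode` come from Apple’s MDM protocol; the verified domain, URLs, push topic, certificate UUID and check-in messages are constructed for this example, and the `AccessRights` value is an assumption.

```python
"""Added example: User Enrollment MDM payload for a Managed Apple ID, plus
the checks an MDM server should apply for user-enrolled devices."""
import plistlib
import uuid

# Domains the organization has verified in Apple Business Manager (constructed).
VERIFIED_DOMAINS = {"example.com"}

# Commands MDM cannot run on a user-enrolled device: it may not erase the
# personally owned device or clear its passcode (assumed list for this example).
NOT_ALLOWED_UNDER_USER_ENROLLMENT = {"EraseDevice", "ClearPasscode"}


def managed_apple_id_is_valid(apple_id: str) -> bool:
    """True only for a single user@domain where domain is one we verified."""
    local, sep, domain = apple_id.strip().lower().rpartition("@")
    return bool(sep and local and "@" not in local and domain in VERIFIED_DOMAINS)


def build_user_enrollment_mdm_payload(managed_apple_id: str, server_url: str,
                                      checkin_url: str, topic: str,
                                      identity_uuid: str) -> dict:
    """MDM payload that requests User Enrollment for one Managed Apple ID."""
    if not managed_apple_id_is_valid(managed_apple_id):
        raise ValueError(f"not a Managed Apple ID in a verified domain: {managed_apple_id!r}")
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",          # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "MDM (User Enrollment)",
        "EnrollmentMode": "BYOD",                         # selects User Enrollment
        "AssignedManagedAppleID": managed_apple_id.strip().lower(),
        "ServerURL": server_url,
        "CheckInURL": checkin_url,
        "Topic": topic,
        "IdentityCertificateUUID": identity_uuid,
        "AccessRights": 8191,  # assumed value; User Enrollment still limits what MDM can do
    }


def profile_with_payload(payload: dict) -> bytes:
    """Wrap the MDM payload in a top-level configuration profile (XML plist)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.user-enrollment",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "User Enrollment",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def mdm_payload_from_profile(data: bytes) -> dict:
    """Parse a profile back and return its com.apple.mdm payload."""
    profile = plistlib.loads(data)
    for item in profile.get("PayloadContent", []):
        if item.get("PayloadType") == "com.apple.mdm":
            return item
    raise ValueError("profile has no com.apple.mdm payload")


def enrollment_kind(checkin: dict) -> str:
    """'user' when the device identifies itself only by EnrollmentID (User
    Enrollment), 'device' when it sends its hardware UDID (device enrollment)."""
    if "EnrollmentID" in checkin and "UDID" not in checkin:
        return "user"
    if "UDID" in checkin:
        return "device"
    raise ValueError("check-in carries neither EnrollmentID nor UDID")


def command_allowed(kind: str, request_type: str) -> bool:
    """Refuse commands that User Enrollment does not support instead of queueing them."""
    return not (kind == "user" and request_type in NOT_ALLOWED_UNDER_USER_ENROLLMENT)


if __name__ == "__main__":
    payload = build_user_enrollment_mdm_payload(
        "jane@example.com", "https://mdm.example.com/mdm",
        "https://mdm.example.com/checkin", "com.apple.mgmt.External.example",
        "A1B2C3D4-0000-0000-0000-000000000000")  # constructed values
    print(profile_with_payload(payload).decode())
    # Constructed Authenticate message from a user-enrolled device: no UDID.
    checkin = {"MessageType": "Authenticate", "EnrollmentID": "3F2A...", "Topic": "com.apple.mgmt.External.example"}
    kind = enrollment_kind(checkin)
    print(kind, command_allowed(kind, "EraseDevice"))
```

The domain check matters because `AssignedManagedAppleID` is what the device will insist the user sign in with; an ID outside the organization’s verified domains would simply fail enrollment, or worse, be a sign that a request was tampered with. The `enrollment_kind` split is where a server should decide which commands it is allowed to queue, since a user-enrolled device has no UDID or serial number to key on.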

In summary, Managed Apple IDs play a vital role in the User Enrollment option available as of iOS 13 and macOS 10.15 Catalina. They are one aspect of Apple’s attempt to further separate personal data and company data on user-owned devices (BYOD), while also helping to improve management options for device administrators.