Apple has made a series of changes to Apple Accounts (formerly Apple IDs), including some new and powerful Apple Business Manager (ABM) features for managing them. It's important to understand how your organization's domain(s) play into managing Apple Accounts, as many of the actions you can take revolve around them - domain locking, domain capture, domain federation, sync, and more.
What is a Personal Apple Account?
Apple Accounts are free accounts you can sign up for in order to take advantage of Apple's software and services. You likely have a Personal Apple Account that you use to download apps from the App Store, or sync your data with iCloud. These accounts are free to set up and are explicitly owned by you. Your Apple Account's login email address could be anything under the sun - a Gmail account, Microsoft account, or even your work email address. But note - if your Personal Apple Account uses your work email address, that account and all its activity are still owned by you, not your organization.
What is a Managed Apple Account?
Managed Apple Accounts are also free, but instead of being owned by an individual, they're tied to an organization. These accounts are created in Apple Business Manager and have some restrictions compared to Personal Apple Accounts - most notably, they can't use Find My or make any kind of purchase (Apps & Books, iTunes Store, etc.).
Many organizations have shifted from using Personal Apple Accounts to Managed ones. By doing this, they gain a few benefits:
- Managed Apple Accounts can be created by an administrator, have their MFA and passwords reset if needed, and ensure synced company data stays with the company.
- If you collaborate with other organizations, it builds trust in your brand if your clients and partners know that any Apple ID with an email address in your organization is legitimately connected to your organization.
- If you use Pages, Numbers, or Keynote collaboration, you can ensure that shared documents are being worked on through organization-owned Apple Accounts rather than Personal Apple Accounts.
How do we create Managed Apple Accounts?
An Apple Business Manager account is a prerequisite for Apple Support with Ntiva. Once your account is up and running, you can create Managed Apple Accounts at your convenience directly in ABM. However, those accounts will use a placeholder domain for their login email addresses - something like janedoe@acmecom.appleaccount.com. If you want to use your organization's domain in your Managed Apple Account names, you'll need to verify your domain to prove you own it.
Verifying your domain
Verifying your domain allows you to create Managed Apple Accounts using your organization's domain.
Through ABM, you can add a domain you own to begin creating Apple Accounts using your organization's domain (janedoe@acme.com). When you add a domain to ABM, you'll be asked to add a TXT record to your domain's DNS settings to prove you own and administer that domain. Once that's done, you'll be able to create Apple Accounts ending in @yourdomain.com.
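A quick way to confirm the TXT record is actually visible in public DNS before you press Verify in ABM is the check below. It is an added example, not code from this article, Ntiva or Apple; it assumes the record has the form apple-domain-verification=<token> (confirm the exact value ABM shows you) and uses dig for the live lookup, with a constructed sample of dig output for the offline parsing.

```python
"""Check that the ABM domain-verification TXT record is published in DNS."""
import re
import subprocess

# Assumed record prefix; ABM shows you the exact record to publish.
RECORD_PREFIX = "apple-domain-verification="

# Constructed sample of `dig +short TXT acme.com` output (not real records).
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net -all"
"apple-domain-verification=EXAMPLE-TOKEN-PLACEHOLDER"
"some-long-record-" "split-into-chunks"
'''


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into plain record strings.

    Each line is one TXT record made of one or more quoted chunks; records
    longer than 255 bytes come back as several chunks that must be joined.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
        else:
            records.append(line)  # some resolvers print unquoted text
    return records


def find_verification_tokens(records: list[str]) -> list[str]:
    """Return every Apple verification token published for the domain."""
    return [r[len(RECORD_PREFIX):].strip() for r in records if r.startswith(RECORD_PREFIX)]


def verification_record_present(records: list[str], expected_token: str) -> bool:
    """True only if the exact token ABM issued is published (compared case-sensitively)."""
    return expected_token in find_verification_tokens(records)


def fetch_txt_records(domain: str) -> list[str]:
    """Live lookup via dig (needs network; ask your authoritative server to avoid stale caches)."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


if __name__ == "__main__":
    recs = parse_dig_txt(SAMPLE_DIG_OUTPUT)
    print("verified" if verification_record_present(recs, "EXAMPLE-TOKEN-PLACEHOLDER") else "missing")
```

If the token is missing or differs only in case, the check fails; republish the record exactly as ABM shows it and wait for your DNS TTL before retrying in ABM.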
Locking your domain
Locking your domain prevents others from creating Personal Apple Accounts using your organization's domain.
Now that you have a verified domain, you can begin creating new Managed Apple Accounts using your organization's domain. But current and former employees can still create Personal Apple Accounts using your domain. To prevent anyone from creating Personal Apple Accounts using your organization's domain, you can now lock your verified domains in Apple Business Manager.
Lock a domain in Apple Business Manager
Domain Capture
Domain Capture lets you require any user whose Personal Apple Account uses your organization's domain as its contact email address to either change their login email address or migrate the account into your Apple Business Manager account.
By locking your domain, you've made sure no one creates new Personal Apple Accounts using your organization's domain. But what about existing Personal Apple Accounts? You can go through the process of Domain Capture to claim ownership of all email addresses in your domain that are used by Personal Apple Accounts. When you begin this process, emails are automatically sent to all Personal Apple Accounts using your organization's domain. Those users can either change their login email to something outside your domain (Gmail, AOL, Yahoo, Microsoft, etc.) or elect to convert their Personal Apple Account into a Managed one (if they were only using it for work purposes). Should a user elect to convert their Personal Apple Account to a Managed one, they should read Apple's support article carefully to know what will be retained in their account and what may be lost during the conversion. Most notably, while apps and user data are retained, iTunes purchases (movies, music, TV shows) are not.
About account transfers in Apple Business Manager
If you are asked to transfer your Apple Account or keep it as a personal account
Sign in with your Identity Provider
Enabling this feature allows your Managed Apple Account users to sign in using their Identity Provider credentials instead of having to create, maintain, and remember a separate Apple password.
If you plan on many users at your organization all using Managed Apple Accounts, it could be exhausting to create them all by hand. This is where the "Sign in with your Identity Provider" feature comes into play. When a user tries to sign in to the Settings app on iPhone/iPad, or System Settings on a Mac, using their organization email address, they'll be prompted to sign in with their Identity Provider (Microsoft, Google, Okta) using their work email address. Upon authenticating successfully, a brand new Managed Apple Account is created for them. Please note that this first sign-in must be done in a Settings app on an Apple device, not on an Apple website.
This feature is incredibly helpful for larger organizations where you want users to be able to create accounts at the point of need. It also means that once you've offboarded an employee and disabled their work email account, they can no longer sign in to their Managed Apple Account either.
Sync with your Identity Provider
Directory Sync allows Apple Business Manager to automatically create and delete Managed Apple Accounts for you. When a new account is detected in your Identity Provider, a new Managed Apple Account will be automatically created.
Using the "Sign in with your Identity Provider" feature is helpful at organizations where certain groups or departments need Managed Apple Accounts - but what if everyone does? Directory Sync may be right for you - when enabled, ABM will look at your Identity Provider's full directory and create Managed Apple Accounts for every active account. If your directory is up-to-date, this option makes the process of creating and removing Managed Apple Accounts as hands-off as possible.