Glossary
- Apple Business Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organization has purchased directly from Apple or from a participating Apple Authorized Reseller or cellular carrier. You can automatically enroll devices in your mobile device management (MDM) solution without having to physically touch or prepare the devices before users get them.
- Apple Customer Number
The account number (or numbers) assigned to your organization by Apple, used to purchase Apple hardware or software. It’s required in order to verify your organization’s eligibility for certain programs. If you don’t know the numbers, contact your purchasing agent, finance department, or Apple account team. This number isn’t the same as your GSX account number.
- Apple School Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organization has purchased directly from Apple or from a participating Apple Authorized Reseller or cellular carrier. You can automatically enroll devices in your MDM solution without having to physically touch or prepare the devices before users get them.
- authentication
Retrieving a credential from an authority after providing an assertion that proves your identity.
- authorization
Retrieving a token from an authority after authentication has been completed, that is, after an assertion that proves your identity has been provided.
- backup
A copy of important data that includes information such as the layout of the Home Screen, app data (such as Safari bookmarks and Calendar events), anything you can set in Settings on the device (including restrictions, certificates, and some account types), contacts, and the Camera Roll (but not photo albums). Backups don’t include apps or media that you would normally sync using the Finder (macOS 10.15 or later), using iTunes (macOS 10.14 or earlier), or stored in iCloud or iCloud Drive. A backup of an unsupervised device is identical to and interchangeable with a Finder or iTunes backup, and can be restored only to an unsupervised device. Similarly, a backup of a supervised device can be restored only to another supervised device.
- Bootstrap Token
An MDM-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token is used to help with granting a secure token to both mobile accounts and to the optional device enrollment-created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts.
- configuration profile
An XML file (ending in .mobileconfig) that consists of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually.
- D-U-N-S Number
A nine-digit identifier that’s assigned to each business by Dun & Bradstreet (D&B) and maintained in its database. Apple cross-checks program enrollees with the D&B database. For more information on how to obtain a D-U-N-S number for your business, see Welcome to D&B Support.
- duplicates
In MDM, two or more identical payloads. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting. For certain payload types, however, two or more instances can’t be active for a device or user at the same time; only a single payload of that type is allowed.
- enrollment methods
The three main methods of device enrollment into an MDM solution: User Enrollment, Device Enrollment, and Automated Device Enrollment.
- eSIM (embedded-SIM)
A software-based SIM used in Apple Watch Series 3 or later; in iPhone XR, iPhone XS, iPhone XS Max, or later; and in every iPad released since the 3rd generation iPad Pro. See also SIM card (Subscriber Identity Module).
- federated authentication
The process of using an account’s user name and password from one directory system and allowing the same user name and password to be used in other systems.
- identity
A certificate and its associated private key. Certificates can be freely distributed, but identities must be kept secure. The freely distributed certificate, and especially its public key, is used for encryption that can be decrypted only by the matching private key. The private key part of an identity is stored in a PKCS #12 (.p12) file and encrypted with another key that’s protected by a passphrase.
- identity federation
The establishment of trust between identity providers across security domains.
- local account pairing
A way to enforce smart card authentication for Mac computers on local accounts.
- machine-based enforcement (MBE)
An implementation that removes the option for password-based authentication in favor of smart card–only authentication for any account accessible by a Mac. Compare user-based enforcement (UBE).
- mobile device management (MDM)
A service that lets an administrator remotely manage enrolled devices. After a device is enrolled, the administrator can use the MDM service over the network to configure settings and perform other tasks on the device without user interaction.
- operating system and channel
MDM solution payloads can be used on specific operating systems and for Shared iPad and Mac channels. Because Shared iPad and Mac can have more than one user, a payload can be applied to the device channel (all users) or a user channel (specific users).
- Organization ID
Your unique identifier in Apple School Manager or Apple Business Manager. When you give a participating Apple Authorized Reseller or cellular carrier your Organization ID and you add that reseller’s Reseller Number to your account profile, you authorize that reseller to submit devices you purchased through them to Apple so devices’ serial numbers can appear in Apple School Manager or Apple Business Manager.
- payload
At least one managed setting. Some settings, such as LDAP, can have more than one payload. Use payloads to administer increased network security, user authentication, Wi-Fi authentication, VPN policy settings, mail settings, and more. See also settings.
- personal identity verification (PIV) card
A type of smart card technology used for two-factor authentication, digital signing, and encryption. The built-in support for smart cards in macOS is based on the CryptoTokenKit framework.
- Reseller Number
A unique identifier for each Apple Authorized Reseller or cellular carrier that participates in Apple School Manager or Apple Business Manager. When you add a participating Apple Authorized Reseller’s or cellular carrier’s Reseller Number to your account profile and you give that reseller your Organization ID, you authorize that reseller to submit devices you purchased through them to Apple so devices’ serial numbers can appear in Apple School Manager or Apple Business Manager.
- Secure Token
A macOS feature that addresses the implementation of encryption keys, when they’re generated, and how they’re stored. Specifically, a secure token is a wrapped version of a key encryption key (KEK) protected by a user’s password.
- settings
In the context of MDM, unique identifiers that can be applied to specific apps, features, or connectivity functions, such as Exchange, passcodes, VPN, Wi-Fi, proxies, and so forth. For example, the name of a Wi-Fi network or information about how to authenticate to an Exchange server would be a setting. After settings are entered for a given app, feature, or connectivity function, they become a payload. See also payload.
- SIM card (Subscriber Identity Module)
A universal integrated circuit card (UICC) for identifying and authenticating subscribers on mobile devices. See also eSIM (embedded-SIM).
- single sign-on
A process in which a user provides authentication and authorization information once and receives a ticket to access resources for as long as the ticket is valid (usually 10 hours).
- supplier
The entity you purchase eligible devices from. If you purchased the device directly from Apple using a purchase order (PO), then you would enter your Apple Customer Number as your supplier using the Apple (Direct) option. If you purchased your device through a participating Apple Authorized Reseller or cellular carrier, then you would add them as a supplier to your account by entering their Reseller Number using the Reseller option. Each supplier needs to be added only once to your account profile.
- user-approved MDM enrollment
In macOS 10.13.2 or later, user-approved MDM enrollment grants mobile device management (MDM) software additional privileges. As of macOS 11, it’s no longer possible to install profiles using the command line, so all new MDM enrollments are approved by the user. User-approved MDM enrollment is different from User Enrollment.
- user-based enforcement (UBE)
An implementation that creates an exception to smart card–only authentication for specific users or groups of users. This option disables all password-based authentication. Compare machine-based enforcement (MBE).