Managed Apple Accounts for Apple devices
Managed Apple Accounts are a great way to increase the productivity of employees and provide the services users may need. These accounts are designed specifically for organizations and are separate from the personal Apple Accounts users create for themselves. This helps to keep organizational data separate from personal data, with robust management controls.
Like any Apple Account, Managed Apple Accounts can be used on dedicated or shared devices to access specific Apple services—including Shared iPad, iCloud and collaboration with iWork and Notes—and to access and use Apple School Manager and Apple Business Manager.
In Apple School Manager, Managed Apple Accounts are owned and managed by the educational institution and are designed to meet the needs of education organizations—including password resets, limitations on communications, and role-based administration. Apple School Manager makes it easy to create a unique Managed Apple Account for each person in bulk.
In Apple School Manager and Apple Business Manager, Managed Apple Accounts are owned and managed by the organization—including password resets, managing service access, and role-based administration. Apple School Manager and Apple Business Manager make it easy to create a unique Managed Apple Account for each person in bulk.
To view the certifications Apple maintains in compliance with the ISO 27001 and 27018 standards for Managed Apple Accounts, see Apple internet services security certifications in Apple Platform Certifications.
How Managed Apple Accounts are created
Managed Apple Accounts are created after you:
Use federated authentication with Google Workspace, Microsoft Entra ID, or an identity provider (IdP)
Import users from Google Workspace, Microsoft Entra ID, or an IdP
Apple School Manager only: Import accounts from your Student Information System (SIS)
Apple School Manager only: Import .csv files using the Secure File Transfer Protocol (SFTP)
Create accounts manually
Domain capture and account transfer
In Apple School Manager and Apple Business Manager, if an organization wants to manage and own all personal Apple Accounts using their verified domain, they can use the domain capture process to claim ownership of their domain and all associated personal Apple Accounts.
For more information, see:
Apple School Manager User Guide: Manage domain ownership
Apple Business Manager User Guide: Manage domain ownership
Sign in with Apple at Work & School
Sign in with Apple at Work & School is a feature that adds support for Managed Apple Accounts to sign in with Apple. Employees, instructors, and students can sign in with their Managed Apple Accounts to access apps and websites that support Sign in with Apple. Administrators, Site Managers (Apple School Manager only), and People Managers can control which apps can be used with Sign in with Apple. To use Sign in with Apple at Work & School, devices must have iOS 16, iPadOS 16.1, macOS 13, or later.
To learn more, see the WWDC22 video Discover Sign in with Apple at Work & School.
Passkeys with Managed Apple Accounts
Passkeys are designed to provide a passwordless sign-in experience that is both convenient and secure. They are a standards-based technology that can resist phishing, are always strong, and have no shared secrets.
With iCloud Keychain support for Managed Apple Accounts, organizations can deploy passkeys to allow employees to access corporate resources and make sure passkeys securely sync to all their iPhone, iPad, and Mac devices. Using access management functionality, they can also define the required management state of a device to allow access to the managed passkeys.
A declarative passkey attestation configuration allows a managed device to provide an attestation when a passkey gets provisioned for an organizational service. The attestation is provided when a user registers a passkey for a website or app using a domain specified in the configuration. After the device has securely generated a passkey, it uses the certificate identity defined in the configuration to perform a WebAuthn attestation with the accessed service. This allows the service to verify that the passkey was created on a device managed by the organization before provisioning access.
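The relying-party side of that exchange, as an added Go example that is not Apple's code and does not reproduce a real attestation object: it takes the fields already decoded from the WebAuthn attestation object (attestation certificate, authenticatorData, SHA-256 of clientDataJSON, signature) and checks that the certificate chains to the organization's own attestation CA, that authenticatorData is bound to the relying party, and that the signature covers authData || clientDataHash. The CA, the device identity, the RP ID and the registration data are all constructed for the demo; CBOR decoding of the attestation object is assumed to happen before this function is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyManagedPasskeyAttestation is the relying party's check when a device registers a passkey.
func VerifyManagedPasskeyAttestation(orgRoots *x509.CertPool, rpID string, authData, clientDataHash, sig, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err == nil { // 1. The attestation certificate must chain to the org's own CA: evidence of a managed device.
		_, err = leaf.Verify(x509.VerifyOptions{Roots: orgRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return fmt.Errorf("attestation certificate not issued under the org CA: %w", err)
	}
	rpHash := sha256.Sum256([]byte(rpID)) // 2. authData must be bound to this RP ID and carry attested credential data (AT flag).
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x40 == 0 {
		return fmt.Errorf("authData is not bound to %q or lacks attested credential data", rpID)
	}
	signed := append(append([]byte{}, authData...), clientDataHash...) // 3. The signature covers authData || SHA-256(clientDataJSON).
	return leaf.CheckSignature(x509.ECDSAWithSHA256, signed, sig) // nil when it verifies under the leaf's key
}

// SignAttestation is the device side: sign authData || clientDataHash with the provisioned identity key.
func SignAttestation(devKey *ecdsa.PrivateKey, authData, clientDataHash []byte) ([]byte, error) {
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// NewDemoChain constructs a throwaway org attestation CA and a device identity certificate it issued (demo only).
func NewDemoChain() (*x509.CertPool, []byte, *ecdsa.PrivateKey) {
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Org Attestation CA"}, IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	devTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "managed-device-0001"}, NotBefore: caTpl.NotBefore, NotAfter: caTpl.NotAfter}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devDER, _ := x509.CreateCertificate(rand.Reader, devTpl, caCert, &devKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, devDER, devKey
}
```

A registration whose certificate chains only to a public web PKI root, or to a CA the organization does not control, fails step 1 and should be treated as coming from an unmanaged device.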
The generated passkeys get automatically stored in the iCloud Keychain associated with the Managed Apple Account. When no Managed Apple Account is present, the passkey can’t be created.
To provide a simple sign-in flow to the user, app developers can make use of associated domains to establish a secure association between domains and their app (and optionally allow a configuration of associated domains via MDM). If this is available, iOS, iPadOS, and macOS can automatically select and provide the correct passkey for a seamless sign-in experience. If authentication is being performed by a third-party service, ASWebAuthenticationSession can be used instead.
For more information, see Passkey Attestation declarative configuration.