iCloud for Apple platform deployments
Depending on your organization’s deployment model, users of your managed devices might use their personal Apple Account, a Managed Apple Account, both, or neither.
For users working on devices your organization owns, consider providing them with a Managed Apple Account. Because the account is owned by your organization, you can then manage not only the services they can access but also the devices they can sign in to.
iCloud services
With iCloud services available to a Managed Apple Account, users can store content such as contacts, calendars, documents, and notes—and keep them up to date across multiple Apple devices. iCloud secures content by encrypting it when it’s sent over the internet, storing it in an encrypted format, and using secure tokens for authentication. For more information on iCloud security, see iCloud security overview in Apple Platform Security.
Note: Some iCloud features require a Wi-Fi connection, some features aren’t available in all countries or regions, and access to some services is limited to 10 devices with the same Apple Account.
iCloud Drive
Users can store their documents and files on iCloud Drive and access them from iPhone, iPad, and Mac devices, and from Windows computers that are set up with iCloud. Documents are kept up to date on all devices, and changes made to a file when the user is offline are automatically updated when the device comes online.
Users can also configure their macOS Desktop and Documents folders to be stored in iCloud Drive automatically, allowing the contents to be available on all the user’s devices.
Users can even collaborate on documents stored in iCloud Drive, provided that the documents are created with Pages, Numbers, Keynote, or other apps that support CloudKit. For Managed Apple Accounts, organizations can define whether collaboration is possible only with internal users or also with external users.
iCloud Keychain
iCloud Keychain keeps Wi-Fi network passwords and website passwords used in Safari up to date on all of a user’s iPhone, iPad, and Mac devices set up with iCloud. It also stores internet account sign-in and configuration information, and passwords for other apps that support iCloud. iCloud Keychain can also store credit card information users save in Safari, so Safari can automatically fill in the information.
iCloud Keychain consists of two services:
Keeping Keychain up to date on all devices
Keychain recovery
To securely exchange keychain items, a circle of trust is established and used among approved devices of a user. New devices joining the circle need to be approved either by an existing iCloud Keychain device or by using iCloud Keychain recovery. Each item that’s synced is encrypted so that it can be decrypted only by a device within the user’s circle of trust; it can’t be decrypted by any other devices or by Apple.
iCloud Keychain escrows users’ keychain data with Apple without allowing Apple to read the passwords and other data it contains. Even if the user has only a single device, keychain recovery provides a safety net against data loss. This is particularly important when Safari is used to generate random, strong passwords for web accounts, because the only record of those passwords is in the keychain.
Part of keychain recovery is secondary authentication and a secure escrow service, created by Apple specifically to support this feature. The user’s keychain is encrypted under a strong encryption key, and the escrow service provides a copy of that key only if a strict set of conditions is met and the user enters the passcode of one of their previous devices.
Important: Managed Apple Accounts don’t support iCloud Keychain recovery using a recovery contact.
Access iCloud services
Signing in with a Managed Apple Account during Setup Assistant or using the Apple Account menu item at the top of Settings (iPhone and iPad) or System Settings (Mac) provides access to all services available to the account.
Users can add additional accounts in Settings > Mail > Accounts (iPhone, iPad, Apple Vision Pro) or in System Settings > Internet Accounts (Mac) to access mail (if mail is available for the account), contacts, and calendars stored with another personal Apple Account and contacts, calendars, and reminders of a Managed Apple Account.
Account-driven Device Enrollment and User Enrollment extend the list of services accessible on a device with a Managed Apple Account to contacts, calendars, reminders, notes, iCloud Drive, and iCloud Backup.
Manage iCloud access
You can turn off individual iCloud services available to a Managed Apple Account in Apple School Manager and Apple Business Manager. In addition, you can define which devices users can sign in to and access their Managed Apple Account data from, and specify who they can communicate and collaborate with. If the user primarily uses a personal Apple Account, organizations can disable certain iCloud services on managed devices through restrictions. Note that some restrictions require that the device be supervised.
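The restrictions mentioned above are delivered to a managed device as a configuration profile whose Restrictions payload (PayloadType com.apple.applicationaccess) sets per-service keys to false. The following is an added example, not Apple’s code or part of this guide: it builds such a profile with Python’s standard plistlib and audits an existing profile to report which iCloud services it disables, explicitly allows, or leaves at the device default. The restriction key names are Apple’s documented keys; the PayloadIdentifier values, organization name, and service labels are placeholders. Which keys apply on a given platform, and which take effect only on supervised devices, must be checked against Apple’s current profile documentation before deployment.

```python
import plistlib
import uuid

# Restrictions payload keys that control iCloud services. The key names are
# Apple's; the short labels on the right are our own, for reporting only.
ICLOUD_RESTRICTION_KEYS = {
    "allowCloudDocumentSync": "iCloud Drive (documents and data)",
    "allowCloudKeychainSync": "iCloud Keychain",
    "allowCloudBackup": "iCloud Backup",
    "allowCloudPhotoLibrary": "iCloud Photos",
    "allowManagedAppsCloudSync": "Managed apps storing data in iCloud",
}


def build_icloud_restrictions_profile(disabled, allowed=(), org="Example Org"):
    """Return a configuration profile (XML plist bytes) whose Restrictions
    payload sets each key in `disabled` to False and each key in `allowed`
    to True. Unknown keys are rejected, so a typo cannot silently produce a
    profile that restricts nothing. Identifiers are placeholders."""
    requested = set(disabled) | set(allowed)
    unknown = requested - ICLOUD_RESTRICTION_KEYS.keys()
    if unknown:
        raise ValueError(f"unknown restriction keys: {sorted(unknown)}")
    if set(disabled) & set(allowed):
        raise ValueError("a key cannot be both disabled and allowed")

    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.icloud",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iCloud restrictions",
    }
    for key in disabled:
        restrictions[key] = False
    for key in allowed:
        restrictions[key] = True

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.icloud",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{org} iCloud restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_icloud_restrictions(profile_bytes):
    """Parse a profile and report, for every known iCloud restriction key,
    False (service disabled), True (explicitly allowed) or None (key not
    present, so the device default applies). Later payloads override
    earlier ones if a profile carries more than one Restrictions payload."""
    profile = plistlib.loads(profile_bytes)
    state = {key: None for key in ICLOUD_RESTRICTION_KEYS}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in ICLOUD_RESTRICTION_KEYS:
            if key in payload:
                state[key] = bool(payload[key])
    return state


def disabled_services(profile_bytes):
    """Sorted list of iCloud restriction keys the profile sets to False."""
    return sorted(k for k, v in audit_icloud_restrictions(profile_bytes).items()
                  if v is False)


if __name__ == "__main__":
    prof = build_icloud_restrictions_profile(
        disabled=["allowCloudDocumentSync", "allowCloudKeychainSync"],
        allowed=["allowCloudBackup"],
    )
    print(prof.decode())
    for key, value in audit_icloud_restrictions(prof).items():
        label = ICLOUD_RESTRICTION_KEYS[key]
        status = {False: "disabled", True: "allowed", None: "device default"}[value]
        print(f"{label:40} {status}")
```

The audit function is the useful half in practice: run it over profiles exported from an MDM to confirm that a device which should not sync documents or keychain items to a personal Apple Account actually carries the matching keys set to false, rather than relying on the profile’s display name.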