Intro to Apple identity services
Apple provides your organisation with various identity services to help you manage passwords and usernames securely — both across your workplace and in the cloud. Apple uses security measures like authentication, authorisation and identity federation, so that individual users can access their favourite apps and other resources without, for example, the additional hardship of setting up usernames and passwords for each one.
Below is an overview of the key identity service methods — authentication, authorisation and identity federation — along with examples of how Apple uses them in identity services.
Authentication and associated Apple services
The first step in a security process is authentication. Authentication verifies the identity of the user to make sure it’s legitimate.
Apple uses many methods of authentication. With single sign-on and Apple services such as a personal Apple Account, Managed Apple Account, iCloud, iMessage and FaceTime, users communicate securely, create documents online and back up their personal data — all without compromising their organisation’s data. Each service uses its own security architecture. In this way, Apple ensures secure handling of data (whether it’s on an Apple device or in transit over a wireless network), protects users’ personal information, and defends against malicious or unauthorised access to information and services. In addition, Apple has a built-in mobile device management (MDM) solution framework that supports MDM solutions to restrict and manage access to specific services on Apple devices.
Authorisation and associated Apple services
Whereas authentication proves who you are, authorisation defines what users are allowed to do. For authorisation to work, you provide a user’s name and password to an identity provider (IdP). In conceptual terms, the IdP is the “authority”, the user name and password is the “assertion” (because that person “asserts” their identity), and the data a user receives after successfully signing in is the “token”.
Apple employs many types of tokens and many types of assertions. Some assertions that can be used include certificates, smart cards and other multi-factor devices.
Identity federation
Identity federation is the process of establishing trust between IdPs across security domains, so users can then move freely between systems while maintaining security. For identity federation to work, administrators must set up domains that trust each other and they must agree on a single method to identify users.
A common example of identity federation is using your enterprise account to sign in to an IdP. For example, to help streamline the creation of Managed Apple Accounts for an organisation, Apple has enabled federation between an identity provider (IdP), Google Workspace and Microsoft Entra ID, and Apple School Manager, Apple Business Manager or Apple Business Essentials. Users can then use their existing identity provider (IdP), Google Workspace or Microsoft Entra ID accounts to sign in to iCloud or to sign in on Apple devices associated with Apple School Manager, Apple Business Manager or Apple Business Essentials. If a user isn’t challenged to assert their identity again, then federation is performed using single sign-on or a Kerberos Single Sign-on extension.