Managed Apple ID security
Managed Apple IDs function much like an Apple ID but are owned and controlled by enterprise or educational organisations. These organisations can reset passwords and turn off communications such as FaceTime and iMessage, and set up role-based permissions for employees, staff members, teachers and students.
For Managed Apple IDs, some services are disabled (for example, App Store, HomeKit and Find My).
Access management for Managed Apple IDs
Organisations can use access management available in Apple Business Manager, Apple School Manager and Apple Business Essentials to define where Managed Apple IDs can be used and what services are available to them.
With access management, you can define whether users can sign in with a Managed Apple ID on any device, on managed devices only, or on managed and supervised devices only. Also, administrators can configure whether users are allowed to sign in to iCloud on the web. This allows organisations to use the management state of the device as a factor to decide if access to organisational data should be granted.
Additionally, administrators can define which iCloud services are available to their users. This includes defining access to the Apple Developer Programmes and the AppleSeed for IT beta programme, and determining whether users are allowed to access the Apple Privacy portal at privacy.apple.com.
Managed Apple IDs also support collaboration on documents using Keynote, Numbers, Pages, Reminders and Notes, as well as communication using FaceTime and iMessage. For those services, organisations can define whether users can collaborate with anyone or only with accounts created within the same Apple School Manager, Apple Business Manager or Apple Business Essentials organisation.
If access management rules change, they are reflected on devices the user is signed in to with their Managed Apple ID. If requirements for the management state of a device are changed, a Managed Apple ID is automatically signed out of a device if the device state doesn’t meet the new requirements.
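As an added illustration (this is not Apple's code; Apple Business Manager and Apple School Manager expose these settings only through their admin consoles), the following hypothetical Python model evaluates a sign-in against the three device-state tiers described above and lists which existing sessions would be signed out automatically when the rule is tightened:

```python
from dataclasses import dataclass
from enum import IntEnum


class SignInPolicy(IntEnum):
    """Where a Managed Apple ID may sign in; a higher value is stricter."""
    ANY_DEVICE = 0
    MANAGED_ONLY = 1
    MANAGED_AND_SUPERVISED_ONLY = 2


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool      # enrolled in MDM
    supervised: bool   # supervision is only possible on a managed device

    def __post_init__(self):
        if self.supervised and not self.managed:
            raise ValueError(f"{self.name}: a supervised device must be managed")


@dataclass(frozen=True)
class AccessRules:
    sign_in: SignInPolicy
    icloud_web: bool   # may the user sign in to iCloud on the web?


def device_meets(policy: SignInPolicy, device: Device) -> bool:
    """Does the device's management state satisfy the sign-in policy?"""
    if policy is SignInPolicy.ANY_DEVICE:
        return True
    if policy is SignInPolicy.MANAGED_ONLY:
        return device.managed
    return device.managed and device.supervised


def sign_out_on_change(old: AccessRules, new: AccessRules, fleet: list[Device]) -> list[str]:
    """Names of devices that could sign in under the old rules but fail the new ones."""
    return [d.name for d in fleet
            if device_meets(old.sign_in, d) and not device_meets(new.sign_in, d)]


# Constructed sample fleet (hypothetical, not from the page).
FLEET = [
    Device("personal-ipad", managed=False, supervised=False),
    Device("byod-mac-user-enrolment", managed=True, supervised=False),
    Device("corporate-iphone", managed=True, supervised=True),
]

if __name__ == "__main__":
    before = AccessRules(SignInPolicy.MANAGED_ONLY, icloud_web=True)
    after = AccessRules(SignInPolicy.MANAGED_AND_SUPERVISED_ONLY, icloud_web=False)
    print("signed out after tightening:", sign_out_on_change(before, after, FLEET))
```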
Inspecting Managed Apple IDs
Managed Apple IDs created in Apple School Manager also support inspection, which allows organisations to comply with legal and privacy regulations. A user with the role of Administrator, Site Manager, People Manager or Instructor can inspect specific Managed Apple ID accounts.
Inspectors can only monitor accounts that are below them in the organisation’s hierarchy. For example, teachers can monitor students, managers can inspect teachers and students, and administrators can inspect managers, teachers and students.
When inspection credentials are requested using Apple School Manager, a special account is issued that has access only to the Managed Apple ID for which inspection was requested. The inspector can then read and modify the user’s content stored in iCloud or in CloudKit-enabled apps. Every request for inspection access is logged in Apple School Manager. The logs show who the inspector was, the Managed Apple ID the inspector requested access to, the time of the request and whether the inspection was performed.