Managed Apple IDs: Right for Your Business?

What are Managed Apple IDs?

As you likely know, an Apple ID is created by a person and used to authenticate and log into a device. It stores user settings that the device will recognize when that ID is used. These IDs are primarily created for personal use, but until recently they were also used on company-owned devices. A Managed Apple ID is a type of Apple ID that is unique to your company and separate from the Apple IDs employees create themselves.

Managed Apple IDs are created in Apple Business Manager (ABM) and are then managed by whoever manages your ABM account (often your IT administrator). They can be used to manage the Apple services an ID can access. Similar to Apple IDs, a Managed Apple ID is created to personalize a device and, with ABM, administrators can easily create one for each employee using their existing company credentials. This option gives companies an easier way to create and distribute these managed IDs, allowing users to collaborate with Apple apps and services. Since this feature caters to business purposes, managed IDs automatically disable specific features to protect organizations. We will get into these restricted features a little later.

Since Apple rolled out Managed Apple IDs, we have started to see the development of integrations with third-party identity and access management (IAM) solutions. Currently you can take advantage of federated authentication with either Google Workspace or Microsoft Azure Active Directory (Azure AD), allowing employees to leverage their credentials for those systems to sign in to their Managed Apple IDs.

Why would a business use Managed Apple IDs?

When it comes to managing Apple IDs in a business setting, there are many perks to using Managed Apple IDs. It becomes a matter of weighing the pros and cons to decide if it is a fit for your company.

The first pro to consider is the shift in responsibility from employees to IT, or whoever manages your Apple devices. Your IT team creates Managed Apple IDs in Apple Business Manager and manages them from that ABM portal. This means your employees won’t have to worry about creating their own Apple IDs, managing those Apple IDs or downloading the tools and software they need. All of this will come from IT and Apple’s free programs for app purchasing and device enrollment, and will be deployed through your MDM. The result is more control over devices as well as a smoother onboarding process.

In addition to the perks of onboarding and associated responsibilities, this control can offer a heightened level of security. Because Managed Apple IDs mean that all apps and tools are pushed by IT and Apple Business Manager, each app can be properly vetted before deploying to devices. This allows you to verify that every tool is secure, prevent employees from downloading insecure or rogue applications, and ensure that all company and client data is only backed up and saved in places you approve.

The third perk falls in line with ease of troubleshooting and device turnover. Everyone enjoys devices when they are working as planned, but what about when things go wrong? One of the pitfalls of device management that is often forgotten about until the occasion arises is troubleshooting. After all, part of the reason you invest in MDM is to prepare and plan for when things get tricky. Since Managed Apple IDs are managed by IT, troubleshooting is easier as you won’t rely on your employees to remember their Apple ID credentials. Additionally, if an employee should ever leave your organization, you won’t run the risk of being unable to access the device because you don’t know those credentials.

You may have noticed that most of these benefits really seem angled toward benefiting the IT team or the person that manages your devices and MDM platform.

It’s true. Most of the benefits of using Managed Apple IDs benefit IT, but there are also benefits to the user. We already mentioned users not having to feel responsible for managing their credentials and day-to-day management, but Managed Apple IDs also offer enhanced collaboration. Managed IDs allow users to look up others in your ABM organization to collaborate across apps. It goes without saying that ease of collaboration assists in getting more done on time and more effectively to help you achieve your business goals.

What is the downside of using Managed Apple IDs?

You may be reading the above section and thinking to yourself, “All of that is perfect, why wouldn’t everyone be using these?” It’s a fair question to ask, and to summarize an answer for you, Apple stresses that because Managed Apple IDs help protect your business, there are services that are automatically disabled.

These disabled services include:

  • App Store purchasing
  • iTunes Store purchasing
  • Book Store purchasing
  • HomeKit connected devices
  • Apple Pay
  • Find My iPhone
  • Find My Mac
  • Find My Friends
  • iCloud Mail
  • iCloud Keychain (however, keychain items are saved and restored on Shared iPad devices)
  • iCloud Family Sharing
  • FaceTime (this is off by default, but your institution can turn it on)
  • Messages (this is off by default, but your institution can turn it on)

There are two items in this list that deserve the most attention: the restrictions on purchasing and on the Find My app. In our experience, these tend to be the two points that people get hung up on and that prevent them from using Managed Apple IDs, and for good reason.

We will start with the restrictions to the Find My app because those are actually easy to overcome using Jamf Pro and Jamf Now as your MDM provider. A lot of people fear that they won’t be able to locate a device should something happen with the Find My app disabled. However, restricting the Find My app does not disable location services. A Jamf user is still able to remotely put a device into Lost Mode to lock it down and turn on its location to help find it. Hopefully, knowing this lets you rest a little easier.

The main potential downside of Managed Apple IDs? They can restrict enabling and empowering your employees. For many people, the goal of using Apple and Jamf to manage devices is to enable and empower your employees to maximize their effectiveness by using devices as their tool for success. By disabling the App Store, iBook Store and iTunes Store, you are requiring that all the content from these stores be pushed through Apple Business Manager by your IT team. You are denying your employees the ability to personalize their devices and arm themselves with the tools they find valuable — even free apps.

This is, of course, a con to some people and a pro to others. It’s why earlier in this article we talked about this same aspect being viewed as a security benefit. However, there is no denying it can feel like a double-edged sword. Some people want to offer the ability for employees to find their own apps since they may not have strict security restrictions, while others are seeking that level of device control. This is when the decision becomes yours to make.

It should be noted that if you use standard Apple IDs with Jamf Pro or Jamf Now as your MDM provider, you would have the ability to restrict access to these individual stores while offering yourself flexibility to change that over time. For example, you could disable Book Store purchasing and iTunes Store access while enabling employees to use the App Store, but if you select Managed Apple IDs, those restrictions are baked in. Currently, there is nothing any MDM can do to change those settings.

Managed Apple IDs are a great addition to Apple’s work in business settings, but they are not a good fit for everyone. Recognizing what you hope to achieve is the first step, and we hope the information above can guide you to identifying whether these are right for you and what your team and organization need to succeed.