
Intro to roles and permissions in Apple Business
Overview
Roles in Apple Business allow users to perform certain tasks or use certain features, and every Apple Business user must be assigned at least one role. Each role carries a set of permissions that is either predefined or editable by you, and roles fall into two categories:
Default roles: Organization Administrator, IT Administrator, Marketing Administrator, Staff
After an organization is verified, any user whose role has permissions to view, edit, and delete roles can change specific permissions on all default roles. See Default roles and permissions.
Custom roles: People Manager, Device Enrollment Manager, Content Manager, and roles that you create
Any user whose role has permissions to view, edit, and delete roles can configure custom roles with very granular permissions.
Certain roles can manage other roles. For example, a user with the role of Organization Administrator can manage a user with the role of IT Administrator, Marketing Administrator, or Staff.
Important: Users with the role of Organization Administrator or any custom role that has permissions to set up and configure federation and connect to an identity provider (IdP) can’t sign in using federated authentication; they can only manage the federation process.
What permissions do roles assigned to additional organizational units have?
When you sign up for Apple Business, Apple creates an initial organization for you based on the information you provided and Apple verified. The initial user is assigned the role of Organization Administrator, and at most 10 users can hold that role. Users with that role have permissions to manage any features of any additional organizational units.
When additional organizational units are created, users can be assigned a role for that organizational unit. A user assigned a role in an additional organizational unit has permissions only for that specific organizational unit and can't make changes to the initial organization.
Can users have more than one role assigned?
Users can be assigned more than one role in more than one organizational unit. For example, you can have a user whose role has the following permissions:
View apps and books
Get licenses for apps and books
Assign licenses for apps and books
If that role is assigned to the initial organization, those permissions can be used for all organizational units.
If that role is assigned to two organizational units (neither of which are the initial organization), those permissions can be used only for those two organizational units.
What default roles can manage other roles?
| Role | Can manage the following other roles |
|---|---|
| Organization Administrator | Other Organization Administrators; IT Administrator; Marketing Administrator; Staff; all custom roles |
| IT Administrator | Other IT Administrators; Staff; all custom roles |
| Marketing Administrator | None |
| Staff | None |
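The two rules above, the scoping of a role by the organizational unit it is assigned in and the default table of which roles can manage which, are the parts of this model that are easy to get wrong when you audit or script role assignments. The following is an added example, not code from Apple or from this page: a small Python model that applies both rules so you can check a proposed set of assignments before making it. The unit names, user names, the role name "Apps and Books Buyer" (carrying the three example permissions from the page), the `*custom*` marker, and the assumption that custom roles manage no other roles by default are all assumptions of the example.

```python
from dataclasses import dataclass, field

INITIAL_ORG = "Initial organization"   # assumed label for the initial organization
ORG_ADMIN = "Organization Administrator"
MAX_ORG_ADMINS = 10                    # page: at most 10 users can hold Organization Administrator
ANY_CUSTOM = "*custom*"                # stands for "all custom roles" in the table below

# Default management table from the page: role -> roles it can manage.
# Custom roles are not in the table, so this model lets them manage nothing (assumption).
CAN_MANAGE = {
    ORG_ADMIN: {ORG_ADMIN, "IT Administrator", "Marketing Administrator", "Staff", ANY_CUSTOM},
    "IT Administrator": {"IT Administrator", "Staff", ANY_CUSTOM},
    "Marketing Administrator": set(),
    "Staff": set(),
}
DEFAULT_ROLES = frozenset(CAN_MANAGE)

# The three example permissions from the page; the role name is an assumption.
BUYER_ROLE = "Apps and Books Buyer"
BUYER_PERMS = frozenset({
    "View apps and books",
    "Get licenses for apps and books",
    "Assign licenses for apps and books",
})


def can_manage(manager_role, target_role):
    """True if a user holding manager_role may manage a user holding target_role."""
    allowed = CAN_MANAGE.get(manager_role, set())
    if target_role in DEFAULT_ROLES:
        return target_role in allowed
    return ANY_CUSTOM in allowed      # every non-default role counts as a custom role


@dataclass
class User:
    name: str
    # organizational unit -> set of role names assigned to this user in that unit
    assignments: dict = field(default_factory=dict)


class Directory:
    def __init__(self, roles):
        self.roles = dict(roles)      # role name -> set of permission strings
        self.users = {}

    def add_user(self, name):
        self.users[name] = User(name)
        return self.users[name]

    def org_admin_count(self):
        """Number of distinct users holding Organization Administrator anywhere."""
        return sum(any(ORG_ADMIN in r for r in u.assignments.values())
                   for u in self.users.values())

    def assign(self, user, role, unit):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if role == ORG_ADMIN:
            already_admin = any(ORG_ADMIN in r for r in user.assignments.values())
            if not already_admin and self.org_admin_count() >= MAX_ORG_ADMINS:
                raise ValueError(f"at most {MAX_ORG_ADMINS} users may be {ORG_ADMIN}")
        user.assignments.setdefault(unit, set()).add(role)

    def effective_permissions(self, user, unit):
        """Permissions the user can exercise in `unit`.

        Roles assigned in the initial organization apply to every unit; roles
        assigned to another unit apply only to that unit and never to the
        initial organization.
        """
        names = set(user.assignments.get(INITIAL_ORG, set()))
        names |= user.assignments.get(unit, set())
        perms = set()
        for n in names:
            perms |= self.roles[n]
        return perms


if __name__ == "__main__":
    # Constructed demo data: the page does not list Organization Administrator's permissions.
    d = Directory({BUYER_ROLE: BUYER_PERMS, ORG_ADMIN: set()})
    ana = d.add_user("ana")
    d.assign(ana, BUYER_ROLE, INITIAL_ORG)          # role on the initial org: applies everywhere
    ben = d.add_user("ben")
    d.assign(ben, BUYER_ROLE, "Sales")              # role on two units: applies only there
    d.assign(ben, BUYER_ROLE, "Support")
    for unit in (INITIAL_ORG, "Sales", "Finance"):
        print(unit, "ana:", len(d.effective_permissions(ana, unit)),
              "ben:", len(d.effective_permissions(ben, unit)))
    print(can_manage("IT Administrator", "People Manager"),
          can_manage("IT Administrator", ORG_ADMIN))
```

Run it to see that `ana` holds all three permissions in every unit while `ben` holds them only in Sales and Support and none in the initial organization or Finance. The cap on Organization Administrators is enforced per distinct user, so re-assigning the role to someone who already holds it does not consume a slot.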
What are custom roles?
There are three predefined custom roles, plus two more that appear only for organizations that moved to Apple Business from another Apple program:
People Manager: Users assigned this role are responsible for specific organizational units. They can be assigned to any organizational unit, and by default, manage individuals and content.
Content Manager: Users assigned this role are responsible for volume purchasing at specific organizational units. They can be assigned to any organizational unit, and by default, manage licenses for apps and books.
Device Enrollment Manager: Users assigned this role help Organization Administrators and IT Administrators in Apple Business. By default, they manage devices and device management services.
Device API Manager: This custom role appears only when an Apple Business Manager or Apple Business Essentials organization moves to Apple Business with existing API accounts. See Create an API account.
Brand Manager: This custom role appears only when an Apple Business Connect organization moves to Apple Business with existing Brand Manager accounts.
Default role permissions
When you change permissions on a default role, all users who are assigned that role now have their default permissions updated. For example, if you remove the ability to use FaceTime and iMessage from the IT Administrator role, all users assigned that role will now be unable to use their Managed Apple Account with FaceTime and iMessage.
Custom role permissions example
When you edit a current custom role or create a new custom role, you can select from many different permissions in five different categories. For example, you could create a custom role with the name Device Configuration Manager that has only the following permissions:
| Permissions category | Example permission |
|---|---|
| Organization | Edit access to Apple services for Managed Apple Accounts and allowed apps for Sign in with Apple |
| People | Reset Managed Apple Account passwords |
| Devices | View device management services, manage default platform assignment, and add devices with Apple Configurator; view device configurations; create, edit, and delete device configurations; view Blueprints; manage Blueprints |
| Apps & Services | View Apps and Books; assign licenses for Apps and Books |
| Brands | No permissions |
Staff permissions
Users with the role of Staff have the following permissions on by default:
Download beta software, view program resources, and submit feedback
Use FaceTime
Use iMessage
Permission lists
To view tables of roles and their default permissions, select any of the following: