Intro to federated authentication with Apple School Manager
You can use federated authentication to link Apple School Manager to the following:
Google Workspace
Microsoft Entra ID
Your identity provider (IdP)
As a result, your users can leverage their Google Workspace, Microsoft Entra ID, or IdP user name (generally their email address) and password as a Managed Apple Account. They can then use those credentials to sign in to their assigned iPhone, iPad, Mac, Apple Vision Pro, and to Shared iPad. After they’ve signed in to one of those devices, they can then also sign in to iCloud on the web.
Note: You can link to Google Workspace, Microsoft Entra ID, or your IdP, but only one at a time.
To use federated authentication and syncing, your Apple devices must meet the following minimum operating system requirements:
iOS 15.5
iPadOS 15.5
macOS 12.4
visionOS 1.1
There are specific instances where you might use federated authentication:
Federated authentication only
Note: You must lock and turn on domain capture before you can federate. See Lock a domain.
When Apple School Manager and Google Workspace, Microsoft Entra ID, or your IdP are linked, Managed Apple Accounts are automatically created for users. They can then sign in using their existing user name (generally their email address) and password.
Federated authentication and directory syncing
You can also sync user accounts from Google Workspace, Microsoft Entra ID, or your IdP to Apple School Manager. When you set up a directory sync connection, you can add Apple School Manager properties (such as grade level and roles) to user account data imported from one of those services. The services’ user account information is added as read-only until you turn off syncing. At that time, the accounts become manual accounts, and attributes in these accounts can then be edited. If a user account is removed from one of those services, that user account can be removed from Apple School Manager. See the following:
Federated authentication with users from a Student Information System (SIS) or using files uploaded with SFTP
When you link to Google Workspace, Microsoft Entra ID, or your IdP, users simply sign in with their current email address, and Managed Apple Accounts are automatically created for them.
You then integrate your SIS or upload files with SFTP. All information, such as classes and rosters, are matched against users from Google Workspace, Microsoft Entra ID, or your IdP. If a user account is removed from Google Workspace, Microsoft Entra ID, or your IdP, that user account must be deactivated in Apple School Manager by an account with privileges to change the status of users.
Important: If you’re integrating with a Student Information System (SIS) or importing user accounts with Secure File Transfer Protocol (SFTP), and using federated authentication, the user’s email address in SIS must match their Google Workspace, Microsoft Entra ID, or your IdP user name that they already use to sign in.
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process varies depending on whether the user account already exists in Apple School Manager. To view the sign-in scenarios, see Sign in to Shared iPad.
The default passcode policy is standard (8 or more letters and numbers) and can be changed. See Password policy scenarios.
If the user forgets their passcode, you must reset the Shared iPad passcode.