
Customize user access to certain apps and services using Apple Business Manager
You may want users who sign in with a Managed Apple Account to access many Apple apps and services. With Apple Business Manager, you can choose what devices users can sign in to and which apps and services are available to them. For example, you can turn on access to specific iCloud features, specify which app data they can store in the cloud, and turn off access to FaceTime and iMessage.
Requirements
Some features require the following:
- iOS 17, iPadOS 17, macOS 14, visionOS 2, or later. 
- Support from your external device management service. Consult your device management service developer’s documentation to see whether they support these features. 
Important: If the requirements for the management state of a device change, a Managed Apple Account is automatically signed out of a device whose state doesn’t meet the new requirements.
Access to services using Managed Apple Accounts
Access to specific services may vary when using Managed Apple Accounts. See Service access with Managed Apple Accounts.
Choose what devices users can sign in to
You can choose what devices users can sign in to with their Managed Apple Account or their unmanaged (personal) Apple Account.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Next to “Allow Managed Apple Account on,” select one of the following:

| Option | Description |
|---|---|
| Any device (default) | The user can sign in on any device. |
| Managed devices only | The user can sign in on a device that is managed by a device management service that supports the Get Token endpoint. |
| Supervised devices only | The user can sign in on a device that is supervised (and managed) by a device management service that supports the Get Token endpoint. |

Choose which users can sign into devices
You can choose which users can sign into organization-owned devices. This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2, or later.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Next to “Apple Account on Organization Devices,” select one of the following:

| Option | Description |
|---|---|
| Any Apple Account | The user can sign in on any organization-owned device with their unmanaged (personal) Apple Account or their Managed Apple Account. |
| Managed Apple Account | The user can sign in on any organization-owned device with only their Managed Apple Account. |

- Read the confirmation dialog, then confirm or cancel your selection. 
Manage iCloud features and app access
You can customize any of the features below to meet the needs of your organization. This includes deciding what devices a user can sign in to with their Managed Apple Account.
Note: This feature requires iOS 17, iPadOS 17, macOS 14, or later, and support from your device management service.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select iCloud, then select what devices users can sign in to with their Managed Apple Account:

| Option | Description |
|---|---|
| Off | The user can’t store their data in iCloud. |
| Any device | The user can access their iCloud data on any device. |
| Managed devices only | The user can sign in on a device that is managed by a device management service that supports the Get Token endpoint. |
| Supervised devices only | The user can sign in on a device that is supervised (and managed) by a device management service that supports the Get Token endpoint. |

- Select Collaboration, then turn on the ability for users to collaborate on files created using Keynote, Numbers, and Pages, and whether to allow those files to be accepted automatically.

| Option | Description |
|---|---|
| Anyone (default) | Users can collaborate with any other users using an Apple Account. |
| Organization only | Users can collaborate with any other users using an Apple Account from the same Apple Business Manager organization. |
| Off | Users can’t share Keynote, Numbers, or Pages documents. |
| Auto Accept Files | Users can automatically accept invitations to collaborate on a shared document. Settings: Shared by anyone, Off. |

- Select iCloud from the top, then turn off access to the following iCloud features:

| Option | Description |
|---|---|
| iCloud Drive | Users can store data in iCloud Drive. (Requires iOS 17 and iPadOS 17) |
| Passcodes and Keychain | Users can store their passwords and passkeys in iCloud Keychain. |
| Access iCloud data on the web | Users can sign in to www.icloud.com from a Mac to access their data. |
| iCloud Backup | Users can use iCloud Backup to back up their devices. |

- Turn on access to allow storing app data in iCloud for the apps listed in the iCloud services table. 
Manage user access to FaceTime and iMessage
By default, users who sign in with a Managed Apple Account can access FaceTime and iMessage. You can modify that access.
| Option | Description | 
|---|---|
| FaceTime | FaceTime (both audio only and video) can be turned on, allowed with only other users in your organization, or anyone inside and outside of your organization. | 
| iMessage | iMessage can be turned on, allowed with only other users in your organization, or allowed with anyone inside and outside of your organization. Note: If iMessage is turned off, users can still send and receive SMS/MMS messages. | 
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select FaceTime, then turn it off or on. If you turn it on, select one of the following:
  - Anyone (default)
  - Organization only
- Select Apple Services from the top, select Messages, then turn it off or on. If you turn it on, select one of the following:
  - Anyone (default)
  - Organization only
Turn on user access to Apple Wallet
By default, users who sign in with a Managed Apple Account can’t access Apple Wallet. You can turn on their access so they can add employee badges, if allowed by their organization.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select Wallet, then turn on access to use Apple Wallet. 
Turn on user access to Apple Developer content
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select Developer, then do any of the following:
  - Turn on access to Apple Developer Program.
  - Turn on access to Xcode Cloud.
  - Turn on access to the MFi portal.
Turn on user access to AppleSeed for IT
AppleSeed for IT is designed specifically for enterprise and education customers committed to testing each new version of Apple beta software in their organizations. Organizations using Apple Business Manager can designate which account roles in their organization may participate. Participants then use their Managed Apple Account to access the program, and their feedback is associated with their organization.
By default, users who sign in with a Managed Apple Account can’t access AppleSeed for IT. You can modify that access.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select AppleSeed for IT, then turn on user access to the website. 
See Roles: Basic privileges and the AppleSeed for IT website.
Turn on user access to specific privacy and security features
You can turn on access to specific privacy and security features.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager.
- Select Access Management in the sidebar, then select Apple Services.
- Select Privacy & Security, then turn on access to any of the following:

| Option | Description |
|---|---|
| Data & Privacy Access | Allow users access to request a copy of their data. |
| User Account Lookup | Allow users the ability to look up other users’ contact information. See How to use User Account Lookup. |
| Automatic sign in on Apple Watch | Allow users to pair their Apple Watch with their iPhone without having to enter a password. |