
Review SCIM requirements for Apple School Manager
You can use the System for Cross-domain Identity Management (SCIM) to import users into Apple School Manager. Using this system, you merge Apple School Manager properties (such as classes and roles) over account data imported from Microsoft Azure Active Directory (Azure AD). When you use SCIM to import users, the account information is added as read-only in Apple School Manager until you disconnect from SCIM. At that time, the accounts become manual accounts and the attributes for these accounts can then be edited. The initial sync to Apple School Manager takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. See provisioning tips in the Microsoft Support article Configure SCIM provisioning for Microsoft Azure Active Directory.

Azure AD privileges
The following roles in Azure AD can use SCIM to sync accounts to Apple School Manager:
Application Administrator
Cloud Application Administrator
Application Owner
Global Administrator
See the Microsoft Support article Administrator role permissions in Azure Active Directory.
Multiple organisations
Apple School Manager doesn’t support multiple organisations using the same Azure AD tenant for SCIM. If you want to use SCIM for your organisation, contact your Azure AD administrator to ensure no other Apple School Manager organisation is using your Azure AD tenant for SCIM.
Azure AD groups
In Azure AD, both sync methods use the word Groups. Apple School Manager has no concept of groups. Only user accounts are synced. You can add Azure AD groups to the Apple School Manager Azure AD app. For example, if you have groups in Azure AD named Staff, Instructors and Students, you can add those three groups to the Apple School Manager Azure AD app. When you connect using SCIM, only accounts in those groups are synced to Apple School Manager.
Note: Subgroups aren’t supported in the Apple School Manager Azure AD app.
Provisioning scope
There are two ways you can sync accounts from Azure AD to Apple School Manager. When you sync users (regardless of method), any accounts that have a User Principal Name (UPN) identical to accounts that have a role of Administrator or Site Manager won’t sync. For those accounts, the source won’t change to SCIM.

Sync only assigned users and groups: This option syncs only the accounts that appear in the Apple School Manager Azure AD app to Apple School Manager. When using this method to sync, Azure AD accounts must have the role of user to sync to Apple School Manager.
Sync all users and groups: This option syncs all accounts (syncing groups isn’t supported) that appear in the Azure AD User tab to Apple School Manager and creates Managed Apple IDs for all federated Azure AD accounts, even if you intend to use only a specific number of accounts.
See the Microsoft Support articles Automate user provisioning and deprovisioning to applications with Azure AD and Attribute-based application provisioning with scoping filters.
Provisioning notifications
When you configure provisioning, you should use the email address of an Apple School Manager administrator, Site Manager or People Manager so they can receive notifications from Azure AD.
SCIM and federated authentication
If federation is already turned on when Azure AD accounts are sent to Apple School Manager, you won’t see an activity but accounts will still sync from the federated domain.
Azure AD is the Identity Provider (IdP) that authenticates the user for Apple School Manager and issues authentication tokens. Because Apple School Manager supports Azure AD, other IdPs that connect to Azure AD, like Active Directory Federation Services (ADFS), will also work with Apple School Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple School Manager to Azure AD.
Azure AD accounts and Apple School Manager roles
When an account is copied from Azure AD using SCIM to Apple School Manager, the default role is Student. After the sync is complete, the following user attributes can be edited:
Roles
Year level
Student Information System (SIS) username
These attributes are stored with the account in Apple School Manager and aren’t written back to Azure AD.
SCIM user attribute mapping
When an account is copied from Azure AD using SCIM to Apple School Manager, the following user attributes are stored as read-only. The table also denotes whether the user attribute is required.
Important: Adding attributes not listed in the table breaks the SCIM connection.
Azure AD user attribute | Apple School Manager user attribute | Required |
---|---|---|
First Name | First Name | Yes |
Last Name | Last Name | Yes |
User Principal Name | Managed Apple ID and email address | Yes |
Object ID | (Not shown in Apple School Manager. This attribute is used to identify conflicting accounts.) | Yes |
Department | Department | No |
Employee ID | Person Number | No |
Custom Attribute (must be created in the Apple School Manager Azure AD app) | Cost Centre | No |
Custom Attribute (must be created in the Apple School Manager Azure AD app) | Division | No |
When an Azure AD account is synced to Apple School Manager, a Person ID is created for the Apple School Manager account. Person ID and Object ID are used to identify conflicting accounts. See How a Person ID is used.
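A pre-sync check built from the mapping table above and the UPN rule under Provisioning scope, as an added example that is not Apple's or Microsoft's code. It uses the table's display labels as keys; the function names, the case-insensitive UPN comparison and the sample records are assumptions.

```python
# Added example. Rows from the page's table: Azure AD attribute -> (ASM attribute, required).
ALLOWED = {
    "First Name": ("First Name", True),
    "Last Name": ("Last Name", True),
    "User Principal Name": ("Managed Apple ID and email address", True),
    "Object ID": (None, True),  # not shown in Apple School Manager
    "Department": ("Department", False),
    "Employee ID": ("Person Number", False),
}
# Custom attributes created in the Azure AD app may only target these two fields.
CUSTOM_TARGETS = {"Cost Centre", "Division"}
REQUIRED = [src for src, (_, req) in ALLOWED.items() if req]


def check_mapping(mapping):
    """mapping: {azure_ad_attribute: asm_attribute}. Returns a list of problems."""
    problems = []
    for src, dst in mapping.items():
        listed = src in ALLOWED and ALLOWED[src][0] == dst
        if not listed and dst not in CUSTOM_TARGETS:
            problems.append(f"unlisted mapping {src!r} -> {dst!r}")
    problems += [f"required attribute {r!r} not mapped" for r in REQUIRED if r not in mapping]
    return problems


def check_users(users, privileged_upns):
    """Flag accounts missing required values or sharing a UPN with an Administrator/Site Manager."""
    privileged = {u.casefold() for u in privileged_upns}  # assumption: case-insensitive match
    report = {"missing_required": [], "wont_sync": []}
    for user in users:
        missing = [r for r in REQUIRED if not str(user.get(r) or "").strip()]
        if missing:
            report["missing_required"].append((user.get("Object ID"), missing))
        upn = str(user.get("User Principal Name") or "")
        if upn.casefold() in privileged:
            report["wont_sync"].append(upn)
    return report


# Constructed sample data, not real accounts or a real export format.
SAMPLE_MAPPING = {**{s: d for s, (d, _) in ALLOWED.items()}, "Job Title": "Title"}
SAMPLE_USERS = [
    {"First Name": "Ana", "Last Name": "Ruiz", "User Principal Name": "ana@example.edu", "Object ID": "0001"},
    {"First Name": "Lee", "Last Name": "", "User Principal Name": "lee@example.edu", "Object ID": "0002"},
    {"First Name": "Sam", "Last Name": "Oke", "User Principal Name": "Admin@example.edu", "Object ID": "0003"},
]
if __name__ == "__main__":
    print(check_mapping(SAMPLE_MAPPING))
    print(check_users(SAMPLE_USERS, ["admin@example.edu"]))
```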
Recommendations
You should use only the Apple School Manager Azure AD app when connecting with SCIM.
If you have a verified domain but haven’t turned on federated authentication, you should wait to turn on federation until after you’ve verified that the Azure AD accounts have been sent to Apple School Manager. Do this by reviewing the Azure AD provisioning logs. After verifying that the Azure AD accounts have been sent to Apple School Manager, when you turn on federation, you’ll be notified by an activity when Azure AD accounts are provisioned in Apple School Manager.
If you have a group configured in Azure AD, you can add that group to the Apple School Manager Azure AD app instead of adding each user.
Important: Don’t reuse a username for 120 days in the Apple School Manager Azure AD app.
Before you begin
Before you begin, you must do the following:
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Configure and verify the domain you want to use. See Link to new domains.
Configure (but don’t turn on) federated authentication. See Turn on and test federated authentication.
Note: If federated authentication is already turned on, you can still proceed. See the recommendations in the previous section.
Determine the type of syncing in Azure AD, and if necessary, create groups for syncing only assigned accounts to the Apple School Manager Azure AD app:
Sync only assigned users.
Sync all users.
Have an Azure AD administrator with permissions to edit enterprise applications standing by. When both of you are ready, see Use SCIM to import users.
Important: You have only four (4) calendar days to complete the token transfer to Azure AD and successfully establish a connection, or you must begin the process again.