Intro to roles and privileges in Apple Business Manager
Every Apple Business Manager user has one or more roles that define what the user can do. Certain roles can manage other roles. For example, a user with the role of Administrator can manage a user that has the role of any Manager or Staff.
Users with the role of Administrator or People Manager cannot sign in using federated authentication; they can only manage the federation process.
In addition, each role consists of a set of privileges, which affect all users that have that role. Staff roles have very limited privileges, Manager roles have more, and users with the role of Administrator have the most.
role | Can manage the following other roles |
---|---|
Administrator | Other Administrators People Manager Device Enrolment Manager Content Manager Staff |
People Manager | Other People Managers Device Enrolment Manager Content Manager Staff |
Device Enrolment Manager | None |
Content Manager | None |
Staff | None |
Edit a role’s privileges
In Apple Business Manager , sign in as a user that has the role of Administrator.
Select Access Management in the sidebar, then select Roles .
Select a role, select Edit, then do one of the following:
To remove a privilege from a role, deselect its checkbox, then select Save.
To add a privilege, select its checkbox, then select Save.
Basic privileges
Manage basic privileges as shown in the table below.
Basic privilege | Administrator | People Manager | Device Enrolment Manager | Content Manager |
---|---|---|---|---|
Accept terms and conditions | Always on | Always off | Always off | Always off |
Edit role privileges | Always on | Always on | Always off | Always off |
Add Apple Customer Numbers and Reseller Numbers | Always on | Always off | Always off | Always off |
Set tax status information | Always on | Always off | Always off | Always off |
Configure federated authentication | Always on | Always on | Always off | Always off |
Create, edit and delete locations | Always on | Always on | Always off | Always off |
Set default Managed Apple Account user name formats | Always on | Always on | Always off | Always off |
Administer AppleSeed for IT | On by default | Off by default | Always off | Always off |
Participate in AppleSeed for IT | On by default | On by default | On by default | On by default |
Use managed devices | Always on | Always on | Always on | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on | Always on | Always on | Always on |
Use managed apps and books | Always on | Always on | Always on | Always on |
For more information on AppleSeed for IT, see the AppleSeed for IT website.
People privileges
Manage people privileges as shown in the table below.
People privilege | Administrator | People Manager | Device Enrolment Manager | Content Manager |
---|---|---|---|---|
Create, edit and delete Managed Apple Accounts | Always on | Always on | Always off | Always off |
Assign roles to users | Always on | Always on | Always off | Always off |
Change account status of users | Always on | Always on | Always off | Always off |
Reset passwords for users | Always on | Always on | Always off | Always off |
Create, edit and delete user groups | Always on | Always on | Always off | Always off |
Use FaceTime | Off by default | Off by default | Off by default | Off by default |
Use iMessage | Off by default | Off by default | Off by default | Off by default |
Device privileges
Manage device privileges, as shown in the table below.
Device privilege | Administrator | People Manager | Device Enrolment Manager | Content Manager |
---|---|---|---|---|
Manage MDM servers | Always on | Always off | Always on | Always off |
Add, assign and unassign devices to MDM servers | Always on | Always off | Always on | Always off |
Assign devices to organisation | Always on | Always off | Always on | Always off |
Turn off Activation Lock | Always on | Always off | On by default | Always off |
Release devices | Always on | Always off | On by default | Always off |
Content privileges
Configure content settings, as shown in the table below.
Note: Any role that can buy apps and books can view payment information.
Content privilege | Administrator | People Manager | Device Enrolment Manager | Content Manager |
---|---|---|---|---|
View Apps and Books | Always on | Always off | Always off | Always on |
Buy apps and books | Always on | Always off | Always off | Always on |
Reassign licences for apps | Always on | Always off | Always off | Always on |
Hold unassigned licences for apps and books | Always on | Always off | Always off | Always on |
Staff privileges
Configure staff privileges, as shown in the table below.
Staff privilege | Access | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Use managed devices | Always on | ||||||||||
Sign in to iCloud.com with a Managed Apple Account | Always on | ||||||||||
Use managed apps and books | Always on | ||||||||||
Participate in AppleSeed for IT | On by default | ||||||||||
Use FaceTime | Off by default | ||||||||||
Use iMessage | Off by default |