
Glossary
- Apple Account
A personal account people use to access Apple services like the App Store, iCloud, iMessage, FaceTime, the Apple Online Store and more. It includes the information necessary to sign in, as well as all the contact, payment and security details that Apple services require. (A personal Apple Account is also known as an unmanaged Apple Account.) See also Managed Apple Account.
- Apple Business Manager
Apple Business Manager is a simple, web-based portal for IT administrators that works with your third-party device management service so that you can easily buy content in volume, link to your identity provider (IdP) and add devices, whether your organisation uses iPhone, iPad, Mac, Apple TV, Apple Watch or Apple Vision Pro.
- Apple Customer Number
The account number (or numbers) that Apple assigns to your organisation to purchase Apple hardware or software. It’s required to verify your organisation’s eligibility for certain programmes. If you don’t know the numbers, contact your purchasing agent, finance department or Apple account team. This number isn’t the same as your GSX account number.
- Apple School Manager
Apple School Manager is a simple, web-based portal for IT administrators that works with your third-party device management service so that you can easily buy content in volume, link to your Student Information System (SIS) and add devices, whether your organisation uses iPhone, iPad, Mac, Apple TV, Apple Watch or Apple Vision Pro.
- authentication
Retrieving a credential from an authority after providing an assertion that proves your identity.
- authorisation
Retrieving a token from an authority after performing authentication by providing an assertion that proves your identity.
- backup
A copy of important data that includes information such as the layout of the Home Screen, app data (such as Safari bookmarks and Calendar events), anything you can set in Settings on the device (including restrictions, certificates and some account types), contacts, and the Camera Roll (but not photo albums). Backups don’t include apps or media that you might usually sync using the Finder (macOS 10.15 or later), using iTunes (macOS 10.14 or earlier), or by storing in iCloud or iCloud Drive. A backup of an unsupervised device is identical to and interchangeable with a Finder or iTunes backup, and you can restore it only to an unsupervised device. Similarly, you can restore the backup of a supervised device only to another supervised device.
- Bootstrap token
A device management-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token helps with granting a secure token to both mobile accounts and to the optional device enrolment–created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts.
- configuration profile
An XML file (ending in .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. A device management service can create these files, or you can create them manually or with Apple Configurator for Mac.
- D-U-N-S Number
A nine-digit identifier that Dun & Bradstreet (D&B) assigns to each business in its database. Apple cross-checks programme enrollees with the D&B database. For more information on how to obtain a D-U-N-S number for your business, see Welcome to D&B Support.
- device management service
A service that lets an administrator securely and remotely configure devices by sending configurations, profiles and commands to the device, whether the user owns the device or the organisation owns it. Capabilities include updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. Users can enrol their own devices in a device management service, and organisations can automatically enrol organisation-owned devices using Apple School Manager or Apple Business Manager.
- duplicates
In device management, two or more identical payloads. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting. Two or more specific payloads can’t be active for a device or user; the payload needs to be single.
- enrolment methods
The three main methods of device enrolment in a device management service: User Enrolment, Device Enrolment and Automated Device Enrolment.
- eSIM (embedded-SIM)
A software-based SIM in Apple Watch Series 3 or later; in iPhone XR, iPhone XS, iPhone XS Max, or later; and in every iPad released since the third-generation iPad Pro. See also SIM card (Subscriber Identity Module).
- federated authentication
The process of using an account’s username and password from one directory system and allowing use of the same username and password in other systems.
- identity
You can freely distribute certificates but you need to keep identities secure. You use the freely distributed certificate and its public key for encryption processes that you can only decrypt with the matching private key. The system stores the private key part of an identity in a PKCS12 (.p12) file that it encrypts with another key that requires a passphrase.
- Identity federation
The establishment of trust between identity providers across security domains.
- local account pairing
A way to enforce smart card authentication for Mac computers on local accounts.
- machine-based enforcement (MBE)
An implementation that removes the option for password-based authentication in favour of smart card–only authentication for any account accessible by a Mac. Compare user-based enforcement (UBE).
- Managed Apple Account
An account that a business or educational institution creates, owns and manages to allow users to access Apple services. These are separate from unmanaged Apple Accounts users create for themselves. (An unmanaged Apple Account is also known as a personal Apple Account.) See also Apple Account.
- operating system and channel
You can use device management payloads on specific operating systems and for Shared iPad and Mac. Because Shared iPad and Mac can have more than one user, you can apply a payload to the device channel (all users) or a user channel (specific users).
- Organisation ID
Your unique identifier in Apple School Manager or Apple Business Manager. When you give a participating Apple Authorised Reseller or network provider your Organisation ID and you add that reseller’s Reseller Number to your account profile, you authorise that reseller to submit devices you purchase through them to Apple so their serial numbers can appear in Apple School Manager or Apple Business Manager.
- payload
At least one managed setting. Some settings, such as LDAP, can have more than one payload. Use payloads to administer increased network security, user authentication, Wi-Fi authentication, VPN policy settings, mail settings and more. See also settings.
- personal identity verification (PIV) card
A type of smart card technology for two-factor authentication, digital signing and encryption. The built-in support for smart cards in macOS is based on the CryptoTokenKit framework.
- Reseller Number
A unique identifier for each Apple Authorised Reseller or network provider that participates in Apple School Manager or Apple Business Manager. When you add a participating Apple Authorised Reseller’s or network provider’s Reseller Number to your account profile and you give that reseller your Organisation ID, you authorise that reseller to submit devices you purchase through them to Apple so their serial numbers can appear in Apple School Manager or Apple Business Manager.
- secure token
A macOS feature that addresses the implementation of encryption keys, including when the system generates them and how it stores them. Specifically, a secure token is a wrapped version of a key encryption key (KEK) protected by a user’s password.
- settings
In the context of device management, unique identifiers apply to specific apps, features or connectivity functions, such as Exchange, passcodes, VPN, Wi-Fi, proxies and so forth. For example, the name of a Wi-Fi network or information about how to authenticate to an Exchange server might be a setting. After you enter settings for a given app, feature or connectivity function, they become a payload. See also payload.
- Shared iPad
Use the Shared iPad feature to let multiple students use the same iPad in a classroom. In this way, learning experiences can be personal even though the devices are shared. Not only are transitions from class to class greatly simplified, but they also save time. It’s easier to pick up where students left off and automatically save student work. When using Shared iPad with Classroom, intelligent caching helps accelerate student sign-ins by returning students to the iPad they were previously using.
- SIM card (Subscriber Identity Module)
A universal integrated circuit card (UICC) for identifying and authenticating subscribers on mobile devices. See also eSIM (embedded-SIM).
- single sign-on
A process in which a user provides authentication and authorisation information once and receives a ticket to access resources for as long as the ticket is valid (usually 10 hours).
- supplier
The entity you purchase eligible devices from. If you purchase the device directly from Apple using a purchase order (PO), you enter your Apple Customer Number as your supplier using the Apple (Direct) option. If you purchase your device through a participating Apple Authorised Reseller or network provider, then you add them as a supplier to your account by entering their Reseller Number, using the Reseller option. You add each supplier to your account only once.
- user-approved device management enrolment
In macOS 10.13.2 or later, user-approved device management enrolment grants a device management service’s software additional privileges. As of macOS 11, it’s no longer possible to install profiles using the command line, so the user approves all new enrolments. User-approved device management enrolment is different from User Enrolment.
- user-based enforcement (UBE)
An implementation that creates an exception to smart card–only authentication for specific users or groups of users. This option disables all password-based authentication. Compare machine-based enforcement (MBE).