Managed Apple IDs for Apple devices
Like any Apple ID, Managed Apple IDs can be used on dedicated or shared devices to access specific Apple services — including Shared iPad, iCloud and collaboration with iWork and Notes — and to access and use Apple School Manager, Apple Business Manager and Apple Business Essentials. Managed Apple IDs don’t support Family Sharing.
In Apple School Manager, Managed Apple IDs are owned and managed by the educational institution and are designed to meet the needs of education organisations — including password resets, limitations on communications and role-based administration. Apple School Manager makes it easy to create a unique Managed Apple ID for each person in bulk.
In Apple Business Manager and Apple Business Essentials, Managed Apple IDs are owned and managed by the organisation — including password resets and role-based administration. Apple Business Manager and Apple Business Essentials make it easy to create a unique Managed Apple ID for each person in bulk.
To view the certifications Apple maintains in compliance with the ISO 27001 and 27018 standards for Managed Apple IDs, see Apple internet services security certifications in Apple Platform Certifications.
How Managed Apple IDs are created
Managed Apple IDs are created after you:
Apple School Manager only: Import accounts from your Student Information System (SIS)
Apple School Manager only: Import .csv files using the Secure File Transfer Protocol (SFTP)
Import users from Google Workspace
Use federated authentication with an identity provider (IdP), Google Workspace or Microsoft Entra ID
Use OpenID Connect (OIDC) to import users from an IdP
Use the System for Cross-domain Identity Management (SCIM) to import users from an IdP or Microsoft Entra ID
Create accounts manually
Important: Keep in mind that every Managed Apple ID must be unique. It also can’t conflict with other Apple IDs that other users may already have.
Sign in with Apple at Work & School
Sign in with Apple at Work & School is a feature that adds support for Managed Apple IDs to sign in with Apple. Employees, instructors and students can sign in with their Managed Apple IDs to access apps and websites that support Sign in with Apple. Administrators, Site Managers (Apple School Manager only) and People Managers can control which apps can be used with Sign in with Apple. To use Sign in with Apple at Work & School, Apple devices must be using iOS 16, iPadOS 16.1 or macOS 13, or later.
To learn more, see the WWDC22 video Discover Sign in with Apple at Work & School.
Passkeys with Managed Apple IDs
Passkeys are designed to provide a passwordless sign-in experience that is both convenient and secure. They are a standards-based technology that can resist phishing, are always strong and have no shared secrets.
With iCloud Keychain support for Managed Apple IDs, organisations can deploy passkeys to allow employees to access corporate resources and make sure passkeys securely sync to all their iPhone, iPad and Mac devices. Using access management functionality, they can also define the required management state of a device to allow access to the managed passkeys.
A declarative passkey attestation configuration allows a managed device to provide an attestation when a passkey gets provisioned for an organisational service. The attestation is provided when a user registers a passkey for a website or app using a domain specified in the configuration. After the device has securely generated a passkey, it uses the certificate identity defined in the configuration to perform a WebAuthn attestation with the accessed service. This allows the service to verify that the passkey was created on a device managed by the organisation before provisioning access.
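On the service side, part of verifying such a registration is confirming that the WebAuthn authenticator data is bound to one of the organisation's domains and carries a newly attested credential. The Python below is an added example, not Apple's code: the domain names and sample bytes are constructed, and validating the attestation statement's certificate chain against the organisation's certificate authority is assumed to be a separate step.

```python
import hashlib
import struct

# Constructed RP IDs standing in for the domains listed in the configuration.
ALLOWED_RP_IDS = {"sso.example.org", "vpn.example.org"}
FLAG_UP, FLAG_AT = 0x01, 0x40  # user present, attested credential data included

def parse_auth_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticator data into its fixed-layout fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    fields = {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
        fields["aaguid"] = auth_data[37:53]
        fields["credential_id"] = cred_id
    return fields

def registration_precheck(auth_data: bytes, allowed=ALLOWED_RP_IDS) -> str:
    """Return the matched RP ID, or raise ValueError to reject the registration."""
    fields = parse_auth_data(auth_data)
    matched = None
    for rp_id in allowed:
        # The authenticator commits to the RP ID as SHA-256(rp_id).
        if hashlib.sha256(rp_id.encode()).digest() == fields["rp_id_hash"]:
            matched = rp_id
    if matched is None:
        raise ValueError("rpIdHash matches none of the configured domains")
    if not fields["flags"] & FLAG_UP:
        raise ValueError("user-present flag not set")
    if "credential_id" not in fields:
        raise ValueError("registration carries no attested credential data")
    return matched

def build_sample(rp_id: str, flags: int = FLAG_UP | FLAG_AT) -> bytes:
    """Constructed authenticator data for the demo; the COSE public key is omitted."""
    data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 0)
    if flags & FLAG_AT:
        data += bytes(16) + struct.pack(">H", 16) + bytes(range(16))
    return data

if __name__ == "__main__":
    print(registration_precheck(build_sample("sso.example.org")))
```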
The generated passkeys get automatically stored in the iCloud Keychain associated with the Managed Apple ID. When no Managed Apple ID is present, the passkey can’t be created.
To provide a simple sign-in flow to the user, app developers can make use of associated domains to establish a secure association between domains and their app (and optionally allow a configuration of associated domains via MDM). If this is available, iOS, iPadOS and macOS can automatically select and provide the correct passkey for a seamless sign-in experience. If authentication is being performed by a third-party service, ASWebAuthenticationSession can be used instead.
For more information, see Passkey Attestation declarative configuration.