Intro to roles and privileges in Apple School Manager
Every Apple School Manager user has one or more roles that define what the user can do. Certain roles can manage other roles. For example, a user that has the role of Instructor can act on a user that has the role of Student. In this way, an instructor can change a student’s passcode.
Users with the role of Administrator, Site Manager or People Manager cannot sign in using federated authentication; they can only manage the federation process.
In addition, each role consists of a set of privileges, which affect all users that have that role. Student roles have very limited privileges, Instructor Manager roles have more, and users with the role of Administrator have the most. To edit roles, you need to have the appropriate privileges. You cannot add a privilege that you do not have yourself.
Important: If an account with a role of Administrator, Manager or Instructor is also assigned a Student role, they will be unable to purchase content.
Role | Can act on the following other roles |
|---|---|
| Other Administrators Site Manager People Manager Device Enrolment Manager Content Manager Manager Staff Instructor Student |
| Other Site Managers People Manager Device Enrolment Manager Content Manager Manager Staff Instructor Student |
| Other People Managers Site Manager Device Enrolment Manager Content Manager Manager Staff Instructor Student |
| None |
| None |
| Staff Instructor Student |
| None |
| Student |
| None |
Administrator
Site Manager
People Manager
Device Enrolment Manager
Content Manager
Manager
Staff
Instructor
StudentEdit a role’s privileges
In Apple School Manager
, sign in as a user that has the role of Administrator.Tap Access Management
in the sidebar, then tap Roles 
.Select a role, tap the Edit button
, then do one of the following:To remove a privilege from a role, deselect its tickbox, then tap Save.
To add a privilege, select its tickbox, then tap Save.
Basic privileges
Manage basic privileges as shown in the table below.
Basic privilege | Administrator | Site Manager | People Manager | Device Enrolment Manager | Content Manager | Manager |
|---|---|---|---|---|---|---|
Accept terms and conditions | Always on | Always off | Always off | Always off | Always off | Always off |
Edit privileges for other roles | Always on | Always on | Always on | Always off | Always off | Always off |
Add Apple Customer Numbers and Reseller Numbers | Always on | Always off | Always off | Always off | Always off | Always off |
Set tax status information | Always on | Always off | Always off | Always off | Always off | Always off |
Create, edit and delete locations | Always on | Always on | Always on | Always off | Always off | Always off |
Configure SIS information | Always on | Always on | Always on | Always off | Always off | Always off |
Set the default password policy for new students | Always on | Always on | Always on | Always off | Always off | Always off |
Use managed devices | Always on | Always on | Always on | Always on | Always on | Always on |
Sign in to iCloud.com with a Managed Apple ID | Always on | Always on | Always on | Always on | Always on | Always on |
Use managed apps and books | Always on | Always on | Always on | Always on | Always on | Always on |
Administer AppleSeed for IT | Always on | Off by default | Off by default | Always off | Always off | Always off |
Participate in AppleSeed for IT | Always on | On by default | On by default | On by default | On by default | On by default |
For more information on AppleSeed for IT, see the AppleSeed for IT website.
People privileges
Manage people privileges as shown in the table below.
People privilege | Administrator | Site Manager | People Manager | Device Enrolment Manager | Content Manager | Manager |
|---|---|---|---|---|---|---|
Create, edit and delete Managed Apple IDs | Always on | On by default | On by default | Always off | Always off | On by default |
Assign roles to users | Always on | On by default | On by default | Always off | Always off | On by default |
Change students’ password policies | Always on | On by default | On by default | Always off | Always off | On by default |
Change account status of users | Always on | On by default | On by default | Always off | Always off | On by default |
Inspect user accounts | Always on | On by default | On by default | Always off | Always off | On by default |
View account inspection log | Always on | On by default | On by default | Always off | Always off | On by default |
Create, edit and delete classes | Always on | On by default | On by default | Always off | Always off | On by default |
Reset passwords for users | Always on | On by default | On by default | Always off | Always off | On by default |
Generate verification codes | Always on | On by default | On by default | Always off | Always off | On by default |
Device privileges
Manage device privileges, as shown in the table below.
Device privilege | Administrator | Site Manager | People Manager | Device Enrolment Manager | Content Manager | Manager |
|---|---|---|---|---|---|---|
Manage MDM servers | Always on | Always on | Always off | Always on | Always off | Always off |
Add, assign and remove devices | Always on | Always on | Always off | Always on | Always off | Always off |
Assign devices to organisation | Always on | Always on | Always off | Always on | Always off | Always off |
Release devices | Always on | Always on | Always off | On by default | Always off | Always off |
Content privileges
Configure content settings, as shown in the table below.
Content privilege | Administrator | Site Manager | People Manager | Device Enrolment Manager | Content Manager | Manager |
|---|---|---|---|---|---|---|
View Apps and Books | Always on | On by default | Always off | Always off | Always on | Off by default |
Purchase apps and books | Always on | On by default | Always off | Always off | Always on | On by default |
Reassign licences for apps | Always on | On by default | Always off | Always off | Always on | On by default |
Hold unassigned licences for apps and books | Always on | On by default | Always off | Always off | Always on | On by default |
Staff privileges
Configure staff privileges, as shown in the table below.
Staff privilege | Access | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Use managed devices | Always on | ||||||||||
Sign in to iCloud.com with a Managed Apple ID | Always on | ||||||||||
Use managed apps and books | Always on | ||||||||||
Participate in AppleSeed for IT | On by default | ||||||||||
Instructor privileges
Configure instructor privileges, as shown in the table below.
Instructor privilege | Access | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Change the password policy for students | On by default | ||||||||||
Reset passwords for students and generate verification codes for students | On by default | ||||||||||
Change the account status of students | On by default | ||||||||||
Create, edit and delete classes | On by default | ||||||||||
Create, edit and delete Managed Apple IDs | Off by default | ||||||||||
Assign roles to individuals | Off by default | ||||||||||
Inspect student accounts and view account inspection log | Off by default | ||||||||||
View Apps and Books | Off by default | ||||||||||
Purchase apps and books | Off by default | ||||||||||
Reassign licences for apps and books and hold unassigned licences for apps and books | Off by default | ||||||||||
View Student Progress dashboard | Always on | ||||||||||
Use managed devices | Always on | ||||||||||
Sign in to iCloud.com with a Managed Apple ID | Always on | ||||||||||
Use managed apps and books | Always on | ||||||||||
Participate in AppleSeed for IT | On by default | ||||||||||
Student privileges
Configure student privileges, as shown in the table below.
Student privilege | Student | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Use managed devices | Always on | ||||||||||
Sign in to iCloud.com with a Managed Apple ID | Always on | ||||||||||
Use managed apps and books | Always on | ||||||||||
Participate in AppleSeed for IT | Always off | ||||||||||