Create Managed Apple IDs in Apple School Manager
Recommended Managed Apple ID structure
A Managed Apple ID should be different from a user’s personal or work email address to help avoid confusion and possible conflicts with an existing Apple ID. Managed Apple IDs also can’t be more than 128 characters.
A unique username to the left-hand side of the at sign (@).
You can use information from the user’s Student Information System (SIS) account, such as an email address or other account name, as the unique username. You can also create a unique username from their names, initials or ID numbers. If two users end up with the same username, Apple School Manager will add a number to differentiate them.
For example, scottmiller1@ would be the unique username.
Text immediately to the right-hand side of the @ sign.
Apple recommends using “appleid.” as the text for all accounts.
For example, scottmiller1@appleid. would be the beginning of the full Managed Apple ID.
The domain of your school.
For example, a fully complete Managed Apple ID would be firstname.lastname@example.org.
Important: This should be your institution’s registered domain name. Do not use a domain name you created, because this can cause all created Managed Apple IDs to fail.
Be sure you use the same formula for all Managed Apple IDs in your institution.
Note: Managed Apple IDs cannot contain more than 256 characters.
Create Managed Apple IDs from existing email addresses
Managed Apple IDs do not have to be different from user email addresses. If everybody in your institution has an email address and those addresses have never been used for the Device Enrolment Programme, Volume Purchase Programme or personal iTunes or iCloud accounts, then you can choose to create Managed Apple IDs using those email addresses.
Important: If you choose to use existing email addresses for Managed Apple IDs, the user will have to remember two passwords — the original one that is associated with their email address, and the one associated with their Managed Apple ID.
Managed Apple IDs, Roles and passwords
When you create each account, you assign a role that defines the privileges for that account. If you are importing from your Student Information System (SIS), the individual doing the import automatically assigns roles.
You can define password policies for each account, and it is easiest to assign them per role. Student role accounts can have a simpler four or six-digit passcode. Instructor, Staff, Manager, and Administrator accounts must have strong passwords consisting of at least eight characters.
Managed Apple ID password complexity
When you add a user to Apple School Manager, you set a password complexity level for that user. That complexity level dictates which Lock screen appears when a user signs in with Shared iPad. A four- or six-digit passcode shows only digits on the screen. A complex password shows the full keyboard. When the user signs in with their Managed Apple ID and their initial password, they are prompted to change their password using the level of complexity you initially set in Apple School Manager.
If you add Profile Manager as one of your mobile device management (MDM) servers to Apple School Manager, you have the option of merging any users in Apple School Manager to Profile Manager. When you do this, those users appear in the Profile Manager users list. After they appear, you can view their Managed Apple ID password type in the About tab. See Merge Apple School Manager accounts in the macOS Server User Guide.
Important: If you set the Lock screen behaviour to a four- or six-digit passcode and the Apple School Manager setting for that user is set to a complex password, that user must manually enter their Managed Apple ID and password.
Inspect Managed Apple IDs
Institutions can comply with legal and privacy regulations by using Managed Apple ID inspection. Administrator, manager and instructor accounts can be granted inspection privileges for specific accounts. Inspectors can monitor only accounts that are below them in the school’s hierarchy. For example, instructors can monitor students, and administrators can inspect managers, instructors, and students.
To inspect an account, an authorised user must create special inspection credentials within Apple School Manager for a specific Managed Apple ID. These credentials can be used only to access that Managed Apple ID, and they expire after 7 days. During that period, the inspector can access the user’s content stored in iCloud Drive or in CloudKit-enabled apps. Every request for access is logged in Apple School Manager. Logs show the inspector’s name, the Managed Apple ID in question, the time of the request and whether or not the inspection was performed. All users with inspection privileges can search these logs, which discourages misuse of inspections.
Create Managed Apple IDs
In Apple School Manager , tap your name in the top right-hand corner, then choose Setup Assistant.
Tap Add next to Create Accounts and Classes in Setup Assistant.
Tap Change Settings to view the options for the Managed Apple ID. They are:
Domain: this option is everything to the right of ”@appleid.” in the Managed Apple ID.
Include “appleid.” in the domain: this option prevents potential conflicts by prepending “appleid.” to the existing domain name.
Select your settings for each group, then tap Save Format to close the format window and return to Setup Assistant.
Tap Preview Accounts and Classes to view all the proposed Managed Apple IDs for the selected groups.
If the Managed Apple IDs are approved, tap Create Managed Apple IDs to begin the process.
You can view progress in Setup Assistant.
Tap Skip Setup Assistant.
You can also edit the default Managed Apple ID formats within the Settings for your Location.