
Customise user access to apps and services using Apple Business
Overview
You may want users who sign in with a Managed Apple Account to access many Apple apps and services. With Apple Business, you can choose what devices users can sign in to and which apps and services are available to them. For example, you can turn on access to specific iCloud features, specify which app data they can store in the cloud and turn off access to FaceTime and iMessage.
Access to specific services may vary when using Managed Apple Accounts. See Service access with Managed Apple Accounts.
Important: In case requirements for the management state of a device are changed, a Managed Apple Account is automatically signed out of a device if the device state does not meet the new requirements.
Choose what devices users can sign in to
You can choose what devices users can sign in to with their Managed Apple Account or their unmanaged (personal) Apple Account.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2 or later. The device management service also needs to support Get Token. For more information, see Support access management for Managed Apple Accounts on the Apple Developer website.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Next to “Allow Managed Apple Account on,” select one of the following:
Option
Description
Any device (default)
The user can sign in on any device.
Managed devices only
The user can sign in on a device that is managed by a device management service that supports the Get Token endpoint.
Supervised devices only
The user can sign in on a device that is supervised (and managed) by a device management service that supports the Get Token endpoint.
Choose which users can sign into devices
You can choose which users can sign in to organisation-owned devices. This restricts only new sign-in attempts. Accounts already signed in are unaffected.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2 or later.
Note: To learn more about what the user sees when they attempt to sign in with an unmanaged Apple Account on their device after you’ve changed their access to “Managed Accounts Only”, see the Apple Support article If you can’t sign in to your device with your personal Apple Account.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Next to “Apple Account on Organisation Devices,” select one of the following:
Option
Description
Any Apple Account (default)
The user can sign in on any organisation-owned device with their unmanaged (personal) Apple Account or their Managed Apple Account.
Managed Apple Account Only
The user can sign in on any organisation-owned device with only their Managed Apple Account.
Read the confirmation dialogue, then confirm or cancel your selection.
Manage iCloud features and app access
You can customise any of the features below to meet the needs of your organisation. This includes deciding what devices a user can sign in to with their Managed Apple Account.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2 or later. The device management service also needs to support Get Token. For more information, see Support access management for Managed Apple Accounts on the Apple Developer website.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select iCloud, then from the top, choose what devices users can sign in to with their Managed Apple Account:
Option
Description
Off
The user cannot store their data in iCloud.
Any device (default)
The user can access their iCloud data on any device.
Managed devices only
The user can sign in on a device that is managed by a device management service that supports the Get Token endpoint.
Supervised devices only
The user can sign in on a device that is supervised (and managed) by a device management service that supports the Get Token endpoint.
Select Collaboration, then turn on the ability for users to collaborate on files created using Keynote, Numbers and Pages, and choose whether to allow those files to be accepted automatically.
Option
Description
Anyone (default)
Users can collaborate with any other users using an Apple Account.
Organisation only
Users can collaborate with any other users using an Apple Account from the same Apple Business Manager organisation.
Off
Users cannot share Keynote, Pages or Numbers documents.
Auto Accept Files
Users can automatically accept invitations to collaborate on a shared document.
Shared by anyone
Off (default)
Select iCloud from the top, then turn off access to the following iCloud features:
Option
Description
iCloud Drive (On by default)
Users can store data in iCloud Drive.
Passwords and Keychain (On by default)
Users can store their passwords and passkeys in iCloud Keychain.
Access iCloud data on the web (On by default)
Users can sign in to www.icloud.com from a Mac to access their data.
iCloud Backup (On by default)
Users can use iCloud Backup to back up their devices.
Select iCloud from the top, then manage access to the following apps that use iCloud:
App name or service
Description

Contacts
Can be shared to other devices signed in with the same Managed Apple Account.

Freeform
Can be shared to other devices signed in with the same Managed Apple Account.

iCloud Calendar
Can be shared to other devices signed in with the same Managed Apple Account. (Off by default)

Image Playground history
Can be shared to other devices signed in with the same Managed Apple Account.

Messages in iCloud
Can be shared to other devices signed in with the same Managed Apple Account. (Only if turned on.)

News
Can be shared to other devices signed in with the same Managed Apple Account.

Notes
Can be shared to other devices signed in with the same Managed Apple Account, but users cannot share to “Anyone with the link”.

Phone and FaceTime
Users can use the Phone app and FaceTime app.

Photos
Can be shared to other devices signed in with the same Managed Apple Account.

Reminders
Can be shared to other devices signed in with the same Managed Apple Account.

Safari
Can be shared to other devices signed in with the same Managed Apple Account.

Siri
Siri can be used.

Stocks
Can be shared to other devices signed in with the same Managed Apple Account.
Turn on access to allow storing app data in iCloud for the apps listed in the iCloud services table.
Manage user access to iMessage
By default, users who sign in with a Managed Apple Account can access iMessage, and you can allow iMessage with only other users in your organisation or with anyone inside and outside of your organisation.
Note: If iMessage is turned off, users can still send and receive SMS/MMS messages.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select Messages. If it’s turned on, select one of the following:
Anyone (default)
Organisation only
Manage user access to FaceTime
By default, users who sign in with a Managed Apple Account can access FaceTime (both audio only and video), and you can allow FaceTime with only other users in your organisation or with anyone inside and outside of your organisation.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select FaceTime. If it’s turned on, select one of the following:
Anyone (default)
Organisation only
Turn on user access to Apple Wallet
By default, users who sign in with a Managed Apple Account cannot access Apple Wallet. You can turn on their access so they can add employee badges, if allowed by your organisation.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select Wallet, then turn on access to use Apple Wallet.
Turn on user access to Apple Developer content
You can turn on access to allow users to sign up for the Apple Developer Programme.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select Developer, then do any of the following:
Turn on access to Apple Developer Programme.
Turn on access to Xcode Cloud.
Turn on access to the MFi portal.
Turn on user access to AppleSeed for IT
AppleSeed for IT is designed specifically for enterprise and education customers committed to testing each new version of Apple beta software in their organisations. Organisations using Apple Business can designate which account roles in their organisation may participate. Participants then use their Managed Apple Account to access the programme and their feedback is associated with their organisation.
By default, users who sign in with a Managed Apple Account cannot access AppleSeed for IT. You can modify that access. See Participate in beta features.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select AppleSeed for IT, then turn on user access to the website.
Turn on user access to specific privacy and security features
You can turn on access to specific privacy and security features.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Apple Services.
Select Privacy & Security, then turn on access to any of the following:
Option
Description
Data & Privacy Access (On by default)
Allow users access to request a copy of their data.
User Account Lookup (On by default)
Allow users to look up other users’ contact information. See How to use User Account Lookup.
Automatic sign-in on Apple Watch (On by default)
Allow users to pair their Apple Watch with their iPhone without having to enter a password.