Intro to Apple identity services
Apple provides your organization with various identity services, to help you manage passwords and user names securely—both across your workplace and in the cloud. Apple uses security measures like authentication, authorization, and identity federation, so that individual users can access their favorite apps and other resources without, for example, the additional hardship of setting up user names and passwords for each one.
Below is an overview of the key identity service methods—authentication, authorization, and identity federation—along with examples of how Apple uses them in identity services.
Authentication and associated Apple services
The first step in a security process is authentication. Authentication verifies the identity of the user to make sure it’s legitimate.
Apple uses many methods of authentication. With single sign-on and Apple services such as a personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime, users communicate securely, create documents online, and back up their personal data—all without compromising their organization’s data. Each service uses its own security architecture. In this way, Apple ensures secure handling of data (whether it’s on an Apple device or in transit over a wireless network), protects users’ personal information, and defends against malicious or unauthorized access to information and services. In addition, Apple has a built-in mobile device management (MDM) solution framework that supports MDM solutions to restrict and manage access to specific services on Apple devices.
Authorization and associated Apple services
Whereas authentication proves who you are, authorization defines what users are allowed to do. For authorization to work, you provide a user’s name and password to an identity provider (IdP). In conceptual terms, the IdP is the “authority,” the user name and password is the “assertion” (because that person “asserts” their identity), and the data a user receives after successfully signing in is the “token.”
Apple employs many types of tokens, and many types of assertions. Some assertions that can be used include certificates, smart cards, and other multifactor devices.
Identity federation is the process of establishing trust between IdPs across security domains, so users can then move freely between systems while maintaining security. For identity federation to work, administrators must set up domains that trust each other, and they must agree on a single method to identify users.
A common example of identity federation is using your enterprise account to sign in to an IdP. For example, to help streamline the creation of Managed Apple IDs for an organization, Apple has enabled federation between Google Workspace and Microsoft Azure Active Directory (Azure AD) and Apple School Manager, Apple Business Manager, or Apple Business Essentials. Users can then use their existing Google Workspace or Azure AD accounts to sign in to iCloud or to sign in on Apple devices associated with Apple School Manager, Apple Business Manager, or Apple Business Essentials. If a user isn’t challenged to assert their identity again, then federation is performed using single sign-on or a Kerberos Single Sign-on extension.