Intro to roles and privileges in Apple Business Essentials
Every Apple Business Essentials user has one or more roles that define what the user can do. Certain roles can manage other roles. For example, a user with the role of Administrator can manage a user that has the role of any Manager or Staff.
Users with the role of Administrator or People Manager can’t sign in using federated authentication; they can only manage the federation process.
In addition, each role consists of a set of privileges, which affect all users that have that role. Staff roles have very limited privileges, Manager roles have more, and users with the role of Administrators have the most.
Role | Can manage the following other roles |
---|---|
Administrator | Other Administrators People Manager Device Enrollment Manager Content Manager Staff |
People Manager | Other People Managers Device Enrollment Manager Content Manager Staff |
Device Enrollment Manager | None |
Content Manager | None |
Staff | None |
Edit a role’s privileges
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select Access Management in the sidebar, then select Roles .
Select a role, select Edit, then do one of the following:
To remove a privilege from a role, deselect its checkbox, then select Save.
To add a privilege, select its checkbox, then select Save.
Basic privileges
Manage basic privileges as shown in the table below.
Basic privilege | Administrator | People Manager | Device Enrollment Manager | Content Manager |
---|---|---|---|---|
Accept terms and conditions | Always on | Always off | Always off | Always off |
Edit role privileges | Always on | Always on | Always off | Always off |
Add Apple Customer Numbers and Reseller Numbers | Always on | Always off | Always off | Always off |
Set tax status information | Always on | Always off | Always off | Always off |
Configure federated authentication | Always on | Always on | Always off | Always off |
Create, edit, and delete locations | Always on | Always on | Always off | Always off |
Set default Managed Apple Account user name formats | Always on | Always on | Always off | Always off |
Administer AppleSeed for IT | On by default | Off by default | Always off | Always off |
Participate in AppleSeed for IT | On by default | On by default | On by default | On by default |
Use managed devices | Always on | Always on | Always on | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on | Always on | Always on | Always on |
Use managed apps and books | Always on | Always on | Always on | Always on |
For more information on AppleSeed for IT, see the AppleSeed for IT website.
People privileges
Manage people privileges as shown in the table below.
People privilege | Administrator | People Manager | Device Enrollment Manager | Content Manager |
---|---|---|---|---|
Create, edit, and delete Managed Apple Accounts | Always on | Always on | Always off | Always off |
Assign roles to users | Always on | Always on | Always off | Always off |
Change account status of users | Always on | Always on | Always off | Always off |
Reset passwords for users | Always on | Always on | Always off | Always off |
Create, edit, and delete user groups | Always on | Always on | Always off | Always off |
Use FaceTime | Off by default | Off by default | Off by default | Off by default |
Use iMessage | Off by default | Off by default | Off by default | Off by default |
Subscription privileges
Configure plans, as shown in the table below.
Subscription privilege | Administrator | People Manager | Device Enrollment Manager | Content Manager |
---|---|---|---|---|
Create, edit, and delete subscription | Always on | Always off | Always off | Always off |
Device privileges
Manage device privileges, as shown in the table below.
Device privilege | Administrator | People Manager | Device Enrollment Manager | Content Manager |
---|---|---|---|---|
Manage MDM servers | Always on | Always off | Always on | Always off |
Add, assign, and unassign devices to MDM servers | Always on | Always off | Always on | Always off |
Assign devices to organization | Always on | Always off | Always on | Always off |
Turn off Activation Lock | Always on | Always off | On by default | Always off |
Release devices | Always on | Always off | On by default | Always off |
Perform device actions | Always on | Always off | Always off | Always off |
Manage Settings | Always on | Always off | Always off | Always off |
Manage Collections | Always on | Always off | Always off | Always off |
Manage repair requests | Always on | Always off | Always off | Always off |
Content privileges
Configure content settings, as shown in the table below.
Note: Any role that can buy apps and books can view payment information.
Content privilege | Administrator | People Manager | Device Enrollment Manager | Content Manager |
---|---|---|---|---|
View apps and books | Always on | Always off | Always off | Always on |
Buy apps and books | Always on | Always off | Always off | Always on |
Reassign licenses for apps | Always on | Always off | Always off | Always on |
Hold unassigned licenses for apps and books | Always on | Always off | Always off | Always on |
Staff privileges
Configure staff privileges, as shown in the table below.
Staff privilege | Access | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Use managed devices | Always on | ||||||||||
Sign in to iCloud.com with a Managed Apple Account | Always on | ||||||||||
Use managed apps and books | Always on | ||||||||||
Participate in AppleSeed for IT | On by default | ||||||||||
Use FaceTime | Off by default | ||||||||||
Use iMessage | Off by default |