Intro to federated authentication with Apple School Manager
You use federated authentication to link Apple School Manager to the following:
Google Workspace
Microsoft Entra ID
Your identity provider (IdP)
As a result, your users can leverage their Google Workspace, Microsoft Entra ID, or IdP user names (User Principal Name) and passwords as Managed Apple IDs. They can then use those credentials to sign in to their assigned iPhone, iPad, or Mac, and even to iCloud on the web.
Note: You can link to Google Workspace, Microsoft Entra ID, or your IdP, but only one at a time.
To use federated authentication, your Apple devices must meet the following operating system requirements:
Usage | Minimum supported operating system
---|---
Federated authentication with Microsoft Entra ID | iOS 11.3, iPadOS 13.1, macOS 10.13.4
Federated authentication with Google Workspace | iOS 15.5, iPadOS 15.5, macOS 12.4
Federated authentication with your identity provider | iOS 15.5, iPadOS 15.5, macOS 12.4
There are specific instances where you might use federated authentication:
Federated authentication only
When Apple School Manager and Google Workspace, Microsoft Entra ID, or your IdP are linked, Managed Apple IDs are automatically created for users. They can then sign in using their existing user name (generally their email address) and password. If a user is removed from one of those services, that user can be removed from Apple School Manager.
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process varies depending on whether the user already exists in Apple School Manager. To view the sign-in scenarios, see Sign in to Shared iPad.
The default passcode policy is standard (8 or more letters and numbers) and can be changed. See Password policy scenarios.
If the user forgets their passcode, you must reset the Shared iPad passcode.
Federated authentication with users from SIS or SFTP
When you link to Google Workspace, Microsoft Entra ID, or your IdP, Managed Apple IDs are automatically created for users, and they simply sign in with their current email address as their Managed Apple ID.
You then link to your SIS or upload files with SFTP. All information, such as classes and rosters, is matched against users from Google Workspace, Microsoft Entra ID, or your IdP. If a user is removed from Google Workspace, Microsoft Entra ID, or your IdP, that user must be deactivated in Apple School Manager by an account with privileges to change the status of users.
Important: If you’re connecting to a Student Information System (SIS) or importing users with Secure File Transfer Protocol (SFTP), and using federated authentication, the user’s email address in SIS must match their Google Workspace, Microsoft Entra ID, or your IdP user name that they already use to sign in.
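Because SIS and SFTP roster data is matched to federated users by email address, a pre-import check that compares the SIS extract against the IdP user names catches mismatches before they turn into duplicate or unmatched accounts. The script below is an added example, not Apple's code or any Apple School Manager API; the IdP user list, the SIS column names, and the sample rows are constructed for illustration, and case-only differences are reported separately rather than assumed to match.

```python
"""Pre-import check: do SIS roster emails match federated IdP user names (UPNs)?

Added example, not Apple's code. The IdP export and the SIS CSV below are
constructed sample data; real column names depend on your SIS and IdP.
"""
import csv
import io

# Constructed IdP export: user principal names exactly as the IdP stores them.
IDP_UPNS = {
    "Ana.Lopez@example.edu",
    "ben.park@example.edu",
    "cara.wu@example.edu",
}

# Constructed SIS roster extract. Column names are hypothetical.
SIS_CSV = """person_id,first_name,last_name,email
1001,Ana,Lopez,ana.lopez@example.edu
1002,Ben,Park,ben.park@students.example.edu
1003,Cara,Wu,cara.wu@example.edu
1004,Dan,Ito,dan.ito@example.edu
"""


def normalize(address: str) -> str:
    """Trim whitespace and case-fold so case-only differences can be detected."""
    return address.strip().casefold()


def check_roster(sis_csv: str, idp_upns: set) -> dict:
    """Classify each SIS row as an exact match, a case-only mismatch, or unmatched.

    Only exact matches are certain to line up with the federated Managed Apple ID;
    case-only and unmatched rows need fixing in the SIS (or IdP) before import.
    """
    folded_index = {normalize(u): u for u in idp_upns}
    report = {"exact": [], "case_only": [], "unmatched": []}
    for row in csv.DictReader(io.StringIO(sis_csv)):
        email = row["email"].strip()
        if email in idp_upns:
            report["exact"].append(row["person_id"])
        elif normalize(email) in folded_index:
            report["case_only"].append((row["person_id"], email, folded_index[normalize(email)]))
        else:
            # Different domain (1002) or no IdP account at all (1004).
            report["unmatched"].append((row["person_id"], email))
    return report


if __name__ == "__main__":
    for category, rows in check_roster(SIS_CSV, IDP_UPNS).items():
        print(f"{category}: {rows}")
```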