
Intro to Managed Apple Accounts
Managed Apple Accounts function much like unmanaged Apple Accounts but are designed for, owned by, and managed by an organization to help increase the productivity of employees and provide the services users may need. These accounts are separate from unmanaged (personal) Apple Accounts users create for themselves. This separation keeps organizational data separate from personal data and gives the organization robust management controls.
They also provide access to iCloud and collaboration with iWork, Notes, and Reminders, as well as collaboration tools, such as Messages, FaceTime, Continuity features, iCloud Keychain, Apple Wallet, and more. Managed Apple Accounts are required for Shared iPad.
An unmanaged Apple Account gives users access to all iCloud services, whereas a Managed Apple Account doesn’t include access to all iCloud services. Because a Managed Apple Account is created and owned by an organization, the organization can manage access to the iCloud services available with a Managed Apple Account.
A Managed Apple Account doesn’t allow purchases in the App Store, iTunes Store, and Book Store because the organization purchases and distributes content. A Managed Apple Account doesn’t store Health data, and limits use of the Wallet app. Find My can’t be used with a Managed Apple Account because an organization uses Managed Lost Mode with their device management service to manage lost or stolen iPhone and iPad devices.
Apple School Manager and Apple Business Manager make it easy for organizations to create and manage these accounts at scale. Accounts can be created manually, or by importing account data, and password management can be handled in Apple School Manager and Apple Business Manager.
Because Apple School Manager and Apple Business Manager integrate with your existing environment, you can provide Managed Apple Accounts to users using their existing organization credentials—for example, Google Workspace, Microsoft Entra ID, or your identity provider (IdP). You can then sync user accounts.
When an organization connects their Apple School Manager or Apple Business Manager to their IdP, password changes are handled in the organization’s IdP. When an organization manually creates Managed Apple Accounts in Apple School Manager or Apple Business Manager, password changes are handled in Apple School Manager or Apple Business Manager.
A Managed Apple Account is used when users enroll their user-owned devices in an organization’s device management service using account-driven User Enrollment, or when enrolling previously deployed organizationally owned devices, using account-driven Device Enrollment. Enrollment with these enrollment types begins when a user signs in to their Managed Apple Account.
After enrollment, an organization’s device management service can manage an enrolled device’s app installations, configuration profiles, security and compliance settings, restrictions, Wi-Fi settings, email accounts, and more.
User Enrollment provides more autonomy for users on their own devices, while increasing the security of enterprise data by cryptographically separating managed data. This provides a balance of security, privacy, and user experience for user-owned devices. A similar data separation mechanism exists for account-driven Device Enrollment.
Users who enroll personal devices into an organization’s device management service can unenroll at any time by signing out of their Managed Apple Account, or removing the enrollment profile. If a device is unenrolled, organizational configurations, data, and apps are removed.
Understanding differences between a Managed Apple Account and an unmanaged Apple Account can help you troubleshoot potential issues and determine whether users’ questions relate to their device and its use, or management by the organization’s device management service.
The following table lists some differences between a Managed Apple Account and an unmanaged Apple Account:
| Feature or service | Managed Apple Account | Unmanaged Apple Account |
|---|---|---|
| Create the account | Apple School Manager or Apple Business Manager user with required role. | User |
| Manage the account | Apple School Manager or Apple Business Manager user with required role. | User |
| Secure devices | Device management service secures supervised devices. | Find My |
| Health, Siri | Can’t be shared to other devices signed in with the same Managed Apple Account. | Shared across devices |
| Home | The app appears, but the user can’t add HomeKit devices to the Home app. | Shared across devices |
| iCloud+ services (Private Relay, Hide My Email, Custom Email Domain) | Can’t use these features. | Full access |
| Apple Wallet | The app appears, but organizations can add only student ID cards and employee badges. | Full access |
For a complete list of services that are available to a Managed Apple Account, see Service access with Managed Apple Accounts in the Apple School Manager User Guide or Service access with Managed Apple Accounts in the Apple Business Manager User Guide.
Managed Apple Account and unmanaged Apple Account on the same device
A user-owned device enrolled using account-driven User Enrollment can be signed into both an unmanaged Apple Account and a Managed Apple Account. Managed data is stored in a separate, cryptographically protected volume from user data, allowing the organization to manage and control its data. This provides a better balance of security, privacy, and user experience.
If permitted by the organization in its Apple School Manager or Apple Business Manager, users can sign in to an unmanaged Apple Account on an organizationally owned device; however, with a device management service, the organization can manage the user’s ability to use services such as Find My, Activation Lock, and iCloud Drive, as well as available features in many services and apps.
In Apple School Manager or Apple Business Manager, an organization can allow Managed Apple Accounts on any device, managed devices only, or supervised devices only.
If permitted by the organization in its Apple School Manager or Apple Business Manager, a user can sign in to a Managed Apple Account on a user-owned device. A device management service can manage a device enrolled using account-driven User Enrollment with app installations, configuration profiles, security and compliance settings, restrictions, Wi-Fi settings, email accounts, and more. Apps that the organization assigns are integrated with the Managed Apple Account using encryption keys and stored in a separate, cryptographically protected volume. The device management administrator can manage services and apps for the organization, but has no visibility or control over the user’s personal data.
The user can also sign in to an unmanaged Apple Account and has full control over their iCloud services and data, like Safari bookmarks, browsing history, personal data, and Health app data. Users can use features like iCloud Photos, Messages, and Find My for personal content. The organization can’t see or manage a user’s personal data stored with their unmanaged Apple Account.
Should the device be lost or stolen, or the user leave the organization, the device management administrator can delete organizational data using the device management service. The removal of organizational management, data, and apps happens in a similar way to a user unenrolling their device from management. The encryption keys securing the organizational volume are destroyed and data is rendered cryptographically inaccessible.
If a user can’t reset their password for their Managed Apple Account or unmanaged Apple Account
What to look for:
User reports repeated password prompts.
Password reset attempts don’t work.
Uncertainty about whether the account is a Managed Apple Account or unmanaged Apple Account.
What’s happening:
Password management depends on the type of Apple Account:
Managed Apple Accounts: Passwords are handled in Apple School Manager or Apple Business Manager if created manually, or in the organization’s IdP if federated (such as Microsoft Entra ID or Google Workspace).
Unmanaged Apple Accounts: Users reset their own password at iforgot.apple.com.
Steps to take:
Confirm account type: Verify if the user is signing in with a Managed Apple Account or an unmanaged Apple Account.
For Managed Apple Accounts:
If federated with an IdP, direct the user to reset their password in accordance with organizational policy.
If manually created, reset the password in Apple School Manager or Apple Business Manager.
For unmanaged Apple Accounts: Direct the user to reset their password at iforgot.apple.com.
If a user can’t use services as expected
What to look for:
User reports missing services (for example, Health, iCloud Mail, Family Sharing, or iCloud Photos).
iMessage or FaceTime may be restricted or only allow communication with organizational contacts.
User reports they can’t use a feature available with their unmanaged Apple Account.
What’s happening:
Managed Apple Accounts provide access to a specific set of iCloud and Apple services. Some services, like Find My, iCloud Mail, Family Sharing, and iTunes Store, aren’t available. Organizations can optionally apply restrictions to services like iMessage, FaceTime, and iCloud Drive.
Steps to take:
Confirm account type: Verify if the user is signed in with a Managed Apple Account or an unmanaged Apple Account.
Review service availability: Check Service access with Managed Apple Accounts in Apple School Manager or Apple Business Manager.
Clarify differences: Explain that some services are unavailable in a Managed Apple Account.
Check organizational policies: Confirm if restrictions on communication or iCloud services are enforced by the device management service and Apple School Manager or Apple Business Manager.