
Intro to directory syncing with Apple School Manager
Directory syncing helps to keep the data in Apple School Manager up to date with your identity provider (IdP). Using directory sync, Apple School Manager is automatically informed by your IdP and can update its information when the following occurs:
A new user account is created
User account information is changed
A user account is deleted
You can use OpenID Connect (OIDC) with Apple School Manager to sync user accounts from the following (but only one at a time):
Google Workspace
Microsoft Entra ID
Your IdP
Some IdPs can also use System for Cross-domain Identity Management (SCIM).
Before you begin
Before you sync to Google Workspace, Microsoft Entra ID, or your IdP, consider the following:
Syncing user groups isn’t supported.
The initial sync takes longer to perform than subsequent cycles do. Consult your IdP’s documentation to learn how often they sync users.
Requirements
If necessary, manually verify a domain. See Add and verify a domain.
You need to turn on federated authentication. See Intro to federated authentication.
Have an administrator available who has permissions to edit Google Workspace, Microsoft Entra ID, or another IdP’s settings.
Disconnect from your Student Information System (SIS) or stop uploads using SFTP.
Apple School Manager requires that the attribute used for the Managed Apple Account be unique. This is normally the user’s email address. If a user has an attribute that’s exactly the same as an existing Apple School Manager user with the role of Administrator, no syncing is performed and the source field remains unchanged.
When you configure the initial connection, you need to use the email address of a user with the role of Administrator, Site Manager, or People Manager so they can receive notifications from Google Workspace, Microsoft Entra ID, or another IdP you’re syncing with.
IdP-specific requirements
When linking to Microsoft Entra ID:
To use OIDC with Apple School Manager, your organization can’t have the same Microsoft Entra ID tenant as any other Apple School Manager organization. If you want to use OIDC for your organization, contact your Microsoft Entra ID Global Administrator to ensure that no other organization is using your Entra ID tenant for OIDC.
If a user account has a User Principal Name (UPN) that is exactly the same as an existing user account that has the role of Administrator, Site Manager, or People Manager, no syncing is performed and the source field remains unchanged. This occurs regardless of the sync method originally used (SIS or SFTP).
When linking to an IdP that’s not Google Workspace or Microsoft Entra ID, have the following information:
Unique identifier field for users: The value of this attribute is normally the email address of the user. This is used to create the user’s Managed Apple Account. For example, it may be userName.
Authentication method: SAML 2.0.
Authentication mode: OAuth 2.
Single sign-on URL: Consult your IdP’s documentation.
Authorization callback URL: Consult your IdP’s documentation.
Automatic changes
Account creation
When directory sync is configured, user accounts are synced to Apple School Manager and assigned the role of Student. The synced account information is added as read-only, but the Roles, Grade Level, and Student Information System (SIS) user name attributes of a user account can be edited. These attributes are stored with the user account in Apple School Manager and aren’t written back to Google Workspace, Microsoft Entra ID, or your IdP.
Note: File uploads to Apple School Manager using SFTP don’t support automatic syncing.
When federated authentication is turned off, accounts become manual accounts, and attributes in these accounts (such as user names) can then be edited.
Account modification
Directory sync monitors changes to the synced attributes and automatically updates them in Apple School Manager. The interval at which those changes are synced depends on the IdP.
Account removal
When a user account is removed in Google Workspace, Microsoft Entra ID, or your IdP, the corresponding account in Apple School Manager is deactivated and flagged for deletion. A deactivated account is signed out of devices and can’t be signed back in. Unless the account is synced again within the next 120 days, it automatically gets removed.
About the Person ID
When a user account is first synced to Apple School Manager using OIDC or SIS, a Person ID is automatically generated for that user account so that conflicting accounts can be identified.
Important: The Person ID isn’t automatically generated for user accounts imported using SFTP because those IDs are created in the .csv files that are uploaded to Apple School Manager. If you disconnect from Google Workspace, Microsoft Entra ID, or your IdP and upload users again, new users are created unless the Person ID in the .csv files matches the Person ID assigned during the initial directory sync. See Upload Student Information System data.
If you modify the Person ID in Apple School Manager for a user account previously synced, that user account is no longer paired with Google Workspace, Microsoft Entra ID, or your IdP. If you want to reconnect the user account, you need to resolve the Person ID conflict.
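The identifier-conflict rule from the Requirements and IdP-specific requirements sections, the deactivation rule from Account removal, and the Person ID pairing rule above can be checked before sync is turned on. The following pre-flight script is an added example, not Apple’s code or any Apple School Manager API: it assumes a plain export of existing accounts (with the source labels shown) and a list of IdP identifiers, and treats existing accounts that aren’t in a protected role as candidates for update, which the page doesn’t state explicitly.

```python
# Added pre-flight model of the sync rules on this page (not Apple's code):
# checks an IdP user list against existing Apple School Manager accounts.
from dataclasses import dataclass

# Existing accounts with these roles block a sync on an identifier collision
# (the Microsoft Entra ID rule above; the general rule names Administrator only).
PROTECTED_ROLES = {"Administrator", "Site Manager", "People Manager"}

@dataclass
class Account:
    identifier: str  # email address or UPN used for the Managed Apple Account
    role: str
    source: str      # assumed labels: "Manual", "SIS", "SFTP", "Directory Sync"
    person_id: str

def plan_sync(existing, idp_identifiers):
    """Classify IdP users as create/update/conflict and find stale synced accounts."""
    by_id = {a.identifier: a for a in existing}  # page says "exactly the same"
    plan = {"create": [], "update": [], "conflict": [], "deactivate": []}
    for ident in idp_identifiers:
        acct = by_id.get(ident)
        if acct is None:
            plan["create"].append(ident)    # new account, assigned the Student role
        elif acct.role in PROTECTED_ROLES:
            plan["conflict"].append(ident)  # no sync performed; source field unchanged
        else:
            plan["update"].append(ident)    # assumption: other existing accounts are updated
    present = set(idp_identifiers)
    for acct in existing:  # removed in the IdP: deactivated, removed after 120 days
        if acct.source == "Directory Sync" and acct.identifier not in present:
            plan["deactivate"].append(acct.identifier)
    return plan

def csv_reupload_outcome(existing, csv_rows):
    """After disconnecting sync, a .csv row pairs with an existing account only
    if its person_id matches the one assigned by the initial directory sync."""
    known = {a.person_id for a in existing}
    paired = [r["identifier"] for r in csv_rows if r["person_id"] in known]
    created = [r["identifier"] for r in csv_rows if r["person_id"] not in known]
    return paired, created

# Constructed sample: two synced students and a manually created administrator.
EXISTING = [
    Account("alice@school.example", "Student", "Directory Sync", "P-1001"),
    Account("bob@school.example", "Student", "Directory Sync", "P-1002"),
    Account("admin@school.example", "Administrator", "Manual", "P-0001"),
]
IDP_USERS = ["alice@school.example", "carol@school.example", "admin@school.example"]
```

Running plan_sync(EXISTING, IDP_USERS) on the sample shows the administrator collision as a conflict and Bob, who is no longer in the IdP, as the account that would be deactivated.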