
Customize user access to apps and services using Apple Business
Overview
You may want users who sign in with a Managed Apple Account to access many Apple apps and services. With Apple Business, you can choose what devices users can sign in to and which apps and services are available to them. For example, you can turn on access to specific iCloud features, specify which app data they can store in the cloud, and turn off access to FaceTime and iMessage. You can also configure Sign in with Apple for users. See Use Sign in with Apple.
Access to specific services may vary when using Managed Apple Accounts. See Service access with Managed Apple Accounts.
Important: If the requirements for the management state of a device change, a Managed Apple Account is automatically signed out of any device whose state doesn’t meet the new requirements.
Choose what devices users can sign in to
You can choose what devices users can sign in to with their Managed Apple Account or their unmanaged (personal) Apple Account.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2, or later. The device management service also needs to support Get Token. For more information, see Support access management for Managed Apple Accounts on the Apple Developer website.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Next to “Allow Managed Apple Account on,” select one of the following:
Option
Description
Any device (default)
The user can sign in on any device.
Managed devices only
The user can sign in on a device that’s managed by a device management service that supports the Get Token endpoint.
Supervised devices only
The user can sign in on a device that’s supervised (and managed) by a device management service that supports the Get Token endpoint.
Choose which users can sign in to devices
You can choose which users can sign in to organization-owned devices. This restricts only new sign-in attempts. Accounts already signed in are unaffected.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2, or later.
Note: To learn more about what the user sees when they attempt to sign in with an unmanaged Apple Account on their device after you changed their access to “Managed Apple Account Only,” see the Apple Support article If you can’t sign in to your device with your personal Apple Account.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Next to “Apple Account on Organization Devices,” select one of the following:
Option
Description
Any Apple Account (default)
The user can sign in on any organization-owned device with their unmanaged (personal) Apple Account or their Managed Apple Account.
Managed Apple Account Only
The user can sign in on any organization-owned device with only their Managed Apple Account.
Read the confirmation dialog, then confirm or cancel your selection.
Manage iCloud features and app access
You can customize any of the features below to meet the needs of your organization. By default, most iCloud features are on. Review each setting and remove access to services that fall outside your organization’s security or compliance posture.
Requirements
This feature requires iOS 17, iPadOS 17, macOS 14, visionOS 2, or later. The device management service also needs to support Get Token. For more information, see Support access management for Managed Apple Accounts on the Apple Developer website.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select iCloud, then from the top, choose what devices users can sign in to with their Managed Apple Account:
Option
Description
Off
The user can’t store their data in iCloud.
Any device (default)
The user can access their iCloud data on any device.
Managed devices only
The user can sign in on a device that’s managed by a device management service that supports the Get Token endpoint.
Supervised devices only
The user can sign in on a device that’s supervised (and managed) by a device management service that supports the Get Token endpoint.
Select Collaboration, then manage the ability for users to collaborate on files created using Keynote, Pages, and Numbers, and whether to allow those files to be accepted automatically.
Option
Description
Anyone (default)
Users can collaborate with any other users using an Apple Account.
Organization only
Users can collaborate with any other users using an Apple Account from the same Apple Business organization.
Off
Users can’t share Keynote, Pages, or Numbers documents.
Auto Accept Files
Users can automatically accept invitations to collaborate on a shared document.
Shared by anyone
Off (default)
Select iCloud from the top, then manage access to the following iCloud features:
Option
Description
iCloud Drive (On by default)
Users can store data in iCloud Drive.
Passwords and Keychain (On by default)
Users can store their passwords and passkeys in iCloud Keychain.
Access iCloud data on the web (On by default)
Users can sign in to www.icloud.com from a Mac to access their data.
iCloud Backup (On by default)
Users can use iCloud Backup to back up their devices.
Select iCloud from the top, then manage access to the following apps that use iCloud:
App name or service
Description

Contacts
Can be shared to other devices signed in with the same Managed Apple Account.

Freeform
Can be shared to other devices signed in with the same Managed Apple Account.

iCloud Calendar
Can be shared to other devices signed in with the same Managed Apple Account. (Off by default)

Image Playground history
Can be shared to other devices signed in with the same Managed Apple Account.

Messages in iCloud
Can be shared to other devices signed in with the same Managed Apple Account.
(Only if turned on.)

News
Can be shared to other devices signed in with the same Managed Apple Account.

Notes
Can be shared to other devices signed in with the same Managed Apple Account, but users can’t share to “Anyone with the link.”

Phone and FaceTime
Users can use the Phone app and FaceTime app.

Photos
Can be shared to other devices signed in with the same Managed Apple Account.

Reminders
Can be shared to other devices signed in with the same Managed Apple Account.

Safari
Can be shared to other devices signed in with the same Managed Apple Account.

Siri
Siri can be used.

Stocks
Can be shared to other devices signed in with the same Managed Apple Account.
Turn on access to allow storing app data in iCloud for the apps listed in the iCloud services table.
Manage user access to iMessage
By default, users who sign in with a Managed Apple Account can access iMessage. You can allow iMessage with only other users in your organization, or with anyone inside and outside of your organization.
Note: If iMessage is turned off, users can still send and receive SMS/MMS messages.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select Messages. If it’s turned on, select one of the following:
Anyone (default)
Organization only
Manage user access to FaceTime
By default, users who sign in with a Managed Apple Account can access FaceTime (both audio only and video). You can allow FaceTime with only other users in your organization, or with anyone inside and outside of your organization.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select FaceTime. If it’s turned on, select one of the following:
Anyone (default)
Organization only
Turn on user access to Apple Wallet
By default, users who sign in with a Managed Apple Account can’t access Apple Wallet. You can turn on their access so they can add employee badges, if allowed by your organization.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select Wallet, then manage access to use Apple Wallet.
Turn on user access to Apple Developer content
You can turn on access to allow users to sign up for the Apple Developer Program.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select Developer, then do any of the following:
Turn on access to Apple Developer Program.
Turn on access to Xcode Cloud.
Turn on access to the MFi portal.
Turn on user access to AppleSeed for IT
AppleSeed for IT is designed specifically for enterprise and education customers committed to testing each new version of Apple beta software in their organizations. Organizations using Apple Business can designate which account roles in their organization may participate. Participants then use their Managed Apple Account to access the program, and their feedback is associated with their organization.
By default, users who sign in with a Managed Apple Account can’t access AppleSeed for IT. You can modify that access. See Participate in beta features.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select AppleSeed for IT, then manage user access to the website.
Turn on user access to specific privacy and security features
You can turn on access to specific privacy and security features.
In Apple Business, sign in with a user whose role has permissions to edit access to Apple services for Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Settings > Access Management > Apple Services.
Select Privacy & Security, then manage access to any of the following:
Option
Description
Data & Privacy Access (On by default)
Allow users access to request a copy of their data.
User Account Lookup (On by default)
Allow users to look up other users’ contact information. See User Account Lookup in Apple Business.
Automatic sign-in on Apple Watch (On by default)
Allow users to pair their Apple Watch with their iPhone without having to enter a password.