Managed Apple Account security
Managed Apple Accounts function much like an Apple Account but are owned and controlled by enterprise or educational organizations. These organizations can reset passwords and turn off communications such as FaceTime and iMessage, and set up role-based permissions for employees, staff members, teachers, and students.
For Managed Apple Accounts, some services aren’t available (for example, Find My, Health, and HomeKit).
Access management for Managed Apple Accounts
Organizations can use access management available in Apple Business Manager and Apple School Manager to define where Managed Apple Accounts can be used and what services are available to them.
With access management, you can define whether users can sign in with a Managed Apple Account on any device, on managed devices only, or on managed and supervised devices only. Also, administrators can configure whether users are allowed to sign in to iCloud on the web. This allows organizations to use the management state of the device as a factor to decide if access to organizational data should be granted.
Additionally, administrators can define what iCloud services are available to their users. This includes defining access to Apple Developer Programs and the AppleSeed for IT beta program, and determining whether users are allowed to access the Apple Privacy portal at privacy.apple.com.
Managed Apple Accounts also support collaboration on documents using Keynote, Numbers, Pages, Reminders, and Notes as well as communication using FaceTime and iMessage. For those services, organizations can define whether users can collaborate with anyone or just with accounts created within the same Apple School Manager or Apple Business Manager organization.
If access management rules change, they are reflected on devices the user is signed in to with their Managed Apple Account. If requirements for the management state of a device are changed, a Managed Apple Account is automatically signed out of a device if the device state doesn’t meet the new requirements.
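The following is an added illustration, not Apple's code, of how the device management state described above acts as an access factor: a sign-in rule (any device, managed only, or managed and supervised only) is compared against a device's state, and when the rule tightens, every signed-in session that no longer satisfies it is signed out. The enum names, the `Session` type and the `reevaluate_sessions` function are hypothetical modelling choices, and the sessions are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class DeviceState(IntEnum):
    """Management state of a device. Supervised devices are also managed,
    so the ordering lets a simple comparison express 'at least this state'."""
    UNMANAGED = 0
    MANAGED = 1
    SUPERVISED = 2


class SignInRule(IntEnum):
    """Minimum device state required for a Managed Apple Account sign-in
    (hypothetical names; these mirror the three options described in the text)."""
    ANY_DEVICE = 0
    MANAGED_ONLY = 1
    MANAGED_AND_SUPERVISED_ONLY = 2


@dataclass(frozen=True)
class AccessPolicy:
    sign_in_rule: SignInRule
    allow_icloud_web: bool  # whether sign-in to iCloud on the web is permitted


@dataclass(frozen=True)
class Session:
    account: str
    device_id: str
    state: DeviceState
    is_web: bool = False


def sign_in_allowed(policy: AccessPolicy, state: DeviceState, is_web: bool = False) -> bool:
    """A device satisfies the rule when its state is at least the required state.
    Web sessions have no device state, so they are governed by the web flag only."""
    if is_web:
        return policy.allow_icloud_web
    return state >= policy.sign_in_rule


def reevaluate_sessions(sessions: list[Session], new_policy: AccessPolicy) -> tuple[list[Session], list[Session]]:
    """Apply a changed policy to existing sessions.

    Returns (kept, signed_out): sessions that still satisfy the policy and
    sessions that must be signed out because the device no longer qualifies."""
    kept, signed_out = [], []
    for s in sessions:
        if sign_in_allowed(new_policy, s.state, s.is_web):
            kept.append(s)
        else:
            signed_out.append(s)
    return kept, signed_out


# Constructed sample sessions: one per device state, plus a web session.
SAMPLE_SESSIONS = [
    Session("alice@example.edu", "byod-phone", DeviceState.UNMANAGED),
    Session("alice@example.edu", "lab-ipad", DeviceState.MANAGED),
    Session("alice@example.edu", "classroom-mac", DeviceState.SUPERVISED),
    Session("alice@example.edu", "browser", DeviceState.UNMANAGED, is_web=True),
]


def tighten_to_supervised_only() -> tuple[list[str], list[str]]:
    """Simulate an administrator changing the rule from 'managed only' to
    'managed and supervised only' and also turning off iCloud on the web."""
    old = AccessPolicy(SignInRule.MANAGED_ONLY, allow_icloud_web=True)
    kept, _ = reevaluate_sessions(SAMPLE_SESSIONS, old)  # unmanaged phone already excluded
    new = AccessPolicy(SignInRule.MANAGED_AND_SUPERVISED_ONLY, allow_icloud_web=False)
    kept, signed_out = reevaluate_sessions(kept, new)
    return [s.device_id for s in kept], [s.device_id for s in signed_out]


if __name__ == "__main__":
    print(tighten_to_supervised_only())
```

Ordering the states as an `IntEnum` keeps the rule check to a single comparison, which makes it easy to reason about and to test exhaustively; the web case is kept separate because it is governed by its own switch rather than by device state.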
Inspecting Managed Apple Accounts
Managed Apple Accounts created in Apple School Manager also support inspection, which allows organizations to comply with legal and privacy regulations. A user with the role of Administrator, Site Manager, People Manager, or Instructor can inspect specific Managed Apple Accounts.
Inspectors can monitor only accounts that are below them in the organization’s hierarchy. For example, teachers can monitor students, managers can inspect teachers and students, and administrators can inspect managers, teachers, and students.
When inspecting credentials are requested using Apple School Manager, a special account is issued that has access to only the Managed Apple Account for which inspection was requested. The inspector can then read and modify the user’s content stored in iCloud or in CloudKit-enabled apps. Every request for inspection access is logged in Apple School Manager. The logs show who the inspector was, the Managed Apple Account the inspector requested access to, the time of the request, and whether the inspection was performed.
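As an added model of the inspection rules in the two paragraphs above (not Apple's code), the following ranks roles so that an inspector may only request access to accounts below them in the hierarchy, and records every request in a log entry carrying the fields the text lists: inspector, target account, request time, and whether the inspection was performed. The role ranks, the single-target `InspectionGrant`, and the sample directory are assumptions; the page does not specify the relative order of Site Manager and People Manager, so both are modelled at one "manager" level.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    """Hierarchy rank (hypothetical): higher values may inspect lower ones."""
    STUDENT = 0
    INSTRUCTOR = 1
    MANAGER = 2        # Site Manager and People Manager are modelled at one level
    ADMINISTRATOR = 3


@dataclass(frozen=True)
class InspectionGrant:
    """Credential scoped to exactly one target account, like the special
    account the text describes."""
    inspector: str
    target: str


@dataclass
class LogEntry:
    inspector: str
    target: str
    requested_at: datetime
    granted: bool
    performed: bool = False


@dataclass
class Organization:
    roles: dict[str, Role]
    log: list[LogEntry] = field(default_factory=list)

    def can_inspect(self, inspector: str, target: str) -> bool:
        """Only strictly lower-ranked accounts may be inspected; peers may not."""
        if inspector not in self.roles or target not in self.roles:
            return False
        return self.roles[target] < self.roles[inspector]

    def request_inspection(self, inspector: str, target: str,
                           now: Optional[datetime] = None) -> Optional[InspectionGrant]:
        """Log every request, granted or denied, and return a grant only when
        the hierarchy check passes."""
        now = now or datetime.now(timezone.utc)
        granted = self.can_inspect(inspector, target)
        self.log.append(LogEntry(inspector, target, now, granted))
        return InspectionGrant(inspector, target) if granted else None

    def mark_performed(self, grant: InspectionGrant) -> None:
        """Record that the inspector actually used the grant."""
        for entry in reversed(self.log):
            if entry.inspector == grant.inspector and entry.target == grant.target and entry.granted:
                entry.performed = True
                return


# Constructed sample directory.
SAMPLE_ORG = Organization(roles={
    "admin@example.edu": Role.ADMINISTRATOR,
    "sitemgr@example.edu": Role.MANAGER,
    "teacher@example.edu": Role.INSTRUCTOR,
    "student@example.edu": Role.STUDENT,
})


def run_sample() -> list[tuple[str, str, bool, bool]]:
    """Three requests: teacher->student (allowed and performed),
    teacher->manager (denied), admin->teacher (allowed, never performed)."""
    org = Organization(dict(SAMPLE_ORG.roles))
    ts = datetime(2024, 1, 1, tzinfo=timezone.utc)
    g = org.request_inspection("teacher@example.edu", "student@example.edu", ts)
    org.mark_performed(g)
    org.request_inspection("teacher@example.edu", "sitemgr@example.edu", ts)
    org.request_inspection("admin@example.edu", "teacher@example.edu", ts)
    return [(e.inspector, e.target, e.granted, e.performed) for e in org.log]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Denied requests are logged as well as granted ones, so a reviewer can see attempts to reach outside an inspector's scope, not just successful inspections.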