
About Managed Apple Accounts
Overview
Organizations design, own, and manage Managed Apple Accounts specifically to help increase the productivity of employees, instructors, and students and provide the services users may need. These accounts are separate from personal (unmanaged) Apple Accounts users create for themselves. Your organization maintains this separation to help keep organizational data distinct from personal data with robust management controls.
To view the certifications Apple maintains in compliance with the ISO 27001 and 27018 standards for Managed Apple Accounts, see Apple internet services security certifications in Apple Platform Certifications.
How Managed Apple Accounts are created
You design Managed Apple Accounts to use a domain name your organization owns. You can then create accounts using the following methods:
Manually
Configure and turn on federated authentication with Google Workspace, Microsoft Entra ID, or an identity provider (IdP)
Sync using OpenID Connect (OIDC) with Google Workspace or Microsoft Entra ID global service (login.microsoftonline.com)
Sync using OpenID Connect (OIDC) or System for Cross-domain Identity Management (SCIM) with your IdP
Apple School Manager only: Import accounts from your Student Information System (SIS)
Apple School Manager only: Upload .csv files using the Secure File Transfer Protocol (SFTP)
Note: The term domain in the context of this document refers to an individual FQDN (Fully Qualified Domain Name). This means that (for example) betterbag.com and accounts.betterbag.com are considered two different domains, and each needs to be added and managed individually in Apple School Manager or Apple Business Manager.
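The exact-FQDN rule in the note above, as an added example (not Apple's code): it checks planned account usernames against the domains already added and reports which FQDNs are still missing. The usernames, function names and report buckets are assumptions made for illustration; only betterbag.com and accounts.betterbag.com come from this page.

```python
# Added example: exact-FQDN matching of account domains (usernames are constructed).

def normalize_domain(domain):
    """Lower-case, drop a trailing root dot, and IDNA-encode an FQDN."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def classify_accounts(usernames, added_domains):
    """Sort usernames by whether their exact FQDN is among the added domains."""
    added = {normalize_domain(d) for d in added_domains}
    report = {"covered": [], "subdomain_not_added": [],
              "unknown_domain": [], "malformed": []}
    for name in usernames:
        local, sep, domain = name.strip().rpartition("@")
        try:
            fqdn = normalize_domain(domain) if sep and local else ""
        except UnicodeError:  # empty or over-long DNS label
            fqdn = ""
        if not fqdn:
            report["malformed"].append(name)
        elif fqdn in added:
            report["covered"].append((name, fqdn))
        elif any(fqdn.endswith("." + d) for d in added):
            # A subdomain of an added domain is still a separate domain.
            report["subdomain_not_added"].append((name, fqdn))
        else:
            report["unknown_domain"].append((name, fqdn))
    return report


def domains_still_needed(report):
    """Distinct FQDNs these accounts use that are not among the added domains."""
    pending = report["subdomain_not_added"] + report["unknown_domain"]
    return sorted({fqdn for _, fqdn in pending})


if __name__ == "__main__":
    planned = [  # constructed sample usernames
        "eliza@betterbag.com",
        "Juan@Accounts.BetterBag.com",
        "dawn@accounts.betterbag.com.",
        "kim@notbetterbag.com",
        "no-at-sign",
    ]
    report = classify_accounts(planned, ["betterbag.com"])
    print(domains_still_needed(report))
```

The `"." + d` suffix test keeps a look-alike such as notbetterbag.com from being mistaken for a subdomain of betterbag.com.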
How Managed Apple Accounts are used
Like personal Apple Accounts, Managed Apple Accounts can be used to sign in on dedicated or shared Apple devices and to access specific Apple services—including Shared iPad, iCloud, and collaboration with iWork, Notes, and Reminders.
You assign a specific role to each Managed Apple Account. This role defines which tasks users can perform in Apple School Manager and Apple Business Manager.
If you have a user account with the role of Administrator or specific manager roles, you use Managed Apple Accounts in three main ways—with user accounts, classes, and roles.
Accounts: Users with the role of Administrator can perform a range of tasks to manage user accounts. For example, you can assign roles or assign devices to users.
Classes (Apple School Manager only): A class brings together instructor and student accounts. Apple School Manager users with the appropriate role add at least one instructor when they create a class. After creating a class, your device management service enables classes to appear in the Classroom app for iPad and Mac, and simplifies the student experience on Shared iPad.
Roles: Roles determine what each user can access. Apple School Manager and Apple Business Manager have the following roles:
| Role | Description |
|---|---|
| Administrator | This role is limited to four users and has the most privileges. |
| Site Manager (Apple School Manager only) | This role has all the same privileges as the Administrator role with the following exceptions: |
| People Manager | This role is designed to manage user accounts, link to Student Information Systems (SIS), upload files using SFTP, link to identity providers (IdP), and assign roles. When you create each account, assign a role that defines the privileges for that account. When importing from your Student Information System (SIS), a user with the role of Administrator automatically assigns roles to each account. |
| Device Enrollment Manager | This role is designed to link to a device management service, release devices, and remove Activation Lock from organization-owned devices. |
| Manager (Apple School Manager only) | This role can be assigned to any location and can manage user accounts, classes, and content. |
| Content Manager | This role is responsible for volume purchasing at specific locations and can manage licenses for apps and books. |
| Instructor (Apple School Manager only) | This role can be in any location and can reset students’ passwords and manage classes and content. |
| Staff | This role can be assigned to any location and can use Apple devices managed by your organization. |
| Student (Apple School Manager only) | This role can be assigned to any location and can use Apple devices managed by your organization. |
For more information, see:
Apple School Manager User Guide: Intro to roles and privileges
Apple Business Manager User Guide: Intro to roles and privileges
What Managed Apple Accounts can and can’t access
Managed Apple Accounts provide access to many Apple technologies, apps, and services, including specific iCloud services, Continuity services between devices, education and business services, Apple Developer programs and services, and collaboration and communication services.
Managed Apple Accounts exclude access to specific iCloud services, some Apple Developer apps, media services, and store content.
For a complete list, see the following:
Apple School Manager User Guide: Service access with Managed Apple Accounts
Apple Business Manager User Guide: Service access with Managed Apple Accounts