Customize user access to certain apps and services using Apple Business Manager
You may want users who sign in with a Managed Apple ID to access many Apple apps and services. With Apple Business Manager, you can choose which of your users get access to which apps and services—if you’re an Administrator or People Manager—by choosing which of your users get access to specific apps and services. For example, you can turn on access to specific iCloud features, specify which app data they can store in the cloud, and turn off access to FaceTime and iMessage.
To further customize, you can choose what devices users can sign in to, and you can tailor their access to specific privacy and security features.
Requirements
Some features require the following:
iOS 17, iPadOS 17, and macOS 14, or later.
Support from your third-party MDM solution. Consult your MDM vendor’s documentation to see whether they support these features.
Penting: In case requirements for the management state of a device are changed, a Managed Apple ID is automatically signed out of a device if the device state doesn’t meet the new requirements.
Access to services using Managed Apple IDs
Access to specific services may vary when using Managed Apple IDs. See Service access with Managed Apple IDs in Apple Platform Deployment.
Manage iCloud features and app access
You can customize any of the features below to meet the needs of your organization. This includes deciding what devices a user can sign in with their Managed Apple ID:
Off: The user can’t store their data in iCloud.
Any device: The user can access their iCloud data on any device.
Managed devices only: The device is managed by an MDM solution which supports the new Get Token endpoint.
Supervised devices only: The device must be supervised (and managed) by an MDM solution which supports the new Get Token endpoint.
Nota: This feature requires iOS 17, iPadOS 17, macOS 14, and support from your MDM solution.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select iCloud, then select what devices users can sign into with their Managed Apple ID:
Off
Any device (default)
Managed devices only
Supervised devices only
Select Collaboration, then turn on the ability for users to collaborate on files created using Keynote, Numbers, and Pages, and whether to allow those files to be accepted automatically.
Anyone (default): Users can collaborate with any other users using an Apple ID.
Organization only: Users can collaborate only with other users using a Managed Apple ID from the same Apple Business Manager organization.
Off: Users can’t share Keynote, Numbers, or Pages documents.
Auto Accept Files: Users automatically accept invitations to collaborate on a shared document.
Select iCloud from the top, then turn off access to the following iCloud features:
iCloud Drive: Users can store data in iCloud Drive.
Passcodes and Keychain: Users can store their passwords and passkeys in iCloud Keychain.
Access iCloud data on the web: Users can sign in to www.icloud.com to access their data.
iCloud Backup: Users can use iCloud Backup to back up their devices.
Turn off access to storing app data in iCloud for the apps in the table below.
App
Data sync to other devices?
Calendar
Contacts
Freeform
Messages
News
Notes
Photos
Reminders
Safari
Siri
Stocks
Manage user access to FaceTime and iMessage
By default, users who sign in with a Managed Apple ID can access FaceTime and iMessage. You can modify that access.
FaceTime: FaceTime (both audio only and video) can be turned off, allowed with only other users in your organization, or anyone inside and outside of your organization.
iMessage: iMessage can be turned off, allowed with only other users in your organization, or allowed with anyone inside and outside of your organization.
Nota: If iMessage is turned off, users can still send and receive SMS/MMS messages.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select FaceTime, turn it off or on. If you turn it on, select one of the following:
Anyone (default)
Organization only
Select Apple Services from the top, select Messages, turn it off or on. If you turn it on, select one of the following:
Anyone (default)
Organization only
Turn on user access to Apple Wallet
By default, users who sign in with a Managed Apple ID can’t access Apple Wallet. You can turn on their access so they can add employee badges, if allowed by their organization.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Wallet, then turn on access to use Apple Wallet.
Turn on user access to Apple Developer content
By default, users who sign in with a Managed Apple ID can’t access Apple Developer content. You can modify that access.
Nota: This feature adds users with any role to existing developer teams. It doesn’t create new developer accounts.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Developer, then do any of the following:
Turn on access to Apple Developer Program.
Turn on access to Xcode Cloud program.
Turn on access to the MFi portal.
Turn on user access to AppleSeed for IT
AppleSeed for IT is designed specifically for enterprise and education customers committed to testing each new version of Apple beta software in their organizations. Organizations using Apple Business Manager can designate which account roles in their organization may participate. Participants then use their Managed Apple ID to access the program, and their feedback is associated with their organization.
By default, users who sign in with a Managed Apple ID can’t access AppleSeed for IT. You can modify that access.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select AppleSeed for IT, then turn on user access to the website.
For more information, see Roles: Basic privileges and the AppleSeed for IT website.
Choose what devices users can sign in to
You can choose what devices users can sign in to with their Managed Apple ID.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select “Allow Managed Apple ID on”, then select one of the following:
Any device (default): The user can sign in on any device, regardless of whether the device appears in Apple Business Manager.
Managed devices only: The serial number of the device must appear in Apple Business Manager.
Supervised devices only: The device must be supervised and the serial number of the device must appear in Apple Business Manager.
Turn on user access to specific privacy and security features
You can turn on access to specific privacy and security features.
In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Privacy & Security, then turn on access to any of the following:
Data & Privacy Access: Allow users access to request a copy of their data.
User Account Lookup: Allow users the ability to look up other user’s contact information.
Automatic sign in on Apple Watch: Allow users to pair their Apple Watch with their iPhone without having to enter a password.