
Intro to roles and permissions in Apple Business
Overview
Roles in Apple Business allow users to perform certain tasks or use certain features and every Apple Business user needs to be assigned at least one role. These roles have permissions that are either predefined or that you can edit and are separated into two categories:
Default roles: Organisation Administrator, IT Administrator, Marketing Administrator, Staff
You can change a few permissions on all default roles.
Custom roles: People Manager, Device Enrolment Manager, Content Manager, roles that you create
You can configure custom roles with very granular permissions.
Certain roles can manage other roles. For example, a user with the role of Organisation Administrator can manage a user with the role of IT Administrator, Marketing Administrator or Staff.
Important: Users with the role of Organisation Administrator or any custom role that has permissions to set up and configure federation and connect to an identity provider (IdP) can’t sign in using federated authentication; they can only manage the federation process.
What permissions do roles assigned to additional organisational units have?
When you sign up for Apple Business, Apple creates an initial organisation for you based on the information you provided and Apple verified. The initial user is assigned the role of Organisation Administrator and there can only be 10 total users with that role. Users with that role have permissions to manage any features of any additional organisational units.
When additional organisational units are created, users can be assigned a role for that organisational unit. Any user assigned a role in an additional organisational unit has permissions only for that specific organisational unit. They’re unable to make changes to the initial organisation.
Can users have more than one role assigned?
Users can be assigned more than one role in more than one organisational unit. For example, you can have a user whose role has the following permissions:
View apps and books
Get licences for apps and books
Reassign licences for apps and books
If that role is assigned to the initial organisation, those permissions can be used for all organisational units.
If that role is assigned to two organisational units (neither of which is the initial organisation), those permissions can be used only for those two organisational units.
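The scoping rule above can be modelled to review which users hold permissions in every organisational unit. This is an added example, not Apple code or an Apple API; the unit names, the role name "Licence Manager", the users and every function name are hypothetical, constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

INITIAL_ORG = "Initial organisation"  # hypothetical label for the initial organisation
ALL_UNITS = [INITIAL_ORG, "London", "Berlin", "Madrid"]  # constructed sample units

# Hypothetical custom role carrying the three permissions listed above.
ROLE_PERMISSIONS = {
    "Licence Manager": {
        "View apps and books",
        "Get licences for apps and books",
        "Reassign licences for apps and books",
    },
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    unit: str  # organisational unit in which the role is assigned

# Constructed sample assignments.
ASSIGNMENTS = [
    Assignment("alice", "Licence Manager", INITIAL_ORG),
    Assignment("bob", "Licence Manager", "London"),
    Assignment("bob", "Licence Manager", "Berlin"),
]

def effective_permissions(assignments, role_permissions, all_units):
    """Return {user: {unit: permissions}} after applying the scoping rule."""
    result = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        # Assigned in the initial organisation: usable in every unit.
        # Assigned in an additional unit: usable in that unit only.
        scope = all_units if a.unit == INITIAL_ORG else [a.unit]
        for unit in scope:
            result[a.user][unit] |= role_permissions[a.role]
    return {user: dict(units) for user, units in result.items()}

def broad_assignments(assignments):
    """List (user, role) pairs whose scope is every organisational unit."""
    return sorted({(a.user, a.role) for a in assignments if a.unit == INITIAL_ORG})

if __name__ == "__main__":
    for user, units in effective_permissions(ASSIGNMENTS, ROLE_PERMISSIONS, ALL_UNITS).items():
        print(user, "->", sorted(units))
    print("Review for least privilege:", broad_assignments(ASSIGNMENTS))
```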
What default roles can manage other roles?
| Role | Can manage the following other roles |
|---|---|
| Organisation Administrator | Other Organisation Administrators, IT Administrator, Marketing Administrator, Staff, All custom roles |
| IT Administrator | Other Administrators, Staff, All custom roles |
| Marketing Administrator | None |
| Staff | None |
What are custom roles?
There are three predefined custom roles:
People Manager: Users assigned this role are responsible for specific organisational units. They can be assigned to any organisational unit and by default, manage individuals and content.
Content Manager: Users assigned this role are responsible for volume purchasing at specific organisational units. They can be assigned to any organisational unit and by default, manage licences for apps and books.
Device Enrolment Manager: Users assigned this role help Organisation Administrators and IT Administrators in Apple Business. By default, they manage devices and device management services.
Device API Manager: This custom role appears only when an Apple Business Manager or Apple Business Essentials organisation migrates to Apple Business with existing API accounts. See Create an API account.
Brand Manager: This custom role appears only when an Apple Business Connect organisation migrates to Apple Business with existing Brand Manager accounts.
Default role permissions
When permissions change on a default role, all users who are assigned that role now have their default permissions updated. For example, if you remove the ability to use FaceTime and iMessage from the IT Administrator role, all users assigned that role will now be unable to use their Managed Apple Account with FaceTime and iMessage.
Custom role permissions example
When you edit a current custom role or create a new custom role, you can select from many different permissions in five different categories. For example, you could create a custom role with the name Device Configuration Manager that has only the following permissions:
| Permissions category | Example permission |
|---|---|
| Organisation | Edit access to Apple services for Managed Apple Accounts and allowed apps for Sign in with Apple |
| People | Reset Managed Apple Account passwords |
| Devices | View device management services, manage default platform assignment and add devices with Apple Configurator; View device configurations; Create, edit and delete device configurations; View Blueprints; Manage Blueprints |
| Apps & Services | View Apps and Books; Reassign licences for apps and books |
| Brands | No permissions |
Permission lists
To view tables of roles and their default permissions select any of the following:
Staff permissions
Users with the role of Staff have the following permissions on by default:
Download beta software, view programme resources and submit feedback
Use FaceTime
Use iMessage