
About Managed Apple Accounts
Overview
Managed Apple Accounts function much like Apple Accounts but are specifically designed for, owned by, and managed by an organization to help increase the productivity of employees, instructors, and students and to provide the services users may need. These accounts are separate from the personal Apple Accounts users create for themselves. This helps keep organizational data separate from personal data with robust management controls.
To view the certifications Apple maintains in compliance with the ISO 27001 and 27018 standards for Managed Apple Accounts, see Apple internet services security certifications in Apple Platform Certifications.
How Managed Apple Accounts are created
Managed Apple Accounts are designed to use a domain name that an organization owns and can be created using the following methods:
Create accounts manually
Configure and turn on federated authentication with Google Workspace, Microsoft Entra ID, or an identity provider (IdP)
Sync using OpenID Connect (OIDC) with Google Workspace or Microsoft Entra ID
Sync using OpenID Connect (OIDC) or System for Cross-domain Identity Management (SCIM) with your IdP
Apple School Manager only: Import accounts from your Student Information System (SIS)
Apple School Manager only: Upload .csv files using the Secure File Transfer Protocol (SFTP)
Note: The term domain in the context of this document refers to an individual FQDN (Fully Qualified Domain Name). This means that (for example) betterbag.com and accounts.betterbag.com are considered two different domains and must be added and managed individually in Apple School Manager or Apple Business Manager.
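The per-FQDN rule in the note above, as an added example that is not part of Apple's documentation: a roster check that treats an account as covered only when its domain exactly matches a domain that was added, so a subdomain or a look-alike suffix is never accepted by accident. The `user@domain` identifier form, the function names, and the sample accounts are assumptions made for illustration.

```python
# Added example: classify account identifiers by exact FQDN match.
# The domain list and accounts below are constructed sample data.

def normalize_domain(domain: str) -> str:
    """Lowercase and drop a trailing root dot so comparisons are exact."""
    return domain.strip().rstrip(".").lower()


def account_domain(account: str) -> str:
    """Return the normalized domain part of a user@domain identifier."""
    local, sep, domain = account.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a user@domain identifier: {account!r}")
    return normalize_domain(domain)


def audit_accounts(accounts, registered_domains):
    """Group accounts into those on a registered FQDN and those that are not.

    A subdomain counts as its own domain: it is covered only if it was
    added individually, never because its parent is registered.
    """
    registered = {normalize_domain(d) for d in registered_domains}
    report = {"covered": [], "uncovered": [], "invalid": []}
    for account in accounts:
        try:
            domain = account_domain(account)
        except ValueError:
            report["invalid"].append(account)
            continue
        key = "covered" if domain in registered else "uncovered"
        report[key].append(account)
    return report


# Constructed sample data (only betterbag.com has been added).
REGISTERED = ["betterbag.com"]
ACCOUNTS = [
    "eliza@betterbag.com",
    "Eliza@BetterBag.com.",
    "sam@accounts.betterbag.com",   # subdomain: a different domain
    "pat@notbetterbag.com",         # a suffix check would wrongly accept this
    "no-at-sign",
]

if __name__ == "__main__":
    for status, names in audit_accounts(ACCOUNTS, REGISTERED).items():
        print(f"{status}: {names}")
```

Adding `accounts.betterbag.com` to the registered list is what moves the third account into the covered group; registering the parent domain alone never does.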
How Managed Apple Accounts are used
Like personal Apple Accounts, Managed Apple Accounts can be used to sign in on dedicated or shared Apple devices and to access specific Apple services—including Shared iPad, iCloud, and collaboration with iWork, Notes, and Reminders.
Managed Apple Accounts can also be assigned a specific role. These roles define which tasks users can perform in Apple School Manager and Apple Business Manager.
As a user with the role of Administrator or any Manager role, you use Managed Apple Accounts in three main ways: with user accounts, classes, and roles.
Accounts: Users with the role of Administrator can complete a range of tasks to manage user accounts. For example, you can assign roles or assign devices to users.
Classes: A class is a collection of instructor and student accounts. Classes have at least one instructor added when the class is created. After a class is created, it’s used with your mobile device management (MDM) solution to enable classes to appear in the Classroom app for iPad and Mac, and Shared iPad, and to simplify the experience for students using Shared iPad.
Roles: Roles help define what a user has access to. Apple School Manager and Apple Business Manager have the following roles:
Role | Description |
---|---|
Administrator | This role is limited to four users and has the most privileges. |
Site Manager (Apple School Manager only) | This role has all the same privileges as the Administrator role with the following exceptions: |
People Manager | This role is designed to manage user accounts, link to Student Information Systems (SIS), upload files using SFTP, link to identity providers (IdP), and assign roles. When you create each account, you assign a role that defines the privileges for that account. If you’re importing from your Student Information System (SIS), the individual doing the import automatically assigns roles. |
Device Enrollment Manager | This role is designed to link to third-party mobile device management (MDM) solutions, release devices, and remove Activation Lock from organization-owned devices. |
Manager (Apple School Manager only) | This role can be assigned to any location and can manage user accounts, classes, and content. |
Content Manager | This role is responsible for volume purchasing at specific locations and can manage licenses for apps and books. |
Instructor (Apple School Manager only) | This role can be in any location and can reset students’ passwords and manage classes and content. |
Staff | This role can be assigned to any location and can use Apple devices managed by your organization. |
Student (Apple School Manager only) | This role can be assigned to any location and can use Apple devices managed by your organization. |
For more information, see:
Apple School Manager User Guide: Intro to roles and privileges
Apple Business Manager User Guide: Intro to roles and privileges
What Managed Apple Accounts can and can’t access
Managed Apple Accounts have access to many Apple technologies, apps, and services, including specific iCloud services, Continuity services between devices, education and business services, Apple Developer programs and services, and collaboration and communication services.
Managed Apple Accounts don’t have access to specific iCloud services, Apple Developer apps, media services, and store content.
For a complete list, see the following:
Apple School Manager User Guide: Service access with Managed Apple Accounts
Apple Business Manager User Guide: Service access with Managed Apple Accounts