Review Apple School Manager roles and privileges for your team
After you enroll in Apple School Manager and integrate with your Identity Provider (IdP) or Student Information System (SIS), you can add administrators and assign roles to spread management tasks across your team.
Administrator role
The administrator is the highest–level account and has full administrative control over Apple School Manager. It is best practice to create at least one manager account in addition to your administrator account in case you (the administrator), or your account becomes unavailable. The administrator can then assign accounts to the roles detailed next.
Other Apple School Manager roles
Every Apple School Manager account has one or more roles that define what the user of the account can do. Each role consists of a set of privileges; if you add or remove a privilege, it affects all accounts that have that role. Student roles have very limited privileges, instructor and manager roles have more, and the administrators have the most. Below are the roles under the Administrator role.
Site Manager: Site Managers can do everything administrators can do except accept updated terms and conditions.
People Manager: People Managers can manage connections to IdPs and SISs, reset passwords, and manually add accounts.
Device Enrollment Manager: Device Enrollment Managers can manage device assignments to your mobile device management (MDM) solution. Having more than one Device Manager is useful. For example, if two schools in a district run different MDM servers and each school wants to be able to assign devices to its own MDM server.
Content Manager: Content Managers can make app and book purchases. Because each purchasing account has a separate purchase history, purchases can be made with separate funding sources.
Manager: Managers can create, edit, and delete manually created classes and change user account status.
Staff: Accounts with the role of Staff can use devices that appear in Apple School Manager and content purchased by a Content Manager, and also participate in AppleSeed for IT.
Instructors: Instructors can buy and reassign content, reset student passwords, view student progress in Schoolwork, and more.
Students: Accounts with the role of Student can use devices that appear in Apple School Manager and content purchased by a Content Manager.
Review privileges for your accounts
Managed Apple Accounts can be used across Apple services and those IDs are customizable. The Apple School Manager administrator can assign and revoke access to different services for the users that you create within Apple School Manager. The administrator can grant or revoke access to the following services:
Student Progress (Default is off): Enabling this feature allows accounts with the role of instructors to view student progress on activities they assign to their students in Schoolwork. You can disable this feature and delete any student data at any time. You can also opt out individual students.
FaceTime and Messages (Default is off): You can turn this service on for your organization and control which role can activate these services and whether iMessage can be used with accounts outside of your organization.
Note: iMessage and FaceTime conversations are encrypted in transit and can’t be inspected.
Data and Privacy Access (Default is off:): Enabling this feature allows your users to request a copy of their data using their Data & Privacy (http://privacy.apple.com/) page.
User Account Lookup (Default is on): This feature allows users to look up other users’ contact information in their operating system—for example, when composing an iMessage, a Mail message, or initiating a document share.
Sharing (Default is inside the organization only): These options allow you to choose if you would like your users to be able to collaborate on documents with personal Apple Accounts outside of your organization. For example, teachers might want to share a folder with their personal Apple Account if they work on teaching materials on a personal device.
Auto Accept: Enabling this feature allows for any role except Student (unless this option is explicitly selected) to initiate a shared or collaborative file and it is auto-accepted and appear in the iCloud Drive of other users within your organization. For example, a teacher can easily share a Keynote presentation with their students without needing to send links to them.