
iCloud for Managed Apple Accounts
Depending on your organization’s deployment model, users of your managed devices might use their personal Apple Account, a Managed Apple Account, both, or neither.
For users working on devices your organization owns, consider providing them with a Managed Apple Account. Because the account is owned by your organization, you can then manage not only the services they can access but also the devices they can sign in to.
iCloud services
With iCloud services available to a Managed Apple Account, users can store content such as contacts, calendars, documents, and notes—and keep them up to date across multiple Apple devices. iCloud secures content by encrypting it when it’s sent over the internet, storing it in an encrypted format, and using secure tokens for authentication. For more information on iCloud security, see iCloud security overview in Apple Platform Security.
Note: Some iCloud features require a Wi-Fi connection, some features aren’t available in all countries or regions, and access to some services is limited to 10 devices with the same Apple Account.
iCloud Drive
Users can store their documents and files on iCloud Drive and access them from iPhone, iPad, and Mac devices, and from Windows computers that are set up with iCloud. Documents are kept up to date on all devices, and changes made to a file when the user is offline are automatically updated when the device comes online.
Users can also configure their macOS Desktop and Documents folders to be stored in iCloud Drive automatically, allowing the contents to be available on all the user’s devices.
Users can even collaborate on documents stored in iCloud Drive provided that they’re created with Pages, Numbers, Keynote, and other apps that support CloudKit. For Managed Apple Accounts, organizations can define whether collaboration is possible only with internal users or also with external users.
iCloud Keychain
iCloud Keychain keeps Wi-Fi network passwords and website passwords used in Safari up to date on all your iPhone, iPad, and Mac devices set up with iCloud. It also stores internet account sign-in and configuration information, and passwords for other apps that support iCloud. iCloud Keychain can also store credit card information users save in Safari, so Safari can automatically fill in the information.
iCloud Keychain consists of two services:
Keeping Keychain up to date on all devices
Keychain recovery
To securely exchange keychain items, a circle of trust is established and used among approved devices of a user. New devices joining the circle need to be approved either by an existing iCloud Keychain device or by using iCloud Keychain recovery. Each item that’s synced is encrypted so that it can be decrypted only by a device within the user’s circle of trust; it can’t be decrypted by any other devices or by Apple.
iCloud Keychain escrows users’ keychain data with Apple without allowing Apple to read the passwords and other data it contains. Even if the user has only a single device, keychain recovery provides a safety net against data loss. This is particularly important when Safari is used to generate random, strong passwords for web accounts, because the only record of those passwords is in the keychain.
Part of keychain recovery is secondary authentication and a secure escrow service, created by Apple specifically to support this feature. The user’s keychain is encrypted under a strong encryption key, and the escrow service provides a copy of that key only if a strict set of conditions is met and the user enters the passcode of one of their previous devices.
Important: Managed Apple Accounts don’t support iCloud Keychain recovery using a recovery contact.
Passkeys
Passkeys are designed to provide a passwordless sign-in experience that is both convenient and secure. They’re a standard-based technology that can resist phishing, are always strong, and have no shared secrets.
With iCloud Keychain support for Managed Apple Accounts, organizations can deploy passkeys to allow employees to access corporate resources and make sure passkeys securely sync to all their iPhone, iPad, and Mac devices. Using access management functionality, they can also define the required management state of a device to allow access to the managed passkeys.
A declarative passkey attestation configuration allows a managed device to provide an attestation when a passkey gets provisioned for an organizational service. The attestation is provided when a user registers a passkey for a website or app using a domain specified in the configuration. After the device has securely generated a passkey, it uses the certificate identity defined in the configuration to perform a WebAuthn attestation with the accessed service. This allows the service to verify that the passkey was created on a device managed by the organization before provisioning access.
The generated passkeys get automatically stored in the iCloud Keychain associated with the Managed Apple Account. When no Managed Apple Account is present, the passkey can’t be created.
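The service-side check described above, as an added illustration that is not Apple's code and not part of this page: a relying party receives a WebAuthn-style attestation (authenticator data, the signature over authData||clientDataHash, and the device's attestation certificate), and accepts the new passkey only when that certificate chains to the organization's attestation CA, the data was signed for this relying-party ID, and the signature verifies. The organization CA, the device certificate named "managed-device-0001", the relying-party ID sso.example.com and the client data are all constructed here; the authenticator data is simplified to rpIdHash || flags || signCount, and the attestation format is a packed-style simplification rather than the exact structure a device emits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// WebAuthn authenticator-data flag bits: UP = user present, AT = attested credential data.
const flagUP, flagAT byte = 0x01, 0x40

// Attestation is what a managed device hands back when a passkey is registered (simplified):
// authenticator data, the signature over authData||clientDataHash, and the DER certificate identity.
type Attestation struct{ AuthData, ClientDataHash, Sig, CertDER []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl builds a short-lived certificate template; ca selects CA vs. signing-only key usage.
func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: ca}
}

// issue signs tmpl with signer (parent == tmpl gives a self-signed CA) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewOrgPKI generates a throwaway CA (the trust anchor the service is configured with) and
// one device certificate standing in for the identity provisioned onto a managed device.
func NewOrgPKI(org string) (ca, dev *x509.Certificate, devKey *ecdsa.PrivateKey) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	devKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := tmpl(1, org+" Attestation CA", true)
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	dev = issue(tmpl(2, "managed-device-0001", false), ca, &devKey.PublicKey, caKey) // constructed name
	return ca, dev, devKey
}

// signedDigest is what both sides sign/verify: SHA-256(authData || clientDataHash).
func signedDigest(authData, clientDataHash []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	return d[:]
}

// Attest is the device side. Authenticator data here is rpIdHash || flags || signCount;
// the AAGUID, credential ID and COSE public key that follow in real authData are omitted.
func Attest(devCert *x509.Certificate, devKey *ecdsa.PrivateKey, rpID string, clientData []byte) Attestation {
	rp := sha256.Sum256([]byte(rpID))
	ad := append(rp[:], flagUP|flagAT, 0, 0, 0, 0) // sign count 0 for a freshly created credential
	cdh := sha256.Sum256(clientData)
	sig := must(ecdsa.SignASN1(rand.Reader, devKey, signedDigest(ad, cdh[:])))
	return Attestation{AuthData: ad, ClientDataHash: cdh[:], Sig: sig, CertDER: devCert.Raw}
}

// Verify is the service side: accept the passkey only if the attestation certificate chains to
// the organization's CA, the data was signed for this relying party with the expected flags,
// and the signature is valid. Any failure means "not provably created on a managed device".
func Verify(att Attestation, orgCA *x509.Certificate, rpID string) error {
	cert, err := x509.ParseCertificate(att.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(orgCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("attestation certificate not issued by the organization: %w", err)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(att.AuthData) < 37 || string(att.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match this service")
	}
	if att.AuthData[32]&(flagUP|flagAT) != flagUP|flagAT {
		return fmt.Errorf("user-present and attested-credential flags are required")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, signedDigest(att.AuthData, att.ClientDataHash), att.Sig) {
		return fmt.Errorf("attestation signature does not verify")
	}
	return nil
}

func main() {
	ca, dev, key := NewOrgPKI("Example Corp") // constructed organization
	fmt.Println("managed device:", Verify(Attest(dev, key, "sso.example.com", []byte(`{"type":"webauthn.create"}`)), ca, "sso.example.com"))
}
```

The point to take from the check order is that the certificate chain is what ties the passkey to the organization: a valid signature from a certificate the service does not trust, or a certificate from another organization's CA, is rejected before the credential is ever stored, and a registration whose rpIdHash was produced for a different service is rejected even when the chain is good.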
To provide a simple sign-in flow to the user, app developers can make use of associated domains to establish a secure association between domains and their app (and optionally allow a configuration of associated domains via MDM). If this is available, iOS, iPadOS, and macOS can automatically select and provide the correct passkey for a seamless sign-in experience. If authentication is being performed by a third-party service, ASWebAuthenticationSession can be used instead.
For more information, see Passkey Attestation declarative configuration.
Access iCloud services
Signing in with a Managed Apple Account during Setup Assistant or using the Apple Account menu item at the top of Settings (iPhone and iPad) or System Settings (Mac) provides access to all services available to the account.
Users can add additional accounts in Settings > Mail > Accounts (iPhone, iPad, Apple Vision Pro) or in System Settings > Internet Accounts (Mac) to access mail (if mail is available for the account), contacts, and calendars stored with another personal Apple Account and contacts, calendars, and reminders of a Managed Apple Account.
Account-driven Device Enrollment and User Enrollment extend the list of services accessible on a device with a Managed Apple Account to contacts, calendars, reminders, notes, iCloud Drive, and iCloud Backup.
Manage iCloud access
You can turn off individual iCloud services available to a Managed Apple Account in Apple School Manager and Apple Business Manager. In addition, you can define which devices users can sign in to and access their Managed Apple Account data on, and specify who they can communicate and collaborate with. If the user primarily uses a personal Apple Account, organizations can disable certain iCloud services on managed devices through restrictions. Note that some restrictions require that the device be supervised.