About Managed Apple Accounts in Apple School Manager
Overview
Managed Apple Accounts function much like Apple Accounts but are specifically designed for, owned, and managed by, an organization to help increase the productivity of instructors and students and provide the services users may need. These accounts are separate from personal Apple Accounts users create for themselves. This helps to keep organizational data separate from personal data with robust management controls.
This also includes role-based administration and—in certain instances—password resets. Users can access iCloud and collaboration with iWork, Notes, and Reminders—and users with the roles of Administrator, Managers, Staff, and Instructors can sign in to the Apple School Manager web portal. They also allows instructors and students to use, for example, the Classroom app and the Schoolwork app.
Lastly, Apple School Manager makes it easy for schools to create and manage these accounts at scale. Because Apple School Manager integrates with your existing environment, you can provide Managed Apple Accounts to users using their existing organization credentials—for example, your Student Information System (SIS), Google Workspace, Microsoft Entra ID, or your identity provider (IdP). You can then sync user accounts.
Apple uses only information that personally identifies your users in order to:
Provide Apple School Manager and associated services enabled by you
Support your users’ use of Apple School Manager
This can include solving issues in connection with the use of Apple School Manager, specific troubleshooting or enhancing your users’ experience.
How Managed Apple Accounts are created
Managed Apple Accounts can be created for any domains using the following methods:
Create accounts manually
Import accounts from your Student Information System (SIS)
Upload .csv files using the Secure File Transfer Protocol (SFTP)
Configure and turn on federated authentication with Google Workspace, Microsoft Entra ID, or an identity provider (IdP)
Sync with Google Workspace
Sync using Open ID Connect (OIDC) with Microsoft Entra ID
Sync using Open ID Connect (OIDC) or System for Cross-domain Identity Management (SCIM) with your IdP
Important: Keep in mind that every Managed Apple Account must be unique. It also can’t be the same as other Apple Accounts that other users may already have.
How Managed Apple Accounts are used
Like personal Apple Accounts, Managed Apple Accounts can be used to sign in on dedicated or shared Apple devices and to access specific Apple services—including Shared iPad, iCloud, and collaboration with iWork, Notes, and Reminders.
Managed Apple Accounts can also be assigned a specific role. These roles define which tasks users can perform in Apple School Manager.
As any user with the role of Administrator or any Manager, you use Managed Apple Accounts in three main ways—with user accounts, classes, and roles.
Accounts: Users with the role of Administrator can complete a range of tasks to manage user accounts. For example, you can assign roles or assign devices to users.
Classes: A class is a collection of instructor and student accounts. Classes have at least one instructor added when the class is created. After a class is created, it’s used with your mobile device management (MDM) solution to enable classes to appear in the Classroom app for iPad and Mac, and Shared iPad, and to simplify the experience for students using Shared iPad.
Roles: Roles help define what a user has access to.
For more information, see Intro to roles and privileges.
Deleted personal Apple Accounts
If a personal Apple Account goes through the formal deletion request process, it can’t ever be recreated nor can it be used as a Managed Apple Account, even if the organization has verified and captured the domain. For more information, see the Apple Support article How to delete your Apple Account.
Managed Apple Account password resets
Depending on how Managed Apple Accounts are created, password resets can be completed in Apple School Manager and Apple Business Manager or—if connected to an identity provider (IdP)—through the IdP.
If the reset is done through Apple School Manager:
A user with a Managed Apple Account can lock themselves out of their account if they enter an incorrect password more than 10 times. To reset their password, the user must contact any user with the role of Administrator, Site Manager, People Manager, or another user with password reset privileges.
Additional Managed Apple Account features for instructors and students
In Apple School Manager you can use Managed Apple Account features for instructors and students.
You can define password policies for each user account, and it’s easiest to assign them per role. Student role accounts can have a simpler four- or six-digit passcode. Accounts with all other roles must have strong passwords consisting of at least eight characters. See Role privileges.
In addition, the administrator and manager can manually add an account at any time, such as when a temporary instructor is added to your school. You can also view and edit account information, such as the user’s name, ID number, grade level, and more. Depending on your role, you can also reset a user’s Managed Apple Account password, send them a verification code so they can sign in, and delete, deactivate, or restore an account.
Many states and regions have laws that require schools to protect student data and restrict the ways in which it can be used. Managed Apple Accounts are designed to help K–12 schools (or equivalent) comply with student data privacy requirements. See About privacy and security for Apple products in education.
Additional features for education are shown in the table below.
Feature | Description |
|---|---|
iCloud storage | Managed Apple Accounts receive 200 GB of free iCloud storage. |
Schoolwork | Class rosters created in Apple School Manager are automatically available in Schoolwork. Student progress reporting can optionally be enabled in Apple School Manager. |
Classroom | Class rosters created in Apple School Manager are automatically available in Classroom. |
Organizational password reset | Using the Classroom app, instructors can reset students’ Managed Apple Account passwords without involving their IT department. |
Managed Apple Account password complexity
When you add users to Apple School Manager, you set a password complexity for that user. That complexity level dictates which Lock screen appears when a user signs in with Shared iPad. A four- or six-digit passcode shows only digits on the screen. A complex password shows the full keyboard. When the user signs in with their Managed Apple Account and their initial password, they are prompted to change their password using the level of complexity you initially set in Apple School Manager.
Important: If you set the Lock screen behavior to a four- or six-digit passcode and the Apple School Manager setting for that user is set to a complex password, that user must manually enter their Managed Apple Account and password.
Inspect Managed Apple Accounts
Organizations can comply with legal and privacy regulations by using Managed Apple Account inspection. Administrator, manager, and instructor accounts can be granted inspection privileges for specific accounts. Inspectors can monitor only accounts that are below them in the school’s hierarchy. For example, instructors can monitor students, and administrators can inspect managers, instructors, and students.
To inspect an account, an authorized user must create special inspection credentials within Apple School Manager for a specific Managed Apple Account. These credentials can be used only to access that Managed Apple Account, and they expire after 7 days. During that period, the inspector can access the user’s content stored in iCloud Drive or in CloudKit-enabled apps. Every request for access is logged in Apple School Manager. Logs show the inspector’s name, the Managed Apple Account in question, the time of the request, and whether or not the inspection was performed. All users with inspection privileges can search these logs, which discourages misuse of inspections.