Forum Discussion

david972
Copper Contributor
Apr 07, 2022

Use federated authentication with MS Azure AD in Apple Business Manager

Hello Everyone :smile:,

iOS migration: AirWatch to Intune

Existing: I have users added in ABM who already have a device managed in AirWatch and Intune.

Today I want to set up federated authentication, linking Apple Business Manager and Azure AD.

Will there be a significant impact if I enable federated authentication, and is it transparent to the user?

Thanks

  • For users who already have a normal iCloud account registered at the work domain name, they will have to change the email address on that iCloud account to something else (they will get an email from Apple telling them to change it in x amount of days, otherwise Apple will change it for them). If you enable federation, there will be a message telling you how many users will receive that email, but it won't tell you who those users are 😞
      david972
      Copper Contributor

      Harm_Veenstra

      Thank you for your reply.

      So the user will receive an email, but no significant impact if I understand correctly.

      In my current situation I create a Managed Apple ID account
      from the Apple Business Manager console.
      I create an Azure AD account identical to the Managed Apple ID account.

      example:

      ABM
      - Managed Apple ID: Email address removed
      - Email address: Email address removed

      AZURE AD
      - Azure AD: Email address removed
      - Email address: Email address removed

      Tomorrow I will have to set up federated authentication;
      the questions I have are:

      1- Can there be a login conflict?
      2- Will there be a duplicate Managed Apple ID login name?
      3- Will production be blocked?
      4- Will this have a big impact on users already registered?

      Thank you in advance.

      • 1. Yes, when creating the federation the Apple ID will get a notification telling it to change to another email domain within x days
        2. No, the Apple ID with the mail domain which was the same as the Azure user must be renamed
        3. No, I don't think so, but you will have to communicate (and test this yourself)
        4. If they registered an iCloud address which is the same as the Azure AD userPrincipalName, then yes. They will have to log in again on their device with the renamed account; all apps and settings will still be there

        But.. there are downsides to having Managed Apple IDs:

        What is the downside of using Managed Apple IDs?
        You may be reading the above section and thinking to yourself, “All of that is perfect, why wouldn’t everyone be using these?” It’s a fair question to ask, and to summarize an answer for you, Apple stresses that because Managed Apple IDs help protect your business, there are services that are automatically disabled.

        These disabled services include:

        App Store purchasing
        iTunes Store purchasing
        Book Store purchasing
        HomeKit connected devices
        Apple Pay
        Find My iPhone
        Find My Mac
        Find My Friends
        iCloud Mail
        iCloud Keychain (although, keychain items are saved and restored on Shared iPad devices)
        iCloud Family Sharing
        FaceTime (this is off by default, but your institution can turn it on)
        iMessage (this is off by default, but your institution can turn it on)

        https://www.jamf.com/blog/managed-apple-ids-in-business/
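The login-conflict and duplicate-name questions in this thread come down to one check: does each Managed Apple ID in ABM have exactly one matching Azure AD userPrincipalName in the domain about to be federated? The Python script below is an added example, not code from this thread, from Apple or from Microsoft. It reconciles a constructed ABM user export against a constructed Azure AD UPN list; the CSV column names (`Managed Apple ID`, `Email`, `userPrincipalName`) and the domain `example.com` are assumptions for the illustration and must be mapped to your real exports.

```python
import csv
import io
from dataclasses import dataclass, field

# Domain about to be federated with Azure AD (assumed for this example).
FEDERATED_DOMAIN = "example.com"

# Constructed sample exports; the column names are assumptions, not verified
# against a real ABM or Azure AD export.
ABM_EXPORT = """Managed Apple ID,Email
alice@example.com,alice@example.com
Bob@Example.com,bob@example.com
carol@example.com,carol@example.com
dave@contractor.example,dave@contractor.example
"""

AZURE_AD_USERS = """userPrincipalName
alice@example.com
bob@example.com
erin@example.com
frank@example.com
"""


@dataclass
class Report:
    # Managed Apple ID has a matching UPN in the federated domain: sign-in
    # simply moves to Azure AD credentials.
    federated: list[str] = field(default_factory=list)
    # Same identity spelled differently in the two systems; addresses are
    # case-insensitive so matching still works, but align them so support
    # tickets and the ABM export read the same.
    case_mismatch: list[tuple[str, str]] = field(default_factory=list)
    # Managed Apple ID in the federated domain with no Azure AD user behind
    # it: after federation there is nothing for that account to sign in with.
    abm_no_upn: list[str] = field(default_factory=list)
    # Azure AD user in the domain with no Managed Apple ID yet.
    upn_no_abm: list[str] = field(default_factory=list)
    # Two ABM rows that collapse to the same address: a duplicate login name.
    duplicates: list[str] = field(default_factory=list)
    # Managed Apple IDs on other domains, untouched by this federation.
    out_of_scope: list[str] = field(default_factory=list)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def reconcile(abm_csv: str, aad_csv: str, domain: str = FEDERATED_DOMAIN) -> Report:
    """Compare ABM Managed Apple IDs with Azure AD UPNs for one domain."""
    domain = domain.lower()
    report = Report()

    abm_ids: dict[str, str] = {}  # lower-cased address -> spelling used in ABM
    for row in csv.DictReader(io.StringIO(abm_csv)):
        apple_id = row["Managed Apple ID"].strip()
        key = apple_id.lower()
        if key in abm_ids:
            report.duplicates.append(apple_id)
            continue
        abm_ids[key] = apple_id

    upn_by_key: dict[str, str] = {}  # lower-cased UPN -> spelling used in Azure AD
    for row in csv.DictReader(io.StringIO(aad_csv)):
        upn = row["userPrincipalName"].strip()
        upn_by_key[upn.lower()] = upn

    matched: set[str] = set()
    for key, apple_id in abm_ids.items():
        if _domain(apple_id) != domain:
            report.out_of_scope.append(apple_id)
            continue
        upn = upn_by_key.get(key)
        if upn is None:
            report.abm_no_upn.append(apple_id)
            continue
        matched.add(key)
        report.federated.append(upn)
        if upn != apple_id:
            report.case_mismatch.append((apple_id, upn))

    for key, upn in upn_by_key.items():
        if _domain(upn) == domain and key not in matched:
            report.upn_no_abm.append(upn)

    return report


if __name__ == "__main__":
    result = reconcile(ABM_EXPORT, AZURE_AD_USERS)
    for name, rows in vars(result).items():
        print(f"{name}: {rows}")
```

What this cannot see is exactly the gap Harm_Veenstra points out above: personal iCloud accounts registered on the work domain exist only at Apple, so neither export lists them, and the only signal you get is the count Apple shows when you turn federation on. Run the reconciliation before enabling federation for the `abm_no_upn`, `duplicates` and `case_mismatch` rows, and treat Apple's count of personal accounts as a separate user-communication task.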
