Forum Discussion

david972's avatar
david972
Copper Contributor
Apr 07, 2022
Solved

Use federated authentication with MS Azure AD in Apple Business Manager

Hello Everyone ,   iOS Migration Airwatch to Intune Existing: I have users added in the ABM who already have a device managed in Airwatch and Intune.   Today I want to set up a federated authe...
ABM
apple
Intune
mobile device management (mdm)
  • Harm_Veenstra's avatar
    Harm_Veenstra
    Apr 08, 2022
    1. Yes, when creating the Federation the Apple ID will get a notification telling it to change it to another email domain within x days
    2. No, the Apple ID with the maildomain which was the same as the Azure user must be renamed
    3. No, I don't think so but you will have to communicate (and test this yourself)
    4. If they registered an iCloud address which is the same as the Azure AD userprincipalname, then yes. They will have to login again on their device with the renamed account, all apps and settings will still be there

    But.. There are downsides to having Managed Apple ID's:

    What is the downside of using Managed Apple IDs?
    You may be reading the above section and thinking to yourself, “All of that is perfect, why wouldn’t everyone be using these?” It’s a fair question to ask, and to summarize an answer for you, Apple stresses that because Managed Apple IDs help protect your business, there are services that are automatically disabled.

    These disabled services include:

    App Store purchasing
    iTunes Store purchasing
    Book Store purchasing
    HomeKit connected devices
    Apple Pay
    Find My iPhone
    Find My Mac
    Find My Friends
    iCloud Mail
    iCloud Keychain (although, keychain items are saved and restored on Shared iPad devices)
    iCloud Family Sharing
    FaceTime (this is off by default, but your institution can turn it on)
    iMessage (this is off by default, but your institution can turn it on)

    https://www.jamf.com/blog/managed-apple-ids-in-business/
Harm_Veenstra's avatar
Harm_Veenstra
MVP
Apr 07, 2022
For users who already have a normal iCloud account registered at the work domain name, they will have to change the email-address on that iCloud account to something else (They will get a email from Apple telling them to change it in x amount of days otherwise they will change it for them) If you enable Federation, there will be a message telling you how many users will receive that email.. But it won't tell you who those users are 😞
david972's avatar
david972
Copper Contributor
Apr 08, 2022

Harm_Veenstra 

Thank you for your reply

So the user will receive an email, but no significant impact if I understand correctly.

 

In my current situation I create an Apple id managed account
from the Apple business manager console.
I create an Azure AD account identical to the managed Apple id account.

 

example :

ABM
- Apple ID Managed: Email address removed
- Email address: mailto:Email address removed

AZURE AD
- Azure AD: Email address removed
- Email address: mailto:Email address removed

 

Tomorrow I will have to set up federated authentication
the questions I have are :

1- can there be a login conflict?
2- Will there be a duplicate Apple id Managed login name?
3- Will the production be blocked?
4- Will this have a big impact on users already registered?

 

Thank you in advance.

  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Apr 11, 2022
    Was this enough information for you?
    • david972's avatar
      david972
      Copper Contributor
      Apr 11, 2022
      Hello,
      yes thanks for that information who helped me
      • Harm_Veenstra's avatar
        Harm_Veenstra
        MVP
        Apr 11, 2022
        No problem, glad to help. Please mark my answer as solution to mark it as solved
  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Apr 08, 2022
    1. Yes, when creating the Federation the Apple ID will get a notification telling it to change it to another email domain within x days
    2. No, the Apple ID with the maildomain which was the same as the Azure user must be renamed
    3. No, I don't think so but you will have to communicate (and test this yourself)
    4. If they registered an iCloud address which is the same as the Azure AD userprincipalname, then yes. They will have to login again on their device with the renamed account, all apps and settings will still be there

    But.. There are downsides to having Managed Apple ID's:

    What is the downside of using Managed Apple IDs?
    You may be reading the above section and thinking to yourself, “All of that is perfect, why wouldn’t everyone be using these?” It’s a fair question to ask, and to summarize an answer for you, Apple stresses that because Managed Apple IDs help protect your business, there are services that are automatically disabled.

    These disabled services include:

    App Store purchasing
    iTunes Store purchasing
    Book Store purchasing
    HomeKit connected devices
    Apple Pay
    Find My iPhone
    Find My Mac
    Find My Friends
    iCloud Mail
    iCloud Keychain (although, keychain items are saved and restored on Shared iPad devices)
    iCloud Family Sharing
    FaceTime (this is off by default, but your institution can turn it on)
    iMessage (this is off by default, but your institution can turn it on)

    https://www.jamf.com/blog/managed-apple-ids-in-business/

Resources