Federated authentication with Apple Business Manager
Short Introduction:
This introduction will touch on a definition from Microsoft realm and Apple realm
Microsoft Realm: Federated authentication is used to link Apple Business Manager to an instance of Microsoft Azure Active Directory (Azure AD). As a result, users can leverage their Azure AD usernames (User Principal Name) and passwords as Managed Apple IDs. They can then use their Azure AD credentials to sign into their assigned iPad or Mac and even to iCloud on the web.
Apple Realm: Managed Apple IDs were specifically created to enable IT administrators to manage employee accounts within their organization. These accounts empower IT Admins to establish password policies and efficiently manage app licensing. They serve as an ideal solution, striking a balance between providing valuable and productive tools for your team while ensuring compliance with your organization’s security standards. Fortunately, Apple has streamlined this process, eliminating the need for any additional applications. Account management is conveniently conducted through the Apple portal known as Apple Business Manager (ABM). This platform allows you to effortlessly monitor all the accounts within your organization, providing the capability to manage existing accounts or generate new ones directly from your web browser.
Pros of Managed Apple ID:
- Creates a single sign-on: Syncing Apple Business Manager with your Azure tenant, federated authentication allows Managed Apple IDs to use the corresponding Azure Active Directory username and password. This provides your employees with a single sign-on for their corporate identity, whether it is Apple or Microsoft
- Device management simplicity: Unifying identities across Apple Business Manager and Azure Active Directory, e.g. If you deactivate an employee’s account in Active Directory, their Managed Apple ID will also be deactivated, preventing employees who no longer require access to your system from logging in.
- BYOD devices: Managed Apple ID also enables the new User Enrollment process for BYOD devices. When a user signs in on a personal device with their Managed Apple ID, the enrollment process is automatically initiated. This ensures that all devices are synced under corporate credentials while allowing employees to maintain control over their personal data
- Shared iPad: Another Pro for Managed Apple ID for business is Shared iPad, where this works that a user’s data is stored in the cloud until they log in on an iPad. Once they log in, that information is downloaded and cached on the device until they log out. After logging out, the data becomes inaccessible to anyone else until the user signs back in.
Cons of Managed Apple ID:
The following features are by default disabled:
- iMessage (Possibility for admin to enable it)
- FaceTime (Possibility for admin to enable it)
- iCloud Mail and Keychain
- Find My
- Apple Pay
- Purchasing on the App Store and iBook Store
How to set up a Managed Apple ID
Prerequisites:
- Azure Global Admin Account
- ABM Admin Account
- Login with Global admin account
- Consent to preform the federation.
- After few minutes, ‘Federate’ will show up on the domain
- Sign in one more time with the Global Admin.
With this it’s going to check that the usernames within the Tenant do not already have Apple-ID, because this step will manage all the usernames.
(This process might take long time, depending on how many accounts in tenant)
Incase of username Conflict:-
- Click on the ‘User Name Conflict’
- Click continue
- Here we can notify the Users that they will have to relinquish their ownership and change the Apple ID within 60 days.
- Click on ‘Ok’
- Enable federation.
- From the user side:- the user has the possibility to follow the instruction in the email and get the Apple ID changed.
User has to go through the security questions
