Intro to roles and privileges in Apple School Manager
Every Apple School Manager user has one or more roles that define what the user can do. Certain roles can manage other roles. For example, a user that has the role of Instructor can manage a user that has the role of Student. In this way, an instructor can change a student’s passcode.
Users with the role of Administrator, Site Manager, or People Manager can’t sign in using federated authentication; they can only manage the federation process.
In addition, each role consists of a set of privileges, which affect all users that have that role. Student roles have very limited privileges, Instructor and Manager roles have more, and users with the role of Administrator have the most. To edit roles, you need to have the appropriate privileges. You’re unable to add a privilege that you yourself don’t have.
Important: If an account with a role of Administrator, Manager, or Instructor is also assigned a Student role, they will be unable to buy content.
Role | Can manage the following other roles |
---|---|
Administrator | Other Administrators, Site Manager, People Manager, Device Enrollment Manager, Content Manager, Manager, Staff, Instructor, Student |
Site Manager | Other Site Managers, People Manager, Device Enrollment Manager, Content Manager, Manager, Staff, Instructor, Student |
People Manager | Other People Managers, Site Manager, Device Enrollment Manager, Content Manager, Manager, Staff, Instructor, Student |
Device Enrollment Manager | None |
Content Manager | None |
Manager | Staff, Instructor, Student |
Staff | None |
Instructor | Student |
Student | None |
Edit a role’s privileges
In Apple School Manager, sign in with a user that has the role of Administrator.
Select Access Management in the sidebar, then select Roles.
Select a role, select Edit, then do one of the following:
To remove a privilege from a role, deselect its checkbox, then select Save.
To add a privilege, select its checkbox, then select Save.
Basic privileges
Manage basic privileges as shown in the table below.
Basic privilege | Administrator | Site Manager | People Manager | Device Enrollment Manager | Content Manager | Manager |
---|---|---|---|---|---|---|
Accept terms and conditions | Always on | Always off | Always off | Always off | Always off | Always off |
Edit role privileges | Always on | Always on | Always on | Always off | Always off | Always off |
Add Apple Customer Numbers and Reseller Numbers | Always on | Always off | Always off | Always off | Always off | Always off |
Set tax status information | Always on | Always off | Always off | Always off | Always off | Always off |
Configure federated authentication | Always on | On by default | Always on | Always off | Always off | Always off |
Integrate with SIS | Always on | On by default | Always on | Always off | Always off | Always off |
Create, edit, and delete locations | Always on | On by default | Always on | Always off | Always off | Always off |
Set default Managed Apple Account user name formats | Always on | On by default | Always on | Always off | Always off | Always off |
Set the default password policy for new students | Always on | On by default | Always on | Always off | Always off | Always off |
Turn on Student Progress | Always on | On by default | Always on | Always off | Always off | Always off |
Administer AppleSeed for IT | On by default | On by default | Off by default | Always off | Always off | Always off |
Participate in AppleSeed for IT | On by default | On by default | On by default | On by default | On by default | On by default |
Use managed devices | Always on | Always on | Always on | Always on | Always on | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on | Always on | Always on | Always on | Always on | Always on |
Use managed apps and books | Always on | Always on | Always on | Always on | Always on | Always on |
For more information on AppleSeed for IT, see the AppleSeed for IT website.
People privileges
Manage people privileges as shown in the table below.
People privilege | Administrator | Site Manager | People Manager | Device Enrollment Manager | Content Manager | Manager |
---|---|---|---|---|---|---|
Create, edit, and delete Managed Apple Accounts | Always on | On by default | Always on | Always off | Always off | On by default |
Assign roles to users | Always on | On by default | Always on | Always off | Always off | On by default |
Change students’ password policies | Always on | On by default | Always on | Always off | Always off | On by default |
Change account status of users | Always on | On by default | Always on | Always off | Always off | On by default |
Inspect user accounts | Always on | On by default | Always on | Always off | Always off | On by default |
View account inspection log | Always on | On by default | Always on | Always off | Always off | On by default |
Create, edit, and delete classes | Always on | On by default | Always on | Always off | Always off | On by default |
Reset passwords for users | Always on | On by default | Always on | Always off | Always off | On by default |
Generate verification codes | Always on | On by default | Always on | Always off | Always off | On by default |
Use FaceTime | Off by default | Off by default | Off by default | Off by default | Off by default | Off by default |
Use iMessage | Off by default | Off by default | Off by default | Off by default | Off by default | Off by default |
Device privileges
Manage device privileges, as shown in the table below.
Device privilege | Administrator | Site Manager | People Manager | Device Enrollment Manager | Content Manager | Manager |
---|---|---|---|---|---|---|
Manage MDM servers | Always on | Always on | Always off | Always on | Always off | Always off |
Add, assign, and unassign devices to MDM servers | Always on | Always on | Always off | Always on | Always off | Always off |
Assign devices to organization | Always on | Always on | Always off | Always on | Always off | Always off |
Turn off Activation Lock | Always on | On by default | Always off | On by default | Always off | Always off |
Release devices | Always on | Always on | Always off | On by default | Always off | Always off |
Content privileges
Configure content settings, as shown in the table below.
Note: Any role that can buy apps and books can view payment information.
Content privilege | Administrator | Site Manager | People Manager | Device Enrollment Manager | Content Manager | Manager |
---|---|---|---|---|---|---|
View apps and books | Always on | On by default | Always off | Always off | Always on | On by default |
Buy apps and books | Always on | On by default | Always off | Always off | Always on | Off by default |
Reassign licenses for apps | Always on | On by default | Always off | Always off | Always on | Off by default |
Hold unassigned licenses for apps and books | Always on | On by default | Always off | Always off | Always on | Off by default |
Staff privileges
Configure staff privileges, as shown in the table below.
Staff privilege | Access |
---|---|
Use managed devices | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on |
Use managed apps and books | Always on |
Participate in AppleSeed for IT | On by default |
Use FaceTime | Off by default |
Use iMessage | Off by default |
Instructor privileges
Configure instructor privileges, as shown in the table below.
Instructor privilege | Access |
---|---|
Participate in AppleSeed for IT | On by default |
Use managed devices | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on |
Use managed apps and books | Always on |
Inspect student accounts | Off by default |
View account inspection log | Off by default |
Create, edit, and delete classes | On by default |
Reset passwords for students | On by default |
Generate verification codes for students | On by default |
Create, edit, and delete Managed Apple Accounts | Off by default |
Assign roles to individuals | Off by default |
Change the password policy for students | On by default |
Change the account status of students | On by default |
Use FaceTime | Off by default |
Use iMessage | Off by default |
View apps and books | Off by default |
Buy apps and books | Off by default |
Reassign licenses for apps and books | Off by default |
Hold unassigned licenses for apps and books | Off by default |
View Student Progress Dashboard | Always on |
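The four states in these tables separate privileges that are fixed for a role (Always on, Always off) from defaults that can be changed by editing the role. The following Python sketch is an added example, not Apple's code: it parses rows copied from the Instructor table and compares them with a constructed, hand-recorded snapshot of the role's checkboxes (the snapshot format and the finding labels are assumptions) to list where the role has drifted from its documented defaults.

```python
# Added example. DOCUMENTED rows are copied from the Instructor table on this page.
DOCUMENTED = """\
Instructor privilege | Access |
---|---|
Inspect student accounts | Off by default |
View account inspection log | Off by default |
Reset passwords for students | On by default |
Assign roles to individuals | Off by default |
View Student Progress Dashboard | Always on |
"""

# Constructed snapshot (assumed format): privilege -> checkbox currently selected?
CURRENT = {
    "Inspect student accounts": True,
    "View account inspection log": False,
    "Reset passwords for students": True,
    "Assign roles to individuals": True,
    "View Student Progress Dashboard": True,
}

# state text -> (enabled by default, treated here as fixed for the role)
STATES = {"always on": (True, True), "always off": (False, True),
          "on by default": (True, False), "off by default": (False, False)}

def parse_table(text):
    """Return {privilege: (default_enabled, locked)} from 'name | state |' rows."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        state = STATES.get(cells[1].lower()) if len(cells) >= 2 else None
        if state is not None:  # header and ---|--- rows carry no state, so they are skipped
            rows[cells[0]] = state
    return rows

def audit(documented, current):
    """List (finding, privilege) pairs where the snapshot differs from the documentation."""
    findings = []
    for name, (default, locked) in documented.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != default:
            kind = "inconsistent" if locked else ("expanded" if current[name] else "restricted")
            findings.append((kind, name))
    return findings

if __name__ == "__main__":
    for kind, name in audit(parse_table(DOCUMENTED), CURRENT):
        print(f"{kind:12} {name}")
```

An "inconsistent" finding means the snapshot disagrees with an Always on or Always off row, which points to a recording error or to documentation that no longer matches the product rather than to a role edit.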
Student privileges
Configure student privileges, as shown in the table below.
Student privilege | Student |
---|---|
Use managed devices | Always on |
Sign in to iCloud.com with a Managed Apple Account | Always on |
Use managed apps and books | Always on |
Participate in AppleSeed for IT | Always off |
Use FaceTime | Off by default |
Use iMessage | Off by default |