Managed Apple ID security
Managed Apple IDs function much like an Apple ID but are owned and controlled by enterprise or educational organizations. These organizations can reset passwords and turn off communications such as FaceTime and iMessage, and set up role-based permissions for employees, staff members, teachers, and students.
For Managed Apple IDs, some services are disabled (for example, App Store, HomeKit, and Find My).
Access management for Managed Apple IDs
Organizations can use access management available in Apple Business Manager, Apple School Manager, and Apple Business Essentials to define where Managed Apple IDs can be used and what services are available to them.
With access management, you can define whether users can sign in with a Managed Apple ID on any device, on managed devices only, or on managed and supervised devices only. Also, administrators can configure whether users are allowed to sign in to iCloud on the web. This allows organizations to use the management state of the device as a factor to decide if access to organizational data should be granted.
Additionally, administrators can define what iCloud services are available to their users. This includes defining access to Apple Developer Programs and the AppleSeed for IT beta program, and determining whether users are allowed to access the Apple Privacy portal at privacy.apple.com.
Managed Apple IDs also support collaboration on documents using Keynote, Numbers, Pages, Reminders, and Notes, as well as communication using FaceTime and iMessage. For those services, organizations can define whether users can collaborate with anyone or just with accounts created within the same Apple School Manager, Apple Business Manager, or Apple Business Essentials organization.
If access management rules change, they are reflected on devices the user is signed in to with their Managed Apple ID. If requirements for the management state of a device are changed, a Managed Apple ID is automatically signed out of a device if the device state doesn’t meet the new requirements.
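A small model of the access-management decision described above, added here as an illustration; it is not Apple's implementation or API. The class, field, and account names are hypothetical, the sessions are constructed, and treating an iCloud web session as governed only by the web sign-in setting is an assumption of the model.

```python
from dataclasses import dataclass
from enum import Enum

class DeviceScope(Enum):
    # The three sign-in scopes the page lists.
    ANY_DEVICE = "any device"
    MANAGED_ONLY = "managed devices only"
    MANAGED_AND_SUPERVISED_ONLY = "managed and supervised devices only"

@dataclass(frozen=True)
class Session:
    # One sign-in. Field names are hypothetical, not an Apple schema.
    account: str
    client: str  # device name, or "icloud.com" for a web session
    managed: bool = False
    supervised: bool = False
    web: bool = False

@dataclass(frozen=True)
class AccessPolicy:
    device_scope: DeviceScope
    allow_icloud_web: bool

def is_allowed(policy: AccessPolicy, s: Session) -> bool:
    """Decide one sign-in, using the device's management state as a factor."""
    if s.web:
        # Model assumption: a browser session is governed by the web setting only.
        return policy.allow_icloud_web
    if policy.device_scope is DeviceScope.ANY_DEVICE:
        return True
    if policy.device_scope is DeviceScope.MANAGED_ONLY:
        return s.managed
    return s.managed and s.supervised

def sessions_to_sign_out(new_policy: AccessPolicy, active: list[Session]) -> list[Session]:
    """Sessions that stop meeting the requirements once the policy changes."""
    return [s for s in active if not is_allowed(new_policy, s)]

# Constructed sample sessions (not real data).
ACTIVE = [
    Session("ana@example.org", "personal-iphone"),
    Session("ana@example.org", "enrolled-mac", managed=True),
    Session("ben@example.org", "classroom-ipad", managed=True, supervised=True),
    Session("ben@example.org", "icloud.com", web=True),
]
```

Running `sessions_to_sign_out` against a proposed policy before applying it shows which existing sign-ins a tighter device requirement would end.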
Inspecting Managed Apple IDs
Managed Apple IDs created in Apple School Manager also support inspection, which allows organizations to comply with legal and privacy regulations. A user with the role of Administrator, Site Manager, People Manager, or Instructor can inspect specific Managed Apple ID accounts.
Inspectors can monitor only accounts that are below them in the organization’s hierarchy. For example, teachers can monitor students, managers can inspect teachers and students, and administrators can inspect managers, teachers, and students.
When inspecting credentials are requested using Apple School Manager, a special account is issued that has access to only the Managed Apple ID for which inspecting was requested. The inspector can then read and modify the user’s content stored in iCloud or in CloudKit-enabled apps. Every request for auditing access is logged in Apple School Manager. The logs show who the inspector was, the Managed Apple ID the inspector requested access to, the time of the request, and whether the inspection was performed.