Glossary
- Apple Business Essentials
A simple, web-based portal for IT administrators — with one complete subscription that seamlessly brings together device management, 24/7 support and cloud storage, so your small business can easily manage every employee’s iPhone, iPad and Mac, every step of the way.
- Apple Business Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organisation has purchased directly from Apple or from a participating Apple Authorised Reseller or network provider. You can automatically enrol devices in your mobile device management (MDM) solution without having to physically touch or prepare the devices before users get them.
- Apple Customer Number
The account number (or numbers) assigned to your organisation by Apple, used to purchase Apple hardware or software. It’s required in order to verify your organisation’s eligibility for certain programmes. If you don’t know the numbers, contact your purchasing agent, finance department or Apple account team. This number isn’t the same as your GSX account number.
- Apple School Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organisation has purchased directly from Apple or from a participating Apple Authorised Reseller or network provider. You can automatically enrol devices in your mobile device management (MDM) solution without having to physically touch or prepare the devices before users get them.
- authentication
Retrieving a credential from an authority after providing an assertion that proves your identity.
- authorisation
Retrieving a token from an authority after authentication is done by providing an assertion that proves your identity.
- backup
A copy of important data that includes information such as the layout of the Home Screen, app data (such as Safari bookmarks and Calendar events), anything you can set in Settings on the device (including restrictions, certificates and some account types), contacts, and the Camera Roll (but not photo albums). Backups don’t include apps or media that you would normally sync using the Finder (macOS 10.15 or later) or iTunes (macOS 10.14 or earlier), or that are stored in iCloud or iCloud Drive. A backup of an unsupervised device is identical to and interchangeable with a Finder or iTunes backup, and can be restored only to an unsupervised device. Similarly, a backup of a supervised device can be restored only to another supervised device.
- Bootstrap Token
An MDM-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token is used to help with granting a secure token both to mobile accounts and to the optional device enrolment–created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts.
- configuration profile
An XML file (ending in .mobileconfig) that consists of payloads that load settings and authorisation information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually.
- D-U-N-S Number
A nine-digit identifier that’s assigned to each business by Dun & Bradstreet (D&B) and maintained in its database. Apple cross-checks programme enrollees with the D&B database. For more information on how to obtain a D-U-N-S number for your business, see Welcome to D&B Support.
- duplicates
In MDM, two or more identical payloads. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting. If two or more specific payloads cannot be active for a device or user, the payload is single.
- enrolment types
The three main types of device enrolment into mobile device management (MDM) solutions: User Enrolment, Device Enrolment and Automated Device Enrolment.
- eSIM (embedded-SIM)
A software-based SIM used in Apple Watch Series 3 or later; in iPhone XR, iPhone XS, iPhone XS Max or later; and in every iPad released since the 3rd generation iPad Pro. See also SIM card (Subscriber Identity Module).
- federated authentication
The process of using an account’s username and password from one directory system and allowing the same username and password to be used in other systems.
- identity
A certificate and its associated private key. Certificates can be freely distributed, but identities must be kept secure. The freely distributed certificate, and especially its public key, are used for encryption that can be decrypted only by the matching private key. The private key part of an identity is stored in a PKCS #12 (.p12) file and encrypted with another key that’s protected by a passphrase.
- Identity federation
The establishment of trust between identity providers across security domains.
- local account pairing
In macOS, a way to enforce smart card authentication for Mac computers on local accounts.
- machine-based enforcement (MBE)
In macOS, an implementation that removes the option for password-based authentication in favour of smart card–only authentication for any account accessible by a Mac. Compare user-based enforcement (UBE).
- mobile device management (MDM)
A service that lets an administrator remotely manage enrolled devices. After a device is enrolled, the user can use the MDM service over the network to configure settings and perform other tasks on the device without user interaction.
- operating system and channel
Mobile device management (MDM) solution payloads can be used on specific operating systems and for Shared iPad and Mac channels. Because Shared iPad and Mac can have more than one user, a payload can be applied to the device channel (all users) or a user channel (specific users).
- Organisation ID
Your unique identifier in Apple School Manager, Apple Business Manager or Apple Business Essentials. When you give a participating Apple Authorised Reseller or network provider your Organisation ID and you add their Reseller Number to your account profile, you authorise that reseller to submit devices you purchased through them to Apple so that devices’ serial numbers can appear in Apple School Manager, Apple Business Manager or Apple Business Essentials.
- payload
At least one managed setting. Some settings, such as LDAP, can have more than one payload. Use payloads to administer increased network security, user authentication, Wi-Fi authentication, VPN policy settings, mail settings and more. See also settings.
- personal identity verification (PIV) card
A type of smart card technology used for two-factor authentication, digital signing and encryption. The built-in support for smart cards in macOS is based on the CryptoTokenKit framework.
- Reseller Number
A unique identifier for each Apple Authorised Reseller or network provider that participates in Apple School Manager, Apple Business Manager or Apple Business Essentials. When you add a participating Apple Authorised Reseller’s or network provider’s Reseller Number to your account profile and you give them your Organisation ID, you authorise that reseller to submit devices you purchased through them to Apple so that devices’ serial numbers can appear in Apple School Manager, Apple Business Manager or Apple Business Essentials.
- Secure Token
A macOS feature that addresses the implementation of encryption keys, when they’re generated and how they’re stored. Specifically, a secure token is a wrapped version of a key encryption key (KEK) protected by a user’s password.
- settings
In the context of MDM, unique identifiers that can be applied to specific apps, features or connectivity functions, such as Exchange, passcodes, VPN, Wi-Fi, proxies and so forth. For example, the name of a Wi-Fi network or information about how to authenticate to an Exchange server would be a setting. After settings are entered for a given app, feature or connectivity function, they become a payload. See also payload.
- SIM card (Subscriber Identity Module)
A universal integrated circuit card (UICC) for identifying and authenticating subscribers on mobile devices. See also eSIM (embedded-SIM).
- single sign-on
A process in which a user provides authentication and authorisation information once and receives a ticket to access resources for as long as the ticket is valid (usually 10 hours).
- supplier
The entity you purchase eligible devices from. If you purchased the device directly from Apple using a purchase order (PO), you would enter your Apple Customer Number as your supplier using the Apple (Direct) option. If you purchased your device through a participating Apple Authorised Reseller or network provider, then you would add them as a supplier to your account by entering their Reseller Number using the Reseller option. Each supplier needs to be added only once to your account profile.
- user-approved MDM enrolment
In macOS 10.13.2, user-approved MDM enrolment allows mobile device management (MDM) software additional privileges. As of macOS 11, it’s no longer possible to install profiles using the command line, so all new MDM enrolments are approved by the user. User-approved MDM enrolment is different from User Enrolment.
- user-based enforcement (UBE)
In macOS, an implementation that creates an exception to smart card–only authentication for specific users or groups of users. This option disables all password-based authentication. Compare machine-based enforcement (MBE).