Managed Apple Accounts for Apple devices
Managed Apple Accounts are a great way to increase the productivity of employees and provide the services users may need. These accounts are designed specifically for organisations and separate from personal Apple Accounts users create for themselves. This helps to keep organisational data separate from personal data with robust management controls.
Like any Apple Account, Managed Apple Accounts can be used on dedicated or shared devices to access specific Apple services — including Shared iPad, iCloud and collaboration with iWork and Notes — and to access and use Apple School Manager, Apple Business Manager and Apple Business Essentials.
In Apple School Manager, Managed Apple Accounts are owned and managed by the educational institution and are designed to meet the needs of education organisations — including password resets, limitations on communications and role-based administration. Apple School Manager makes it easy to create a unique Managed Apple Account for each person in bulk.
In Apple School Manager, Apple Business Manager and Apple Business Essentials, Managed Apple Accounts are owned and managed by the organisation — including password resets, managing service access and role-based administration. Apple School Manager, Apple Business Manager and Apple Business Essentials make it easy to create a unique Managed Apple Account for each person in bulk.
To view the certifications Apple maintains in compliance with the ISO 27001 and 27018 standards for Managed Apple Accounts, see Apple internet services security certifications in Apple Platform Certifications.
How Managed Apple Accounts are created
Managed Apple Accounts are created after you:
Use federated authentication with Google Workspace, Microsoft Entra ID or an identity provider (IdP)
Import users from Google Workspace, Microsoft Entra ID or an IdP
Apple School Manager only: Import accounts from your Student Information System (SIS)
Apple School Manager only: Import .csv files using the Secure File Transfer Protocol (SFTP)
Create accounts manually
Sign in with Apple at Work & School
Sign in with Apple at Work & School is a feature that adds support for Managed Apple Accounts to sign in with Apple. Employees, instructors and students can sign in with their Managed Apple Accounts to access apps and websites that support Sign in with Apple. Administrators, Site Managers (Apple School Manager only) and People Managers can control which apps can be used with Sign in with Apple. To use Sign in with Apple at Work & School, Apple devices must be using iOS 16, iPadOS 16.1, macOS 13 or later.
To learn more, see the WWDC22 video Discover Sign in with Apple at Work & School.
Passkeys with Managed Apple Accounts
Passkeys are designed to provide a passwordless sign-in experience that is both convenient and secure. They are a standard-based technology that can resist phishing, are always strong and have no shared secrets.
With iCloud Keychain support for Managed Apple Accounts, organisations can deploy passkeys to allow employees to access corporate resources and make sure passkeys securely sync to all their iPhone, iPad and Mac devices. Using access management functionality, they can also define the required management state of a device to allow access to the managed passkeys.
A declarative passkey attestation configuration allows a managed device to provide an attestation when a passkey gets provisioned for an organisational service. The attestation is provided when a user registers a passkey for a website or app using a domain specified in the configuration. After the device has securely generated a passkey, it uses the certificate identity defined in the configuration to perform a WebAuthn
attestation with the accessed service. This allows the service to verify that the passkey was created on a device managed by the organisation before provisioning access.
The generated passkeys get automatically stored in the iCloud Keychain associated with the Managed Apple Account. When no Managed Apple Account is present, the passkey can’t be created.
To provide a simple sign-in flow to the user, app developers can make use of associated domains to establish a secure association between domains and their app (and optionally allow a configuration of associated domains via MDM). If this is available, iOS, iPadOS and macOS can automatically select and provide the correct passkey for a seamless sign-in experience. If authentication is being performed by a third-party service, ASWebAuthenticationSession
can be used instead.
For more information, see Passkey Attestation declarative configuration.