Customize user access to certain apps and services using Apple School Manager
You may want users who sign in with a Managed Apple ID to access many Apple apps and services. With Apple School Manager, you can choose which of your users get access to which apps and services—if you’re an Administrator, Site Manager, or People Manager—by choosing which of your users get access to specific apps and services. For example, you can turn on access to specific iCloud features, specify which app data they can store in the cloud, and turn on access to FaceTime and iMessage.
To further customize, you can choose what devices users can sign in to, and you can tailor their access to specific privacy and security features.
Requirements
Some features require the following:
iOS 17, iPadOS 17, and macOS 14, or later.
Support from your third-party MDM solution. Consult your MDM vendor’s documentation to see whether they support these features.
Tärkeää: In case requirements for the management state of a device are changed, a Managed Apple ID is automatically signed out of a device if the device state doesn’t meet the new requirements.
Access to services using Managed Apple IDs
Access to specific services may vary when using Managed Apple IDs. See Service access with Managed Apple IDs in Apple Platform Deployment.
Manage iCloud features and app access
You can customize any of the features below to meet the needs of your organization. This includes deciding what devices a user can sign in with their Managed Apple ID:
Off: The user can’t store their data in iCloud.
Any device: The user can access their iCloud data on any device.
Managed devices only: The device is managed by an MDM solution which supports the new Get Token endpoint.
Supervised devices only: The device must be supervised (and managed) by an MDM solution which supports the new Get Token endpoint.
Huomaa: This feature requires iOS 17, iPadOS 17, macOS 14, and support from your MDM solution.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select iCloud, then select what devices users can sign in to with their Managed Apple ID:
Off
Any device (default)
Managed devices only
Supervised devices only
Select Collaboration, then turn on the ability for users to collaborate on files created using Keynote, Numbers, and Pages, and whether to allow those files to be accepted automatically.
Anyone (default): Users can collaborate with any other users using an Apple ID.
Organization only: Users can collaborate only with other users using a Managed Apple ID from the same Apple School Manager organization.
Off: Users can’t share Keynote, Numbers, or Pages documents.
Auto Accept Files: Users can automatically accept invitations to collaborate on a shared document.
Shared by anyone except students
Shared by anyone
Off
Select iCloud from the top, then turn off access to the following iCloud features:
iCloud Drive: Users can store data in iCloud Drive.
Passcodes and Keychain: Users can store their passwords and passkeys in iCloud Keychain.
Access iCloud data on the web: Users can sign in to www.icloud.com to access their data.
iCloud Backup: Users can use iCloud Backup to back up their devices.
Turn on access to storing app data in iCloud for the apps in the table below.
App
Data sync to other devices?
Calendar
Contacts
Freeform
Messages
News
Notes
Photos
Reminders
Safari
Siri
Stocks
Turn on user access to FaceTime and iMessage
By default, users who don’t have the role of Administrator that sign in with a Managed Apple ID are unable to access FaceTime and iMessage. You can modify that access.
FaceTime: FaceTime (both audio only and video) can be turned on, allowed with only other users in your organization, or anyone inside and outside of your organization.
iMessage: iMessage can be turned on, allowed with only other users in your organization, or allowed with anyone inside and outside of your organization.
Huomaa: If iMessage is turned off, users can still send and receive SMS/MMS messages.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select FaceTime, turn it on, then select one of the following:
Anyone (default)
Organization only
Select Apple Services from the top, select Messages, turn it on, then select one of the following:
Anyone (default)
Organization only
Turn on user access to Apple Wallet
By default, users who sign in with a Managed Apple ID can’t access Apple Wallet. You can turn on their access so they can add student IDs or employee badges, if allowed by their school.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Wallet, then turn on access to use Apple Wallet.
Turn on user access to Apple Developer content
By default, users who sign in with a Managed Apple ID can’t access Apple Developer content. You can modify that access.
Huomaa: This feature adds users with any role except Student to existing developer teams. It doesn’t create new developer accounts.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Developer, then do any of the following:
Turn on access to Apple Developer Program.
Turn on access to Xcode Cloud program.
Turn on user access to AppleSeed for IT
AppleSeed for IT is designed specifically for enterprise and education customers committed to testing each new version of Apple beta software in their organizations. Organizations using Apple School Manager can designate which account roles in their organization may participate. Participants then use their Managed Apple ID to access the program, and their feedback is associated with their organization.
By default, users who sign in with a Managed Apple ID can’t access AppleSeed for IT. You can modify that access.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select AppleSeed for IT, then turn on user access to the website.
For more information, see Roles: Basic privileges and the AppleSeed for IT website.
Choose what devices users can sign in to
You can choose what devices users can sign in to with their Managed Apple ID.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select “Allow Managed Apple ID on”, then select one of the following:
Any device (default): The user can sign in on any device, regardless of whether the device appears in Apple School Manager.
Managed devices only: The serial number of the device must appear in Apple School Manager.
Supervised devices only: The device must be supervised and the serial number of the device must appear in Apple School Manager.
Turn on user access to specific privacy and security features
You can turn on access to specific privacy and security features.
In Apple School Manager , sign in with an account that has the role of Administrator, Site Manager, or People Manager.
Select Access Management in the sidebar, then select Apple Services .
Select Privacy & Security, then turn on access to any of the following:
Data & Privacy Access: Allow users access to request a copy of their data.
User Account Lookup: Allow users the ability to look up other user’s contact information. See Käyttäjätilien haun käyttö.
Easy Student Sign-In: Allows instructors to quickly sign students in to their iPad devices.
Huomaa: Managed Apple IDs must be allowed to sign in to any device and this feature can’t be used with federated authentication.
Instructors signed into an iPad with their Managed Apple ID can use that device to sign students into their devices. This sign-in method can be used during Setup Assistant and on devices that have already been set up.
On the student iPad, student’s select Settings, tap “Sign into your iPad”, then choose the option to “Use Another Apple Device.” When an instructor brings their iPad near the student iPad, a dialog appears on the instructor iPad stating “Sign in to iPad.” The instructor can then scan the particle cloud on the student iPad or choose Activate Manually and enter a 6 digit code. The instructor selects the desired student from a list of classes. That student is then automatically signed in to the their iPad. When complete, the instructor iPad shows an “All Set” message.
Use unmanaged nearby classes in Classroom: Allows instructors to create and use unmanaged nearby classes instead of Apple School Manager classes in Classroom. iPad devices must be running iPadOS 17.4, or later.
Automatic sign in on Apple Watch: Allow users to pair their Apple Watch with their iPhone without having to enter a password.
Student Progress Data in Schoolwork: Allow instructors to view student progress on activities they assign in Schoolwork. To manage student progress on an individual basis, see Use Schoolwork to manage student progress.
Share Schoolwork Analytics: Allow Apple to process non-personally identifiable Schoolwork data using techniques such as machine learning to improve Schoolwork.
Additional Managed Apple ID features for instructors and students
In Apple School Manager you can use Managed Apple IDs features for instructors and students.
You can define password policies for each user account, and it’s easiest to assign them per role. Student role accounts can have a simpler four- or six-digit passcode. Accounts with all other roles must have strong passwords consisting of at least eight characters. See Role privileges.
In addition, the administrator and manager can manually add an account at any time, such as when a temporary instructor is added to your school. You can also view and edit account information, such as the user’s name, ID number, grade level, and more. Depending on your role, you can also reset a user’s Managed Apple ID password, send them a verification code so they can sign in, and delete, deactivate, or restore an account.
Many states and regions have laws that require schools to protect student data and restrict the ways in which it can be used. Managed Apple IDs are designed to help K–12 schools (or equivalent) comply with student data privacy requirements. See Privacy and Security for Apple Products in Education.
Additional features for education are shown in the table below.
Feature | Description |
---|---|
iCloud storage | Managed Apple IDs receive 200GB of free iCloud storage. |
Schoolwork | Class rosters created in Apple School Manager are automatically available in Schoolwork. Student progress reporting can optionally be enabled in Apple School Manager. |
Classroom | Class rosters created in Apple School Manager are automatically available in Classroom. |
Organizational password reset | Using the Classroom app, instructors can reset students’ Managed Apple ID passwords without involving their IT department. |
Managed Apple ID password complexity
When you add users to Apple School Manager, you set a password complexity for that user. That complexity level dictates which Lock screen appears when a user signs in with Shared iPad. A four- or six-digit passcode shows only digits on the screen. A complex password shows the full keyboard. When the user signs in with their Managed Apple ID and their initial password, they are prompted to change their password using the level of complexity you initially set in Apple School Manager.
If you add Profile Manager as one of your mobile device management (MDM) servers to Apple School Manager, you have the option of merging any users in Apple School Manager to Profile Manager. When you do this, those users appear in the Profile Manager users list. After they appear, you can view their Managed Apple ID password type in the About tab. See Merge Apple School Manager accounts in the macOS Server User Guide.
Tärkeää: If you set the Lock screen behavior to a four- or six-digit passcode and the Apple School Manager setting for that user is set to a complex password, that user must manually enter their Managed Apple ID and password.
Inspect Managed Apple IDs
Organizations can comply with legal and privacy regulations by using Managed Apple ID inspection. Administrator, manager, and instructor accounts can be granted inspection privileges for specific accounts. Inspectors can monitor only accounts that are below them in the school’s hierarchy. For example, instructors can monitor students, and administrators can inspect managers, instructors, and students.
To inspect an account, an authorized user must create special inspection credentials within Apple School Manager for a specific Managed Apple ID. These credentials can be used only to access that Managed Apple ID, and they expire after 7 days. During that period, the inspector can access the user’s content stored in iCloud Drive or in CloudKit-enabled apps. Every request for access is logged in Apple School Manager. Logs show the inspector’s name, the Managed Apple ID in question, the time of the request, and whether or not the inspection was performed. All users with inspection privileges can search these logs, which discourages misuse of inspections.