Explore the latest updates to Managed Apple IDs and learn how you can use them in your organization. Take advantage of additional apps and services available to Managed Apple IDs, discover the Account-Driven Device Enrollment flow, and find out how to use access management controls to limit the devices and Apple services that Managed Apple IDs can access. We'll also show you how to federate with your identity provider to automate creation and sync with your directory.
Darsh: Welcome! My name is Darsh, and I am an engineer in the Enterprise Services team. Today, I'm thrilled to talk to you about all the updates coming to Managed Apple IDs this year. In this talk, I will be covering key new features for using, managing, and creating Managed Apple IDs. Before I begin, let's do a quick review of Managed Apple IDs.
Managed Apple IDs are a type of Apple ID designed specifically for use in an organization, like a business or a school. They allow an employee or a student to sign in to devices, apps, and services and keep their data synced across devices without needing to use a personal Apple ID. They allow the organization to own both the account and the data on it. And they are created and managed through Apple Business Manager or Apple School Manager. With that review, let's get started. In this talk, I'll first go over new features and enrollment options that we are introducing to make it easier to use your Managed Apple IDs. Then, I'll talk about new Access Management features that give you more control over your Managed Apple IDs. And finally, I'll talk about new ways to integrate with Identity Providers in order to easily create your Managed Apple IDs. Let's start with the new features and enrollment options that will be available for Managed Apple IDs this year. When you sign in to a device with your Managed Apple ID, iCloud backs up your data and keeps it synced across all devices for apps like Calendar, Contacts, Notes, and others. And this year, we're adding support for even more. Let's take a look. Managed Apple IDs now support iCloud Keychain, letting you autofill and sync your passwords and other secure information across your devices. And you can use iCloud Keychain to sync passkeys, making it easy to use Face ID or Touch ID to sign in to apps and websites. To learn more about how passkeys work with Managed Apple IDs, watch the session "Deploy passkeys at work." While Managed Apple IDs already support Messages, Stocks, News, and Siri, now you can keep the data within these apps synced across all the devices signed in with your Managed Apple ID. We're also introducing support for Wallet for Managed Apple IDs. You can now securely save items like credit and debit cards, driver's license or state ID, transit cards, keys, and badges, and access them on all your devices.
And finally, we're bringing all the great productivity features of Continuity to Managed Apple IDs, so that you can seamlessly move between devices. With Continuity for Managed Apple IDs, features like Continuity Camera, Handoff, Sidecar, Instant Hotspot, Universal Clipboard, and many more will now be available for Managed Apple IDs that are signed in to multiple devices. So now, in addition to the existing supported apps and services for Managed Apple IDs, we're adding even more features with full iCloud support. To access all these features, you just sign in with your Managed Apple ID in Settings. When you do that, you'll be able to see information related to your account and all the iCloud services available for your Managed Apple ID. Using iCloud with your Managed Apple ID is great when you have a device dedicated for work. But what if you're part of an organization that lets you use your personal device for work? You'll likely want to access your work data on it, but your personal Apple ID is already signed in to iCloud on that device. So how can you access both accounts on the same device? Well, Managed Apple IDs allow you to access your work data on your personal devices today, using account-driven user enrollment. For a deep dive, check out "Discover account-driven User Enrollment" from WWDC 21. We'll do a quick recap here of how this works for the user.
You can use account-driven User Enrollment to have both a personal account, using a personal Apple ID, and a work account, using a Managed Apple ID. Your work and personal data on the device is cryptographically separated and stored on different partitions, keeping your work data secure and your personal data private. When you are signed in with both accounts, your Managed Apple ID can use iCloud for the most important work-related things. It's really simple to set this up. From Settings, just go to General, then VPN & Device Management, and tap on "Sign in to Work or School Account." You then use your Managed Apple ID to sign in to your organization. And with User Enrollment, you're signing in to your work account and enrolling your device into management all at once. Once you accept management, you're signed in and enrolled. But this year, we wanted to offer something more for organizations who own the devices they give their users. These organizations usually manage their devices with Device Enrollment, which gives them a higher level of management and visibility of a device. It is important that organizations using Device Enrollment get the same easy sign-in experience as User Enrollment. So this year, in addition to account-driven User Enrollment, we are introducing account-driven Device Enrollment. Devices enrolled through account-driven Device Enrollment get most of the management capabilities of a profile-based Device Enrollment and the on-device separation of personal and work data. Let's see how it works. The new enrollment flow starts exactly the same way as the User Enrollment does today, by signing in to a Work or School Account in Settings. Like User Enrollment, this uses Service Discovery to fetch the enrollment profile and then prompts the user to authenticate with their Managed Apple ID.
If the enrollment is set to account-driven Device Enrollment, a new remote management screen appears, informing the user of what their organization can see and do on their device. When they complete enrollment, the Managed Apple ID is signed in to the device alongside the personal Apple ID, just like in User Enrollment. They can see the information about their Managed Apple ID, including the management profile installed through enrollment and the iCloud services available to them, which are the same ones that are available in User Enrollment. It's that simple. With account-driven Device Enrollment, users no longer need to manually download and install a profile to accomplish Device Enrollment. For devices enrolled through either of the account-driven enrollment flows, we have updates for apps that use the "Sign in with Apple at Work and School" feature. Now, you will be able to use your Managed Apple ID to sign in to managed iOS, iPadOS, and macOS apps that use Sign in with Apple. This allows you to use your work account for work apps and your personal account for personal apps. If the app uses a web view for authentication or you are using Safari, clicking "Use a different Apple ID" lets you enter a Managed Apple ID to complete the sign-in. Now let's talk about signing in with your Managed Apple ID on Macs. This year, we're really excited to bring both of the account-driven enrollment flows to macOS. Let's take a look. In System Settings, go to Privacy & Security. Under Profiles, there's a brand-new "Work or School Account" sign-in button. Just like before, you sign in with your Managed Apple ID, and depending on the type of enrollment defined, you will either receive a User Enrollment or a Device Enrollment. And like on iOS and iPadOS, the account signed in with the Managed Apple ID is listed separately, and the work data is kept separate from the personal data.
It gives you access to the same iCloud features under your Managed Apple ID that we saw earlier in iOS and iPadOS. Now that we have seen both of these enrollment experiences, let's go over how MDM developers can support account-driven Device Enrollment alongside User Enrollment and the information that can be used to choose between the two. If you're an MDM developer already supporting account-driven User Enrollment, you've implemented the well-known endpoint. When an enrollment occurs, the Managed Apple ID trying to enroll is passed along as a query parameter. Now, in addition to the user identifier, you will receive the device model attempting to enroll. This new information will help you decide which users and which devices receive a User Enrollment or a Device Enrollment. To support account-driven User Enrollment today, the server responds with "mdm-byod" as the value of the "Version" key when a device sends a request to the well-known endpoint. And in the Enrollment Profile, the value of the EnrollmentMode is set to "BYOD." To use account-driven Device Enrollment, MDM developers simply need to change the "Version" key in the well-known response to "mdm-adde" and, in the enrollment profile, set the enrollment mode to ADDE. And that's it. These few config changes will unlock account-driven Device Enrollment for users. So let's summarize. Account-driven Device Enrollment makes it easy to enroll your devices into management. Just like in User Enrollment, all you need to do is sign in with your Managed Apple ID. You receive almost all of the capabilities of a Device Enrollment, giving you more control over things like passcode policies and the ability to wipe and lock a device. It allows your Managed Apple ID to sign in alongside a personal Apple ID and keeps the data between the two separate. It's available on iOS, iPadOS, and macOS. 
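One way an MDM server might make the well-known decision just described, as an added example in Go (this is not Apple's code and not part of the session): the user identifier and device model that arrive on the well-known request are run through a vendor-side policy, and the matching `Version` value (`mdm-byod` or `mdm-adde`) is placed in the response. The `Servers`/`Version`/`BaseURL` layout follows the well-known document; the `EnrollmentPolicy` rules, the example addresses and the model prefixes are constructed for this illustration. The enrollment profile served from `BaseURL` must still carry the matching `EnrollmentMode` (`BYOD` or `ADDE`), which this example does not generate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Version values named in the session for the two account-driven flows.
const (
	VersionBYOD = "mdm-byod" // account-driven User Enrollment
	VersionADDE = "mdm-adde" // account-driven Device Enrollment
)

// EnrollmentPolicy is a hypothetical rule set an MDM vendor might keep: which
// user identifiers (stored lower-case) may receive Device Enrollment, and which
// device model prefixes denote organization-owned hardware. The session says
// both the user identifier and the device model arrive with the well-known
// request; the shape of the policy itself is this example's assumption.
type EnrollmentPolicy struct {
	DeviceEnrollmentUsers map[string]bool
	OrgOwnedModelPrefixes []string
}

// ServerEntry and WellKnownResponse follow the Servers/Version/BaseURL layout
// of the well-known document. BaseURL is a placeholder in this example.
type ServerEntry struct {
	Version string `json:"Version"`
	BaseURL string `json:"BaseURL"`
}

type WellKnownResponse struct {
	Servers []ServerEntry `json:"Servers"`
}

// SelectVersion decides the flow for one sign-in attempt. Device Enrollment is
// offered only when both the user and the model pass the policy; every other
// case falls back to the less invasive User Enrollment.
func SelectVersion(userID, model string, p EnrollmentPolicy) string {
	if !p.DeviceEnrollmentUsers[strings.ToLower(userID)] {
		return VersionBYOD
	}
	for _, prefix := range p.OrgOwnedModelPrefixes {
		if strings.HasPrefix(model, prefix) {
			return VersionADDE
		}
	}
	return VersionBYOD
}

// BuildWellKnown is the document the endpoint returns for one request.
func BuildWellKnown(userID, model, baseURL string, p EnrollmentPolicy) WellKnownResponse {
	return WellKnownResponse{Servers: []ServerEntry{{Version: SelectVersion(userID, model, p), BaseURL: baseURL}}}
}

func main() {
	// Constructed sample policy and request values for the demonstration.
	p := EnrollmentPolicy{
		DeviceEnrollmentUsers: map[string]bool{"jane@example.com": true},
		OrgOwnedModelPrefixes: []string{"Mac", "iPad"},
	}
	out, _ := json.Marshal(BuildWellKnown("jane@example.com", "Mac14,9", "https://mdm.example.com/enroll", p))
	fmt.Println(string(out))
}
```

The fallback direction is the point worth keeping: when either input is missing from the policy, the server answers with User Enrollment rather than the more privileged Device Enrollment, so a typo in the policy degrades to less management instead of more.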
And just like profile-based Device Enrollment for macOS, it results in the device being Supervised, giving you the highest level of management. And for MDMs, all it takes is a few changes to support it. With this year's updates to features and enrollment options, Managed Apple IDs now give organizations more ways to provide the right balance of productivity, privacy, and data security. Along with the new ways to use your Managed Apple IDs, we're also introducing more powerful controls to determine what they can do and access. Let's dive into it. We're introducing new Access Management policies that apply to all of your organization's Managed Apple IDs. These policies allow you to control Managed Apple ID sign-in based on the level of management of a device, and they can be used to determine which iCloud services are available. These policies are configured in Apple Business Manager or Apple School Manager. Let's see how it looks. You can control what type of devices a Managed Apple ID can sign in to based on their management level. You can keep the default policy of Any Device, requiring no management, set it to Managed Devices Only, which provides higher security and can be used for cases where users bring their own devices to work, or Supervised Devices Only, which offers the highest level of security for organizations that provide devices to their employees. We have also added new controls for Messages and FaceTime. You can now restrict Messages and FaceTime to accept messages and calls only from those in your organization or disable them entirely.
For developers, in addition to AppleSeed for IT, you can control access to Xcode and the Apple Developer site. And you can disable iCloud for any of the supported apps and services for Managed Apple IDs. When you disable iCloud for individual apps, the policy set by the organization will be reflected on the device. In this example, because the Admin has turned off Reminders in Apple Business Manager, the corresponding toggle is turned off on the device. The user can still use Reminders locally on the device, but their data will not be synced with iCloud. In order to support the sign-in policy for Managed Devices Only and Supervised Devices Only, MDM developers will need to implement a new Check-in request message type that returns a secure token. This token will verify that Managed Apple IDs only sign in to devices that are managed by an MDM server registered in the organization. Let's see how it works. The new Check-in request message type is called GetToken. To implement this, MDMs will need the server UUID for the MDM server registered for the organization in Apple Business Manager or Apple School Manager. This is available in the Get Account Detail endpoint. And the private key for the MDM server certificate associated with this registered MDM server. Admins set the Access Management policy for their organization in Apple Business Manager or Apple School Manager. This policy will be applied to all Managed Apple IDs belonging to the organization. When a Managed Apple ID tries to sign in to a device, the device requests the token using this GetToken message from the MDM server that is managing the device. The MDM server will respond with a JSON Web Token that is signed by the private key. The device will then use this token during the sign-in flow to check the policy. Once the token is verified, and if the user's device management state is compliant with the organization's sign-in policy, the user is successfully signed in.
Organization sign-in policies in Access Management will work on iOS 17, iPadOS 17, and macOS 14. If either an update to the policy or a device state change leads to non-compliance, the user will get signed out from the device. The GetToken check-in message ensures only authorized access to the device and the data. For MDM developers out there, let me show you the implementation details. The GetToken request follows a similar structure to other Check-in commands. The MessageType is GetToken. And the new TokenServiceType key, indicating which service we are requesting the token for, should be set to com.apple.maid. The response of this GetToken check-in request is a JSON Web Token. The claims are: Issuer, which is set to the MDM server UUID. Issued at, the timestamp for when this token is generated by the server. This will be used to limit the time period for which the token is considered valid. JWT identifier. It is a server-generated identifier which should be a random UUID string. This will be used to ensure a token can only be used once. Service_type. This is the TokenServiceType that was sent in the request and should be set to com.apple.maid. The JSON Web Token should be signed by the MDM server's private key before sending it as the response. The new Access Management controls will be available later this summer as a beta feature in Apple Business Manager and Apple School Manager. Now that we've covered what's new with using and managing Managed Apple IDs, let's talk about creating and integrating them with your Identity Providers. You can create Managed Apple IDs yourself through Apple Business Manager or Apple School Manager, but you can also use an Identity Provider to help you create them.
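As an added example (not Apple's code and not part of the session), the following Go program shows both halves of the GetToken exchange described above. The MDM server side validates the Check-in request (MessageType GetToken, TokenServiceType com.apple.maid) and returns a JWT whose claims are the issuer (the server UUID), the issued-at time, a random single-use JWT identifier and service_type, signed with the server's private key. The verifier side models the checks a consumer has to make for the token to mean anything: signature against the registered server key, issuer, an issued-at freshness window and rejection of a reused identifier; it is illustrative and not Apple's implementation. Assumptions of this example: ES256 signing (the session does not name the algorithm), the registered claim names iss/iat/jti for the claims the session lists, the lowercase spelling service_type, a freshly generated key standing in for the MDM server certificate's private key, and the placeholder server UUID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Check-in message type and token service identifier as named in the session.
const MessageTypeGetToken, ServiceTypeMAID = "GetToken", "com.apple.maid"

// GetTokenRequest holds the two Check-in keys (the real body is a property list).
type GetTokenRequest struct{ MessageType, TokenServiceType string }

// iss/iat/jti are the registered JWT names for the Issuer, Issued-at and JWT-identifier claims; service_type is spelled as in the session.
type TokenClaims struct {
	Iss         string `json:"iss"`
	Iat         int64  `json:"iat"`
	Jti         string `json:"jti"`
	ServiceType string `json:"service_type"`
}

var enc = base64.RawURLEncoding

// NewServerKey stands in for loading the registered MDM server certificate's private key (assumption: P-256 key).
func NewServerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// randomUUID yields the single-use jti as a random (version 4) UUID string.
func randomUUID() string {
	var u [16]byte
	if _, err := rand.Read(u[:]); err != nil {
		panic(err) // a failing CSPRNG is not a condition to continue from
	}
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[:4], u[4:6], u[6:8], u[8:10], u[10:])
}

// IssueToken is the MDM server side: validate the Check-in request, build the
// claims and sign them with the server key. ES256 is an assumption of this example.
func IssueToken(req GetTokenRequest, serverUUID string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	if req.MessageType != MessageTypeGetToken || req.TokenServiceType != ServiceTypeMAID {
		return "", fmt.Errorf("unsupported request %q / %q", req.MessageType, req.TokenServiceType)
	}
	payload, _ := json.Marshal(TokenClaims{Iss: serverUUID, Iat: now.Unix(), Jti: randomUUID(), ServiceType: ServiceTypeMAID})
	input := enc.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken models the consuming side: signature against the registered server key,
// issuer, iat freshness window and single use of jti. `seen` is the replay store, updated only on success.
func VerifyToken(tok, serverUUID string, pub *ecdsa.PublicKey, now time.Time, maxAge time.Duration, seen map[string]bool) (*TokenClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	body, errB := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errB != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad encoding or signature length")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify with the registered server key")
	}
	var c TokenClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch issued := time.Unix(c.Iat, 0); {
	case c.Iss != serverUUID:
		return nil, fmt.Errorf("issuer %q is not the registered MDM server UUID", c.Iss)
	case c.ServiceType != ServiceTypeMAID:
		return nil, fmt.Errorf("service_type mismatch")
	case now.Sub(issued) > maxAge || issued.After(now.Add(time.Minute)):
		return nil, fmt.Errorf("iat outside the accepted window")
	case seen[c.Jti]:
		return nil, fmt.Errorf("jti %s already used", c.Jti)
	}
	seen[c.Jti] = true
	return &c, nil
}

func main() {
	key, _ := NewServerKey()
	fmt.Println(IssueToken(GetTokenRequest{MessageTypeGetToken, ServiceTypeMAID}, "SERVER-UUID-PLACEHOLDER", key, time.Now()))
}
```

Two of the session's requirements do the security work here: the issued-at claim bounds how long a captured token stays valid, and the random jti lets the consumer refuse a second presentation of the same token, so a token minted for one sign-in cannot be reused for another.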
When you have an Identity Provider, you can use your own domain so that your Managed Apple ID looks like your organization email ID, enable federated authentication which allows your users to sign in to their Managed Apple IDs with the same credentials they use in your organization, and sync your user directory to automatically get updates when changes happen to your Managed Apple IDs. Apple Business Manager and Apple School Manager first added federated authentication for Microsoft Azure Active Directory. And last year, we added support for Google Workspace. Today, thousands of organizations use these Identity Providers to automatically create Managed Apple IDs and keep their accounts synchronized. This year, we wanted to give any organization the ability to take advantage of using an Identity Provider for their Managed Apple IDs. And we are excited to introduce a new integration option that adds support for custom identity providers. Now, any public or in-house Identity Provider can integrate with Apple Business Manager or Apple School Manager. Like our existing integrations with Microsoft Azure Active Directory and Google Workspace, the custom Identity Provider integration will support federated authentication, directory sync, and account security events. This integration uses three standards: OpenID Connect for federated authentication, System for Cross-domain Identity Management, or SCIM, for directory sync, and the OpenID Shared Signals Framework for account security events, like password changes. In order to be compatible with this integration, Identity Providers need to support these three standards. And we're happy to share that Okta is working on becoming a supported Identity Provider later this year. This means that if you use Okta, you'll soon be able to take advantage of all the benefits of having a fully-integrated Identity Provider for your Managed Apple IDs.
We're excited to see more organizations start creating and syncing their Managed Apple IDs with their Identity Providers using this new integration option. So let's wrap up. Take advantage of all the new features available to Managed Apple IDs in your organization, including iCloud Keychain, Wallet, and all the great Continuity features. With support from your MDM solution, use account-driven Device Enrollment to enroll iPhones, iPads, and Macs into management without having a user manually install a profile. Control where Managed Apple IDs can sign in and what apps and services they can use with all-new Access Management features. And finally, Identity Providers can start integrating with Apple Business Manager or Apple School Manager to unlock federated authentication, directory sync, and account security events for Managed Apple IDs. We can't wait for you to start using everything new we've introduced this year for Managed Apple IDs. Thank you so much for joining, and I hope you have a great day.