July 15, 2020

Mobility Engineers live in a very peculiar world nowadays. Back in the good ol’ BlackBerry days, we had the world at our mercy. We could do anything and everything was built EXACTLY how it needed to be. We didn’t have to worry about the conundrum of “is it business?”, “is it consumer?”, or is it “prosumer?” If we fast-forward to 2020, every day we have to take something that is built for a consumer or education and make it into an enterprise device. Being honest, it’s a battle that we often lose more than we win.


On occasion, we find little glimmers of hope. I always cringe at WWDC when I see so few glimmers of hope in our enterprise world. We aren’t education, we aren’t consumers, and we are the minority. A few examples of these glimmers I can think of:

  • FaceTime
  • iMessage
  • Screen Recording
  • HomePods
  • iCloud Drive
  • AirDrop
  • Device Enrollment Program (DEP) and Volume Purchasing Program (VPP)
  • Background App Refresh, and a few more…

I turn my focus now to a potential new item that we can thank education for: Managed Apple IDs. There's very little information out there about Managed Apple IDs, and I have dug in deep on them to show what we can actually use them for, but first let's briefly discuss Apple Business Manager.

What is Apple Business Manager?

Apple Business Manager (ABM) is the convergence of two major programs at Apple that Enterprises are using heavily today: DEP and VPP. Apple did a nice job of combining these two platforms in a unified and user-centric console.

Without going too deep into the weeds, we can use ABM to view/manage devices that we bought through the Device Enrollment Program, manage/purchase apps and books bought through VPP, and now start to manage a special type of account called a “Managed Apple ID” which provides some intriguing potential. (Yes I know that’s a simplistic breakdown of ABM, but I’m sticking to the basics here.)

What are Managed Apple IDs?

Managed Apple IDs are basically Apple IDs that are managed by your organization. Similar to other technologies, you map a domain to your organization and take control of Apple IDs, or create Apple IDs in various ways, that match your domain, e.g. mobile-jon.com.

These Managed Apple IDs are used to sign into Apple devices and to collaborate leveraging iCloud, Notes, and iWork. Companies own those accounts, which lets them use role-based access control (RBAC) and manage the credentials for them. You also get additional security, such as account lockouts for potentially fraudulent activity or incorrect password attempts. One of the best use cases for these Managed Apple IDs is the use of ABM and Shared iPads to generate multi-factor authentication with an Azure identity and a Shared iPad passcode.

Shared iPad and Classroom

How do Managed Apple IDs help me in the Enterprise?

The first thing that I always ask myself is “Is this actually an enterprise feature or is this a round peg in a square hole?”


Azure AD with Apple Business Manager

My initial reaction was "OMG Apple is integrating with Azure AD! This must be an amazing new enterprise feature that we ALL must have", but as we peel back the onion it's sort of a meh feature. Let's break down the Azure integration real quick.

On its own, the feature is pretty interesting. The steps are pretty basic (you can read about them here) and really come down to:

  1. Claim your domain
  2. Configure Azure Federation
  3. Turn on Azure Federation for your domains

I'll give them major props for how easy it is. Every other product on the market requires you to configure stuff in your Azure Portal and to have at least a basic understanding of Identity and Access Management (IAM), which most mobility people don't have. I decided to unwrap what they actually do on the Azure side because I was interested.

One thing I did find relatively interesting was that "User Assignment Required" is set to no, which means anyone can use it; that does simplify things since you don't need to entitle users. I also found it interesting that automatic provisioning says "manual", which I don't entirely buy since it behaves like automatic user provisioning.

For you nerds, this is the last item that I found interesting (the permissions that ABM is granted against the Graph API).
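The two Azure-side details above (the "User Assignment Required" setting and the permissions the ABM enterprise application holds against the Graph API) are the ones worth checking in your own tenant before you federate. The script below is an added example, not part of the original post and not Apple's or Microsoft's code; it uses the Microsoft Graph PowerShell SDK to read those settings. It assumes the enterprise application created by ABM federation is named "Apple Business Manager" (pass `-AppDisplayName` if your tenant shows a different name) and that you have read-only directory permissions.

```powershell
# Added example: audit the Azure AD service principal that ABM federation creates.
# Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules.
param(
    # Assumption: the enterprise app shows up under this display name.
    [string]$AppDisplayName = "Apple Business Manager"
)

# Read-only scopes are sufficient to inspect the app and its consent grants.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" | Select-Object -First 1
if (-not $sp) {
    throw "No service principal named '$AppDisplayName' found; check the Enterprise applications blade for the exact name."
}

# The portal's "User Assignment Required" toggle is the AppRoleAssignmentRequired property.
# $false means every user in the tenant can sign in through this app without being entitled.
[PSCustomObject]@{
    DisplayName            = $sp.DisplayName
    AppId                  = $sp.AppId
    AccountEnabled         = $sp.AccountEnabled
    UserAssignmentRequired = $sp.AppRoleAssignmentRequired
}

# Delegated permissions consented to this app, per resource (e.g. Microsoft Graph).
# ConsentType "AllPrincipals" means an admin consented on behalf of the whole tenant.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [PSCustomObject]@{
        Kind        = "Delegated"
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType
        Permissions = $g.Scope.Trim()
    }
}

# Application permissions (app role assignments), with the role GUID resolved to its
# readable value on the resource's own service principal.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [PSCustomObject]@{
        Kind        = "Application"
        Resource    = $a.ResourceDisplayName
        ConsentType = "Admin"
        Permissions = $role.Value
    }
}
```

Run it from an account with at least the Global Reader or Application Administrator role; the third table is what you compare against the permission list the post refers to, and the first table tells you whether sign-in is open to every user (the "no" the post describes) or restricted to assigned users.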

Conceptually, it's all pretty basic. You log into an iOS device with your work email, it redirects to Azure for your authentication, and then like magic your device is now using a Managed Apple ID owned by your company.

What are some potential uses for Managed Apple IDs?

Like most technologies, it entirely depends on your industry and what you’re trying to accomplish. A few use-cases that I can think of for managed Apple IDs are:

  • Shared iPads
  • Store Accounts that need to use Apple Services e.g. you’re already delivering apps via VPP but want to do FaceTime across retail stores or use iMessage.
  • Corporate Devices that aren't using Device-Based Assignment for VPP (Yeah, I don't know why they would be either)
  • Low-tech organizations that want to protect Apple ID credentials and perform white-glove services for their business partners (E.g. password resets)
  • DLP controls for iCloud Drive
  • Collaborating with iWork, Notes, and the suite of Apple Services

I think we can agree that overall there is definitely major value to be had, but first impressions are that this is truly still a 1.0 offering. I have found several gaps and I have heard of several others from trusted engineers around the mobility family. Let’s close things out by discussing that more.

The Clear Gaps with Managed Apple IDs

I was so excited when I saw “integrate with Azure AD woohoo!!!”, but once I really dug into things it became fundamentally disappointing. Let’s list a few of those:

  • You cannot use Azure-integrated Managed Apple IDs to log into Apple Business Manager
  • You cannot integrate domains that have existing users that are admins in Apple Business Manager
  • You cannot map users to roles via Azure provisioning

These are just a few, but WOW! How do you offer SSO but not let the most important people use SSO (the people with the keys to the kingdom)? This was absolutely baffling to me overall and hugely disappointing. There are certainly other gaps as well that I found, such as User Enrollment devices not being able to use iOS SSO powered by Kerberos, which does make the offering fall a bit flat.

What I love about Managed Apple IDs

So let’s talk a bit about what I love about Managed Apple IDs for business users. I think we should truly focus on how good it can be in the right circumstances. These are a few of my favorites:

  • User Enrollment Devices can have a personal Apple ID and a managed Apple ID for true separation.
  • Employees can search for each other more easily through the account lookup feature
  • You can delegate access/permissions easily in ABM so that only the support staff of an individual office can manage accounts
  • Several levels of RBAC to truly achieve some of the major security tenets e.g. least privilege.
  • Apple disables many different services for these accounts, like Find My iPhone and Apple Pay, which minimizes the attack surface and simplifies supportability.

In Closing

Apple is definitely onto something with this offering. They created them with Education in mind and are trying to pass that value onto their enterprise customers, similar to Apple School Manager. It may not have everything that we need yet, but I believe with time it will get there.

At its core, many of the hot button issues in tech are being addressed here e.g. automated provisioning of user accounts, single sign-on, privacy, and security. That can only be a good thing. It’s up to US to capitalize on technology and translate it into a tangible value for our organization.
