Managed Apple ID security
Managed Apple IDs function much like an Apple ID but are owned and controlled by enterprise or educational organisations. These organisations can reset passwords, limit purchasing and communications (such as FaceTime and Messages) and set up role-based permissions for employees, staff members, teachers and students.
For Managed Apple IDs, some services are disabled (for example, Apple Pay, iCloud Keychain, HomeKit and Find My).
Inspecting Managed Apple IDs
Managed Apple IDs also support inspection, which allows organisations to comply with legal and privacy regulations. An Apple School Manager administrator, manager or teacher can inspect specific Managed Apple ID accounts.
Inspectors can monitor only accounts that are below them in the organisation’s hierarchy. For example, teachers can monitor students; managers can inspect teachers and students; and administrators can inspect managers, teachers and students.
When inspecting credentials are requested using Apple School Manager, a special account is issued that has access to only the Managed Apple ID for which inspecting was requested. The inspector can then read and modify the user’s content stored in iCloud or in CloudKit-enabled apps. Every request for auditing access is logged in Apple School Manager. The logs show who the inspector was, the Managed Apple ID the inspector requested access to, the time of the request and whether the inspection was performed.
Managed Apple IDs and personal devices
Managed Apple IDs can also be used with personally owned iOS and iPadOS devices and Mac computers. Students sign in to iCloud using the Managed Apple ID issued by the institution and an additional home-use password, which serves as the second factor of the Apple ID two-factor authentication process. While students are using a Managed Apple ID on a personal device, iCloud Keychain isn’t available and the institution might restrict other features such as FaceTime or Messages. Any iCloud documents created by students when they are signed in are subject to audit as described previously in this section.