How to create Managed Apple ID accounts
Managed Apple IDs are special school-created and school-owned accounts that provide enhanced access to Apple services. They are available to any school, college or university enrolled in Apple School Manager.
Institutions can make these IDs available to staff and students to use for educational purposes across a variety of Apple devices and services. Managed Apple IDs are unique to your institution and are separate from the consumer-facing Apple IDs you can create for yourself. If you are a datajar.mobi customer, we can link your current instance with your Apple School Manager and unlock the Managed Apple ID functionality.
To ensure a successful implementation of Managed Apple IDs, there are a number of prerequisites to be met and behaviours to understand. To help with this, we have prepared a list of useful tips in this article.
Uploading and syncing of school data into Apple School Manager
Apple School Manager relies on importing data from your local School Information System (SIS). This data includes user rosters, student and teacher lists, class information and registers. Although it is possible to craft and upload this data manually, we strongly recommend using an automated system for this.
If your SIS does not have an option to synchronise with Apple School Manager, you can use a third-party solution, such as Salamander.
Another useful tip, if you are considering a SIS synchronisation, is to prepend “SIS – ” to the location name to avoid confusion with existing locations.
Updating of school data in Apple School Manager and datajar.mobi
Data from your SIS will be synced into Apple School Manager, on the schedule configured in your syncing solution. Data from Active Directory is pulled into your datajar.mobi instance on demand, as required.
If you are an existing datajar.mobi customer, data from Apple School Manager is pulled into your instance every 24 hours at 08:00. This can also be manually updated on request.
Federated Authentication with Microsoft Azure AD
The ability to federate a Microsoft Azure AD domain with your Apple School Manager instance greatly extends the functionality of Managed Apple IDs. This feature has been available since early 2019 and allows you to utilise a user’s Microsoft Azure AD credentials (email address and password) to log into their assigned iPad or Mac and iCloud on the web. Students can also use it to sign in on Shared iPad. These accounts will be automatically created in Apple School Manager, with the user’s email address becoming their Managed Apple ID.
There are two scenarios where this can be used:
Federated authentication only
Users will be able to log into devices with their Microsoft Azure AD credentials as above, however, there will be no classes or roster data.
Federated authentication with users from other sources
Users will be able to log into devices with their Microsoft Azure AD credentials as above, but data for classes and rosters will be populated from your SIS data source as previously mentioned.
Requirements for Federated Authentication with Microsoft Azure AD
In order to configure Federated Authentication with Microsoft Azure AD, you will require the following:
- All users must have an email address
- Details of the Microsoft Azure AD domain that will be used with Apple School Manager Federation
- Username and password of a Microsoft Azure AD account that:
  - Is a Global Administrator, Application Administrator, or Cloud Application Administrator account
  - Has permission to add domains in Microsoft Azure AD
  - Is in the domain to be federated
Managed Apple ID Username Options
As part of the user synchronisation/creation process in Apple School Manager, each account will be given an Apple ID (specifically a Managed Apple ID or MAID). By default, Apple School Manager will add “appleid.” to each user’s email address, for example:
j.bloggs@domain.com becomes j.bloggs@appleid.domain.com
This avoids clashes with consumer Apple IDs that users may already have linked to an email address at your domain. The option can be disabled, but we strongly recommend it is used.
We strongly advise our customers to consider and take decisions on the above prior to starting the integration work.
Linking of users in Active Directory and your School Information System
In order to link users in your Active Directory to your students and staff in Apple School Manager, we need to map a value. This can either be:
- AD username
- Email address
These values would need to be present and correct in both your Active Directory and your SIS, as well as the data synchronised into your Apple School Manager instance.
Example 1:
Email address in AD: j.bloggs@domain.com
Email address in SIS: j.bloggs@domain.com
Mapping value: email address
Example 2:
Username in AD: j.bloggs
Username in SIS: j.bloggs
Mapping value: username
Example 3:
Email address is: j.bloggs@domain.com
MAID: j.bloggs@appleid.domain.com
Mapping value: starts with email address
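The three mapping rules above, together with the default "appleid." prefix described earlier, as an added example (not dataJAR's or Apple's code). The AD and Apple School Manager records are constructed for illustration; the field names sAMAccountName, mail, username, email and managed_apple_id are assumptions about how your exports are labelled, and the user with no email address is included to show the prerequisite check.

```python
# Constructed sample records: one per user from Active Directory and from
# Apple School Manager. Field names are assumed, not a real export format.
AD_USERS = [
    {"sAMAccountName": "j.bloggs", "mail": "j.bloggs@domain.com"},
    {"sAMAccountName": "a.smith", "mail": "A.Smith@Domain.com"},  # case differs
    {"sAMAccountName": "no.mail", "mail": ""},  # violates "all users need an email"
]
ASM_USERS = [
    {"username": "j.bloggs", "email": "j.bloggs@domain.com",
     "managed_apple_id": "j.bloggs@appleid.domain.com"},
    {"username": "a.smith", "email": "a.smith@domain.com",
     "managed_apple_id": "a.smith@appleid.domain.com"},
]


def managed_apple_id(email: str) -> str:
    """Apply Apple School Manager's default 'appleid.' prefix to the domain part."""
    local, _, domain = email.strip().lower().partition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}@appleid.{domain}"


def link_users(ad_users, asm_users, mapping):
    """Return ({AD username: Managed Apple ID}, [unmatched AD usernames]).

    mapping is 'email' (Example 1), 'username' (Example 2) or 'maid_from_email'
    (Example 3: the MAID is derived from the email address). Comparison is
    case-insensitive because AD and SIS exports rarely agree on letter case.
    """
    asm_field = {"email": "email", "username": "username",
                 "maid_from_email": "managed_apple_id"}[mapping]
    index = {u[asm_field].lower(): u["managed_apple_id"] for u in asm_users}
    linked, unmatched = {}, []
    for u in ad_users:
        if mapping == "username":
            key = u["sAMAccountName"].lower()
        elif mapping == "email":
            key = u["mail"].lower()
        else:  # derive the expected MAID; a missing email can never match
            key = managed_apple_id(u["mail"]) if u["mail"] else ""
        if key and key in index:
            linked[u["sAMAccountName"]] = index[key]
        else:
            unmatched.append(u["sAMAccountName"])
    return linked, unmatched
```

Run each mapping over your own exports and review the unmatched list before starting the integration: every name in it is a record to correct in AD or the SIS.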
Using Managed Apple IDs with Apple Shared iPads
If you wish to use Apple's Shared iPad mode (sometimes called Shared Personalised iPad), each device will need to be wiped, your enrolment workflow changed and the devices fully redeployed before they are usable.
Once enabled, students and staff will be able to log in with their Managed Apple ID address (not their username or email address) and the password generated in Apple School Manager (again, not their AD password or email password).
Using Managed Apple IDs with 1:1 Deployment
If you wish to use a 1:1 iPad model, users will need to log in to iCloud as below.
Students and staff will need to log in with their Managed Apple ID address (not their username or email address) and the password generated in Apple School Manager (again, not their AD password or email password).
More Information
- About Managed Apple IDs for education
- iCloud: About Managed Apple ID accounts
- Apple Education – IT & Deployment
- About federated authentication
For expert advice, or if you require assistance with enabling and configuring Managed Apple IDs, get in touch with the dataJAR team.