Do more with managed Apple IDs: https://developer.apple.com/wwdc23/10254

Managed Apple IDs now support:

* iCloud Keychain:
	- Allows companies, schools or institutions to use passkeys with iCloud Keychain
	Note: For more information, please see the "Deploy passkeys at work" session: https://developer.apple.com/wwdc23/10263
* App data sync with iCloud: Supports Messages, Stocks, News and Siri
* Wallet
* Continuity

To see what features are supported with Managed Apple IDs for business, please see the link below:

https://support.apple.com/guide/apple-business-manager/use-managed-apple-ids-axm78b477c81/web

To see what features are supported with Managed Apple IDs for schools, please see the link below:

https://support.apple.com/HT205918

You can be signed in with both a personal Apple ID and a Managed Apple ID on the same device.

Account-driven user enrollment:

Managed Apple IDs are needed for account-driven user enrollment for BYOD devices.
Note: For more information, please see the "Discover account-driven User Enrollment" session from WWDC 21: https://developer.apple.com/wwdc21/10136

Note: Profile-based user enrollment for BYOD devices is now deprecated.

An example configuration workflow for account-driven user enrollment is shown in the session video from 4:00 - 5:12.


Account-driven device enrollment:

Devices enrolled through account-driven Device Enrollment get:

* Most of the management capabilities of a profile-based Device Enrollment
* On-device separation of personal and work data

An example configuration workflow for account-driven device enrollment is shown in the session video from 5:42 - 6:50.

Managed Apple IDs can also be used for apps which use the "Sign in with Apple at Work and School" feature.

Works with apps on the following platforms:

iOS
iPadOS
macOS

An example workflow for the "Sign in with Apple at Work and School" feature is shown in the session video from 7:06 - 7:34.

Signing in with managed Apple IDs on macOS:

An example workflow for signing in with a Managed Apple ID on macOS is shown in the session video from 7:39 - 8:25.


New access management policies for managed Apple IDs in Apple Business Manager / Apple School Manager:

Policies are configured in ABM / ASM

Control managed Apple ID sign-in based on level of management

Default policy: Any Device (requires no management)

Effect: Allows managed Apple ID to sign in on any device.

Other policies available:

Managed Devices Only

Effect: Allows managed Apple ID to sign in only on managed devices.

Supervised Devices Only

Effect: Allows managed Apple ID to sign in only on supervised devices.

New controls added for Messages and FaceTime
	- Can restrict Messages and FaceTime to accept messages and calls only from those in your organization
	- Can disable Messages and FaceTime entirely
New controls added for Xcode and the Apple Developer Site
	- Note: No further details on these controls, so I'm going to investigate further on this topic.

iCloud can be disabled for any of the supported apps and services for Managed Apple IDs.

An example workflow for disabling iCloud services for Managed Apple IDs is shown in the session video from 12:22 - 12:47.

The new Access Management controls will be available later this summer as beta features in Apple Business Manager and Apple School Manager.

Apple Business Manager / Apple School Manager federation with Identity Providers:

Supports:

Azure AD
Google Workspace

Adding support for:

OpenID Connect - federated authentication
System for Cross-domain Identity Management (SCIM) - directory sync
OpenID Shared Signals Framework - account security events

If an Identity Provider supports all three standards, it should be able to federate.

Okta is working on becoming a supported Identity Provider for federation.