Extending Access Management for Apple Services: Beyond Federated Authentication

Apple Business Manager, combined with Microsoft Entra ID, lets you use federated authentication so that employees sign in to Apple services with the same credentials they already use in your directory. Integrating the two platforms lets you apply your existing identity policies to Apple sign-ins, streamline authentication, and keep user management in one place. In this article, we will explore the benefits and features of federated authentication in Apple Business Manager and how it can help improve your business security.

The Importance of Business Security

Ensuring the security of your enterprise's sensitive data and information should be a top priority. Cyber threats and breaches continue to loom, making it crucial to implement robust security measures. Without proper security protocols in place, your organization can face significant financial losses, reputational damage, and legal consequences.

Federated authentication is a powerful solution that can enhance your security. By implementing federated authentication in Apple Business Manager, you can establish a secure and streamlined authentication process for your employees.

In addition to protecting your assets, federated authentication also simplifies the user experience. Employees can use their existing credentials to access multiple applications and platforms, eliminating the need for multiple passwords and reducing the risk of password-related security vulnerabilities.

Understanding Federated Authentication

Federated authentication is a method that allows users to access multiple applications and platforms with a single set of credentials. Instead of having separate usernames and passwords for each system, federated authentication enables users to sign in once and gain access to all authorized resources.

In the context of Apple Business Manager, federated authentication means that a user's Managed Apple ID is linked to the account in your directory (Entra ID), and the user signs in to Apple services with that account's username and password rather than with a separate Apple password. When a user attempts to sign in, they are redirected to the identity provider (IdP), where they enter their credentials and satisfy whatever policy the IdP enforces, such as multi-factor authentication. The IdP verifies the user's identity and issues a digitally signed token (a SAML assertion or an OpenID Connect ID token, depending on the protocol in use). The token is returned to the application, which validates its signature and the claims it carries before granting access.

How ABM Enhances Security

Apple Business Manager is a comprehensive solution that not only simplifies management of your organization's Apple devices but also enhances security through federated authentication. By utilizing this powerful feature, you can reinforce your business's security measures in multiple ways.

Firstly, with federated authentication, your employees no longer need to remember and manage a separate Apple password alongside their directory credentials. That removes one more password that could be weak or reused, reducing the chances of unauthorized access to your company's resources. Furthermore, because every sign-in to Apple services is now performed by the identity provider (IdP), the controls you already enforce there, such as multi-factor authentication, Conditional Access and account lockout, apply to Apple sign-ins as well: the IdP verifies the user's identity before issuing a digitally signed token, and disabling the account in the IdP blocks new Apple sign-ins.

Additionally, Apple Business Manager supports industry-standard protocols: federated sign-in with your identity provider, and SCIM 2.0 for directory sync (user provisioning). This compatibility makes it easier to implement and manage federated authentication alongside the rest of your identity tooling.

Let's now walk through the step-by-step process of implementing federated authentication in Apple Business Manager, and then explore some of its new beta features in greater detail.

Implement Federated Authentication in ABM

Now that we understand the importance and benefits of federated authentication in enhancing business security, let's dive into the step-by-step process of implementing this feature in Apple Business Manager.

To add the Apple Business Manager Entra ID app to a Microsoft tenant, a tenant administrator must complete the federated authentication setup in Apple Business Manager, including a test sign-in. Once the test sign-in succeeds, the Apple Business Manager Entra ID app appears in the tenant, and the administrator can federate domains and configure Apple Business Manager to use SCIM (System for Cross-domain Identity Management) for directory sync.

Prepare ABM for Federation

To use Managed Apple IDs, you must verify the domains you want to use, or you can use the reserved domain. The verification process proves that your organisation controls the Domain Name System (DNS) records for the domain, which is what stops another organisation from claiming your users' email domain.

  • In Apple Business Manager, sign in as a user that has the role of Administrator or People Manager.
  • Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
  • Select Edit in the Domains section, select Add Domain, add the domain you want to use, then select Continue.
  • Select Verify next to the domain. A TXT record appears and you’ll receive an email saying that the domain you selected is now attempting to be verified.
💡
You have 14 calendar days to complete the verification process. The TXT record contains a string with random characters at the end, for example, “apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS”.
  • Select Copy, then add the record to the domain's public DNS zone (the zone external resolvers see, not an internal-only zone).
  • After the TXT record is added and has propagated, finalise the verification process.

Finalise the Verification Process

  1. In Apple Business Manager, sign in as a user that has the role of Administrator or People Manager.
  2. Select your name at the bottom of the sidebar, select Preferences, then select Accounts.
  3. Locate the domain whose TXT record was added, then select Check Now.
  4. After a domain has been successfully verified, you can remove the TXT record from the zone file.
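Before selecting Check Now it is worth confirming that the TXT record is actually visible from the public internet, since Apple resolves it from outside your network and a record that only exists in an internal zone will never verify. The following script is an added example, not part of the original article or of Apple's tooling: it builds a DNS TXT query with the standard library, parses the answer (including values that the zone splits into several 255-byte chunks), and looks for the apple-domain-verification token. The domain name, the resolver address and the token values are placeholders; make_txt_response only builds a constructed packet so the parser can be exercised offline.

```python
"""Check that an apple-domain-verification TXT record is visible in public DNS.

Standard library only. Domain, resolver and token values are placeholders.
"""
import random
import socket
import struct
from typing import List, Optional

QTYPE_TXT = 16
QCLASS_IN = 1
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard query (RD=1) for the TXT records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_txt_records(pkt: bytes) -> List[str]:
    """Collect TXT values from the answer section, re-joining chunked RDATA."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & RCODE_MASK:
        raise ValueError(f"DNS error, rcode={flags & RCODE_MASK}")
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip qtype + qclass
    values = []
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype != QTYPE_TXT:
            continue
        chunks, p = [], 0
        while p < len(rdata):  # RDATA is a sequence of <len><chars>; long values are split
            n = rdata[p]
            chunks.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        values.append("".join(chunks))
    return values


def find_verification_token(txt_values: List[str]) -> Optional[str]:
    """Return the token from an apple-domain-verification=... record, if any."""
    for value in txt_values:
        if value.startswith("apple-domain-verification="):
            return value.split("=", 1)[1]
    return None


def make_txt_response(name: str, records: List[List[str]], txid: int = 1) -> bytes:
    """Build a minimal answer packet from constructed data, for offline testing only."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    for chunks in records:
        rdata = b"".join(bytes([len(c)]) + c.encode("ascii") for c in chunks)
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + body


def query_txt(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> List[str]:
    """Ask a public resolver, because Apple checks the record from outside your network."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        pkt, _ = sock.recvfrom(4096)
    if struct.unpack("!H", pkt[:2])[0] != txid:
        raise ValueError("transaction ID mismatch, discarding reply")
    return parse_txt_records(pkt)


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder domain
    token = find_verification_token(query_txt(domain))
    print(f"{domain}: " + (f"verification token {token}" if token else "no apple-domain-verification record"))
```

Run it with your domain as the argument; if it reports no record while your internal `dig` shows one, the record was added to the wrong zone or has not propagated yet, and Check Now will fail for the same reason.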

Copy SCIM Token from ABM

  1. In Apple Business Manager, sign in as a user that has the role of Administrator or People Manager.
  2. Select your name at the bottom of the sidebar, select Preferences, then select Directory Sync.
  3. Select Connect next to SCIM, carefully read the warning, select Copy, then select Close.
💡
Leave this window open so you can copy the tenant URL from Apple Business Manager into Entra ID. The token is a bearer credential that grants write access to your Managed Apple IDs: paste it directly into Entra, do not leave copies in tickets or chat, and generate a new one if it is ever exposed.

Configure Automatic User Provisioning to ABM

  • Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
  • Browse to Identity > Applications > Enterprise applications (provisioning is configured on the enterprise application, not on an app registration).
  • Search for the Apple Business Manager app (you will see the Apple Business Manager icon) and open it.
  • Select Provisioning in the sidebar, then select Get Started.
  • Set the Provisioning Mode to Automatic.
  • Under the Admin Credentials section, enter the SCIM 2.0 base URL and Access Token values retrieved from Apple Business Manager in Tenant URL and Secret Token respectively.
  • Select Test Connection to ensure Microsoft Entra ID can connect to Apple Business Manager.
Connection is successful
💡
It can take up to 60 seconds for Apple Business Manager to reflect the latest connection status.
  • In the Notification Email field, enter the email address that should receive provisioning error notifications, and tick "Send an email notification when a failure occurs".
  • Under the Mappings section, select Synchronize Microsoft Entra users to Apple Business Manager and review which attributes are sent.
  • Define the users and/or groups that you would like to provision to Apple Business Manager by choosing the desired value for Scope in the Settings section. "Sync only assigned users and groups" limits provisioning to the groups you assign to the app, which is the safer choice; "Sync all users and groups" pushes the entire directory.
  • Select Save, then start provisioning from the Provisioning overview.
  • Check the progress bar to see the status of the provisioning cycle and how close it is to completion.
Status of provisioning cycle
Federation Status.
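When Test Connection fails, the Entra UI gives little detail about whether the token, the tenant URL or the endpoint itself is the problem. The script below is an added example, not code from the article, from Apple or from Microsoft: it issues the standard SCIM 2.0 filtered /Users query (RFC 7644) against the tenant URL with the token as a bearer credential, which is the same kind of request a provisioning connection test relies on, and classifies the reply so you know what to fix. The base URL, the probe user name and the environment variable name are placeholders; the real tenant URL and token come from the Directory Sync window in Apple Business Manager.

```python
"""Probe a SCIM 2.0 endpoint with a bearer token, independently of Entra ID.

Standard library only. Base URL, probe user and env var name are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def probe_url(base_url: str, user_name: str = "probe@example.invalid") -> str:
    """RFC 7644 filtered query; the filter value is quoted and percent-encoded."""
    flt = urllib.parse.quote(f'userName eq "{user_name}"', safe="")
    return f"{base_url.rstrip('/')}/Users?filter={flt}"


def classify(status: int, body: bytes) -> str:
    """Map the raw HTTP result to the cause an operator should look at first."""
    if status in (401, 403):
        return "token rejected: expired, regenerated in ABM, or pasted incompletely"
    if status == 404:
        return "not found: tenant URL is wrong or missing its path"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "HTTP 200 with a non-JSON body: the URL is not a SCIM endpoint"
    if not isinstance(doc, dict) or LIST_RESPONSE not in doc.get("schemas", []):
        return "HTTP 200 but not a SCIM ListResponse"
    return f"ok: SCIM endpoint answered, {doc.get('totalResults', 0)} matching user(s)"


def check_connection(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Send the probe with the token as a bearer credential and classify the reply."""
    req = urllib.request.Request(
        probe_url(base_url),
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a useful body
        return classify(err.code, err.read())


if __name__ == "__main__":
    import os
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://scim.example.invalid/v2"  # placeholder
    token = os.environ.get("ABM_SCIM_TOKEN", "")  # read from the environment, never hard-code it
    if not token:
        sys.exit("set ABM_SCIM_TOKEN to the token copied from Directory Sync")
    print(check_connection(base, token))
```

The token is read from an environment variable rather than typed on the command line so that it does not end up in shell history; for the same reason, do not keep this script's output in a ticket if you ever print the token for debugging.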

At this point, we've successfully set up federated authentication and directory sync between Entra ID and Apple Business Manager, and it's time to look at some of the beta features Apple is previewing. These beta functionalities let you help Apple evaluate them before general release. By testing them in a non-production environment with a small group of users, you can make sure your organization is prepared to support your workforce once these features graduate from beta.


Exploring Beta Features After Federated Authentication

To enable Beta Features in ABM, follow the below steps:

  1. In Apple Business Manager, sign in with your account.
  2. Select your name at the bottom of the sidebar, select Preferences, then select Beta Features.
  3. Do one of the following:
    • If any user from this organisation with AppleSeed for IT administrator privileges has already accepted the AppleSeed for IT terms and conditions, select Enable to have the beta feature appear in Apple Business Manager.
    • If no user from this organisation has accepted the AppleSeed for IT terms and conditions, select Begin Enrolment, sign in to AppleSeed for IT, and accept the terms and conditions.
💡
Please note: once Beta Features is turned ON it CANNOT be switched off again. Do not proceed with the next steps in your PRODUCTION environment.

The new feature I am trying out today is customizing the user access to certain apps and services on managed and unmanaged devices using ABM.

Customise access to certain apps and services using ABM

If you want to control which Apple apps and services users signed in with a Managed Apple ID can use, Apple Business Manager allows you to do just that. As an Administrator or People Manager, you can customise app and service access for the organisation's Managed Apple IDs. For instance, you can enable particular iCloud features, define which apps may store data in iCloud, or restrict access to FaceTime and iMessage.

To further customise, you can choose what devices users can sign in to, and you can tailor their access to specific privacy and security features.

💡
A user’s Managed Apple ID is automatically signed out of all devices if any access feature is changed or if the device state does not meet the access management requirements.

Requirements

  • iOS 17, iPadOS 17
  • macOS 14
  • Rights to create policies and configurations in Intune (or your device management solution), since the managed and supervised device options depend on devices being enrolled

Access Management for Apple Services

Once activated, an Apple Services section appears under the Access Management tab. Any change made there applies to all users in the organisation.

These restrictions will only apply to devices running iOS 17, iPadOS 17, or macOS 14 Sonoma. Users on devices with older operating systems won't be able to sign in, or will be automatically signed out.

Beta-specific issues to be aware of:

  • Changes to iCloud service permissions will only take effect upon a user's next sign-in. Users already signed in must log out and log back in on their device to receive the updated policy.
  • If a user is logged in on a device that fails to meet your designated device management criteria, they may be logged out after a delay of up to 24 hours.

Manage iCloud Features & Access

You can customise any of the features below to meet your business requirements. This includes deciding which devices a user can sign in to with their Managed Apple ID:

  1. Any device: The user can sign in on any device, regardless of whether the device appears in Apple Business Manager.
  2. Managed devices only: The serial number of the device must appear in Apple Business Manager and the device must be managed by your device management solution (Intune in this setup).
  3. Supervised devices only: The device must be supervised (which implies it is managed) and its serial number must appear in Apple Business Manager.

Below are the steps to configure the access:

  • In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
  • Select Access Management  in the sidebar, then select Apple Services .
  • Select iCloud, then select what devices users can sign into with their Managed Apple ID:
          • Off
          • Any device (default)
          • Managed devices only
          • Supervised devices only
  • Select Collaboration, then turn on the ability for users to collaborate on files created using Keynote, Numbers and Pages, and whether to allow those files to be accepted automatically.
          • Anyone (default)
          • Organisation only
          • Off
          • Auto Accept Files
  • Select iCloud from the top, then choose which of the following iCloud features remain available:
          • iCloud Drive: Users can store data in iCloud Drive.
          • iCloud Keychain: Users can store their passwords and passkeys in iCloud Keychain.
          • iCloud Backup: Users can use iCloud Backup to back up their devices.
          • App data in iCloud: Choose which apps may store their data in iCloud.

Manage user access to FaceTime & iMessage

By default, users who sign in with a Managed Apple ID can access FaceTime and iMessage. You can modify that access.

      • FaceTime: FaceTime (both audio only and video) can be turned off, allowed only with other users in your organisation, or allowed with anyone inside and outside of your organisation.
      • iMessage: iMessage can be turned off, allowed only with other users in your organisation, or allowed with anyone inside and outside of your organisation. Note: If iMessage is turned off, users can still send and receive SMS/MMS messages.

Steps to configure:

  • In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
  • Select Access Management  in the sidebar, then select Apple Services .
  • Select FaceTime, turn it off or on. If you turn it on, select one of the following:
          • Anyone (default)
          • Organisation only
  • Select Apple Services from the top, select Messages, turn it off or on. If you turn it on, select one of the following:
          • Anyone (default)
          • Organisation only

Choose what devices users can sign in to

You can choose what devices users can sign in to with their Managed Apple ID.

  • In Apple Business Manager , sign in with an account that has the role of Administrator or People Manager.
  • Select Access Management  in the sidebar, then select Apple Services .
  • Select 'Allow Managed Apple ID on', then select one of the following:
    • Any device (default): The user can sign in on any device, regardless of whether the device appears in Apple Business Manager.
    • Managed devices only: The serial number of the device must appear in Apple Business Manager and the device must be managed by your device management solution.
    • Supervised devices only: The device must be supervised and the serial number of the device must appear in Apple Business Manager.

End User Experience


Conclusion

Integrating federated authentication with Apple Business Manager and Microsoft Entra ID offers a robust and streamlined way to improve business security. It simplifies the user experience by giving users single sign-on to Apple services with their directory credentials, and it places every Apple sign-in behind the controls your identity provider already enforces. The integration uses standard protocols, which makes it compatible with existing tooling and straightforward to implement. In addition, Apple Business Manager's beta Access Management features let you decide which devices Managed Apple IDs may sign in on and which Apple services they can use, giving you the flexibility to meet specific security and usability requirements. With cyber threats on the rise, these integrated features are a worthwhile addition to your organization's security posture.