Make an App available to managed appleid

We have recently done a domain capture with Apple Business Manager. We have no intention of rolling out an MDM. How do we make apps available on macOS to the users now using Managed Apple IDs? It's a free app and I set it up in Apple Business Manager, or so I thought, but the word Get is still greyed out on the Mac.


Again, we do not want an MDM solution.

Posted on Dec 13, 2024 12:26 PM

4 replies

Dec 14, 2024 8:00 AM in response to Jeremybme1

You may not want an MDM, but the only way to distribute apps through the volume purchase program is to have an MDM.


You must understand the difference between ABM and an MDM. ABM is a binding association between your business and Apple and it establishes chain of custody for hard (Macs, iPads, iPhones, etc.) and soft (App Store apps, books) assets. ABM is about establishing and enforcing custody. ABM is not about managing those hard or soft assets. Management is provided by an MDM. Proof of ownership/control is provided by ABM.


Next, you have entered into the second realm of ABM... identity. By creating Managed Apple IDs (MAIDs), you are establishing a chain of custody to an identity. This is true if you did this the right way by federation and sync, or the hard way by manually creating MAIDs. In either case, the MAIDs created in ABM are linked via chain of custody to your business and you have the right and the ability to reclaim them once a staff member leaves. Regular Apple IDs, even those created with your domain, follow the user when the user moves on. The user leaves, the ID goes with them. You have no rights to the ID.


Ah, but MAIDs have limitations. The one that is impacting you is that a MAID cannot have payment information associated to it. No payment info, no participation in stores. Scroll down on this page to Content Availability. But read the entire article to understand the limitation of MAIDs.


You have two options. And I suspect you don't want to hear either. (1) Deploy an MDM. Your problems are solved. Well, your app distribution problems are solved at least. I tell all my customers... Deploying an MDM makes everything easy. Deploying an MDM is hard. But it is the right thing to do. (2) Allow users to log into devices with personal Apple IDs. This is a terrible idea because the apps belong to the user, not the company, the personal Apple ID will allow activation lock (Find My) to be associated to the person's personal Apple ID (which means if the employee leaves the device may be left activation locked and bricked unless you go through the proof of ownership process with Apple - or the employee releases the device), and you will likely be granting the employee access to too many features - don't get me started on how large a data leaker iCloud Desktop and Documents is.


Hope this helps. If you need help setting up an MDM, I encourage you to find a qualified consultant by using the Apple Consultants Network Finder.

Dec 14, 2024 12:28 PM in response to Jeremybme1

Bridging personal and business devices with Apple IDs is a delicate dance for any organization. If you are looking for handoff, universal control, continuity, iPhone mirroring, etc., the bottom line is you need the same Apple ID on each device. This is an architectural requirement but it does open a number of challenges.


For example, if you use personal Apple IDs, then you have no control and the business device is configured with an ID that may expose data and provide more services than intended on the work device. On the flip side, the employee may not want the personal ID on the device. If they leave and the business can access the home folder, the person's personal data may be exposed. It has risks on both sides of the desk.


On the other side, if you use MAIDs, then you are asking staffers to add a work-specific account to personal devices. This has its challenges as well since many employees are distrustful of anything a business asked them to do on personal devices, especially if there is no remuneration.


As for preventing personal Apple IDs (or, more logically, only allowing Managed Apple IDs on supervised devices), this is a topic that has been requested from Apple for some time. Send a feedback request so maybe it happens. You may get a lot out of this video. With MDM, you can stop all Apple IDs. But it would be great to allow only MAIDs. Maybe one day.


Hope this is helpful.
