Managed Apple Accounts may offer some benefits to workplace security, but teams will have to consider whether it’s worth the sacrifice to the end-user experience.
Apple devices rely on an Apple Account (formerly Apple ID) in order for various services and integrations to function (e.g., Find My), as well as to link software licenses purchased via the App Store. There are two distinct types of Apple Accounts which a device may be configured/associated with:
Personal Apple Account (default).
Managed Apple Account (configured through Apple Business Manager or Apple Business Essentials).
Increasingly, employees are taking their organization-owned devices (such as MacBooks) off-site to use in a work from home (WFH) context. This shift has resulted in a greater overlap of personal and work-related activity taking place on organization-owned devices. For this reason, many organizations are reevaluating whether to permit employees to use their personal Apple Accounts. Here, we’ll go over the various options for end-user Apple Accounts and the tradeoffs associated with each.
Dealing with Apple Accounts in a corporate environment
For 1Password Device Trust, we’re often asked to build Checks relating to the configured Apple Account on devices. The most common form this question takes is:
“I want to find individuals using a personal email address for their Apple Account.”
Typically, admins want to forbid the use of personal Apple Accounts in order to exercise greater control over their Apple devices. However, this task comes with a number of downstream effects which you should be aware of before deciding how to proceed.
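The check admins ask for above, written here as an added example rather than 1Password's own code: it parses the macOS `~/Library/Preferences/MobileMeAccounts.plist` (a constructed sample is embedded so it runs offline; the `Accounts`, `AccountID` and `LoggedIn` keys are assumed to match the real file's layout) and labels each signed-in Apple Account by its email domain. Note that a corporate-domain address can still be a Personal Apple Account (see Option 3 below), so this tells you the address, not whether the account is Managed.

```python
import os
import plistlib

# Constructed sample in the layout of ~/Library/Preferences/MobileMeAccounts.plist (real files are binary plists; plistlib.loads reads both forms).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key><string>jane.doe@example.com</string>
      <key>LoggedIn</key><true/>
    </dict>
    <dict>
      <key>AccountID</key><string>janedoe88@icloud.com</string>
      <key>LoggedIn</key><true/>
    </dict>
    <dict>
      <key>AccountID</key><string>old.account@example.com</string>
      <key>LoggedIn</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

def signed_in_accounts(plist_bytes: bytes) -> list:
    """Return the AccountID of every account currently signed in to iCloud."""
    data = plistlib.loads(plist_bytes)
    return [a["AccountID"] for a in data.get("Accounts", [])
            if a.get("LoggedIn") and "AccountID" in a]

def is_corporate(account_id: str, corporate_domains) -> bool:
    """True when the address's domain is one of the company's domains."""
    local, sep, domain = account_id.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() in {d.lower() for d in corporate_domains}

def check_device(plist_bytes: bytes, corporate_domains) -> dict:
    """Map each signed-in Apple Account to 'corporate' or 'personal'. A corporate
    domain proves only the e-mail domain, not that the account is Managed."""
    return {acct: "corporate" if is_corporate(acct, corporate_domains) else "personal"
            for acct in signed_in_accounts(plist_bytes)}

if __name__ == "__main__":
    path = os.path.expanduser("~/Library/Preferences/MobileMeAccounts.plist")
    raw = open(path, "rb").read() if os.path.exists(path) else SAMPLE_PLIST
    for acct, kind in check_device(raw, ["example.com"]).items():
        print(f"{acct}: {kind}")
```

On a Mac the script reads the real plist for the current user; elsewhere it falls back to the constructed sample.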
Before we dive into the request, let’s unpack Apple Accounts for a moment. As mentioned above, Apple Accounts are a tightly integrated component of the macOS and iOS experience, and understanding how they are used can help inform the scope of your security objectives.
What capabilities do Apple Accounts enable?
The syncing services provided via personal Apple Accounts are considerable due to the intended quality of life benefits they offer a normal home user:
iCloud Drive (Documents, Desktop, Photos): These synced user home directory folders allow a user to access documents they’ve saved via iCloud.
Find My: Allows a user to remotely locate a device in the event it becomes lost or stolen.
Calendar, Contacts, and Mail: These basic apps/services can be configured with both personal and work information.
Media and Purchases: Apps purchased through the App Store are associated with the Apple Account which purchased them, and can be transferred from device to device.
Why are personal Apple Accounts sometimes a concern for IT and security administrators?
There are a variety of reasons an IT or Security administrator may wish to limit or prohibit the use of personal Apple Accounts on company-provided devices. The following are some (but not all) possible reasons:
Shadow IT
Shadow IT describes personal or unmanaged applications or devices which are not within the purview of the IT or Security team at an organization.
A good example of Shadow IT would be an employee connecting their personal Dropbox account to their company laptop. An employer may worry that this personal Dropbox account could sync proprietary or sensitive organization data, with no ability for the company to know what was synced or to revoke access in the event the employee leaves the company.
Activation lock
Devices which have Secure Enclaves (T1 and T2 Intel Macs, all Apple Silicon Macs, and most iPads and iPhones) and are not enrolled in MDM have a feature called Activation Lock. This feature works with Find My to prevent a device from being recovered or reimaged without the express authorization of the registered Apple Account on the device. This can pose an issue if a company-owned device (with Find My enabled) is returned to an IT department, as the device will not be serviceable until that Apple Account has been disconnected or Find My has been disabled.
For this reason, Apple expressly recommends that personal users turn off Activation Lock when sending a device in for service or transferring ownership to another individual.
Software provisioning
When an end-user purchases software licenses through the Apple App Store using their personal Apple Account, the license is non-transferable and linked to their Apple Account. This means that if the software is intended to be used for work purposes, that license cannot be re-provisioned to another end-user if the existing end-user discontinues their employment.
Managed Apple Accounts: An alternative with restrictions
For a number of years, Apple has provided a more restricted version of the Apple Account for education environments through Apple School Manager. In 2018, Apple Business Program accounts became able to use Managed Apple IDs (now Managed Apple Accounts) as well. Managed Apple Accounts are provisioned, configured, and managed through Apple Business Manager, or through Apple Business Essentials (which is, broadly speaking, Apple Business Manager packaged with Apple’s own MDM solution).
Managed Apple Account restrictions
While Managed Apple Accounts are the only real alternative to personal accounts, they come with some real changes to the user experience.
iCloud restrictions
Find My is disabled.
Health is disabled.
iCloud Family Sharing is disabled.
iCloud Mail is disabled.
All iCloud+ services (e.g., Private Relay) are unavailable.
Apple Pay is unavailable.
Media & content restrictions
Media-related Apple services, subscriptions, and stores (e.g., Apple One, Apple Arcade, Apple TV+) are completely inaccessible with a Managed Apple Account.
In addition, users can browse but not purchase or download items in the App Store, iTunes Store, and Apple Books.
Instead, administrators must manually distribute apps through a Mobile Device Management (MDM) solution.
Individual and role-based restrictions
Managed Apple Accounts can also be assigned different role-based administration and denied access to certain other Apple services, like Apple Wallet, FaceTime, or Apple Developer content, depending on the company’s policies or the employee’s role.
BYOD device restrictions
The role that Managed Apple Accounts can or can’t play in BYOD scenarios is worth mentioning as well.
Employees using a personal macOS or iOS device can log into that device with multiple accounts, switching between their Managed and Personal Apple Account. However, this may disrupt workflows, and users requiring Windows or Linux devices will certainly have issues.
And for companies using an IdP and MDM solution, recent updates from Apple require User Enrollment for BYOD devices, in order to separate users' Personal and Managed Apple accounts from MDM management. This means that users can only enroll their personal macOS or iOS devices by using a Managed Apple Account. So even if your company allows for Personal Apple Accounts, you’ll need to provision Managed Apple Accounts for any users looking to enroll a personal device in your MDM.
Managed Apple Account benefits
Apple Account access can be provisioned, configured, managed, and revoked for onboarding/off-boarding purposes.
Apple Account passwords can be reset by an administrator if a user forgets their password.
App Store app licenses can be centrally managed, purchased, and distributed/re-provisioned as needed.
If iCloud FileVault recovery is configured, an administrator can recover FileVault without an escrowed key via Apple Account password reset.
Managed Apple Accounts can be restricted to only allow use on supervised or managed devices.
As you can see, there are a significant number of considerations to take into account (no pun intended) before deciding which path is best for your organization, and the level of control/restriction you wish to deploy.
What are my choices as an employer?
Option 1: Allow end-users to use their personal Apple Account with their work laptop.
We believe this is the best choice for organizations that do not have an explicit compliance requirement prohibiting Apple Account/iCloud usage. The risk of unauthorized data syncing is no greater than an employee uploading or emailing sensitive files via other services. If your organization uses an MDM solution, you can manage items such as Activation Lock and FileVault 2 Recovery without the need for a Managed Apple Account.
Option 2: Assign and configure Managed Apple Accounts for employees and require their usage on managed devices.
This will permit greater control by security and IT teams, at the cost of reduced or restricted end-user functionality.
Option 3: Use a personal Apple Account with a corporate email.
See below for why this is not recommended.
Why not to use personal Apple Accounts with company emails
Having an employee use their work email to sign up for a personal Apple Account might seem like an ideal workaround, but in reality, you get none of the benefits of a Managed Apple Account while negatively impacting the user experience of your employee (e.g., preventing them from installing apps from the App Store).
You will not be able to:
Centrally configure or manage company Apple Accounts.
Provision software.
Restrict which devices can log into the account.
Reset passwords.
Revoke access to any services or synced data when the employee leaves.
Furthermore, the employee will still be able to sync files and services to iCloud, purchase software licenses, Activation Lock their device, etc.
A caveat to these limitations
Some teams work around the limitations of Personal Apple Accounts configured via work email address by assuming they can access the employee’s email upon termination.
By accessing an employee’s work email (which they signed up for the Apple Account with), an administrator may be able to reset the password and delete any synced information, prevent the end-user from accessing that Apple Account, and ensure that any linked services requiring Apple Account authorization (e.g., Activation Lock) can be disabled by the administrator.
Final thoughts: choosing the right strategy
There is no perfect option here, and every route requires some tradeoffs between security, privacy, and user experience.
It is ultimately up to the IT or Security team to decide which path is best for their organization. Whatever you choose, 1Password Device Trust can then assist in identifying the Apple Accounts connected to a device, and notify users and admins if any do not match your policy.
Want to learn more about how 1Password Device Trust can help you tailor your access management policies? Reach out for a demo!