Automatically create Apple IDs for your users? Here's how!

Science and technology

In this (almost) comprehensive video, we look at how macOS and other Apple devices are integrated into the workplace, their growing popularity, and the central role of Microsoft Intune in managing them. We cover the move from the Apple Device Enrollment Program to the more capable Apple Business Manager (ABM), which streamlines assigning devices to an MDM, in this case Intune, so that they are up and running quickly.
The video addresses user management on Apple devices: an Apple ID is needed for App Store downloads and for Apple's cloud features. We discuss how organisations commonly handle Apple IDs today and propose a cleaner approach: syncing users from Azure AD (now Microsoft Entra ID) into Apple Business Manager so that each user gets a Managed Apple ID tied to their work identity.
The walkthrough covers verifying domains in Apple Business Manager, adding and verifying users, and why federating a domain matters: it lets users sign in to their Managed Apple ID with their work email address and Entra ID credentials. We also set up SCIM (System for Cross-domain Identity Management) for automatic user provisioning from Azure AD to Apple Business Manager.
The video is aimed at both Apple experts and IT admins new to Apple device management, and it invites viewers to share their own experiences and tips. It is intended for administrators who want to tighten up their device management and user authentication within the Apple ecosystem.
1:38: Verify your domain
3:45: Create a user
5:00: Azure AD / Entra ID Directory Sync
7:00: Entra ID Federation
10:15: Start Provisioning
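The SCIM half of the procedure above is the part that several comments below report has since disappeared from the Entra provisioning gallery, so it is worth seeing what a SCIM provisioning target actually has to implement. The following is an added example (not Apple's, Microsoft's or the video's own code): a minimal in-memory SCIM 2.0 /Users service with the create, filter-lookup and patch calls an identity provider makes, plus a small mapper from Entra/Graph user attributes (userPrincipalName, id, givenName, surname, accountEnabled) onto the SCIM core User schema. The attribute mapping, and the rule that only users from a verified domain are accepted, are assumptions for illustration; Apple Business Manager's real endpoint and mapping are not public, and the schema URNs, error envelope and case-insensitive userName comparison come from RFC 7643/7644.

```python
"""In-memory SCIM 2.0 /Users service standing in for the provisioning target
(RFC 7643 schema, RFC 7644 protocol). Added example; not Apple's or Microsoft's code."""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Single equality filter, the form an IdP uses to look up a user: userName eq "lucy@contoso.com"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')


def _error(status, detail, scim_type=None):
    """RFC 7644 s3.12 error envelope (status is a string in the body)."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    def __init__(self, verified_domains):
        # ASSUMPTION: only users from a domain verified in ABM are accepted.
        self.verified = {d.lower() for d in verified_domains}
        self.users = {}  # SCIM id -> resource

    def _find_by_username(self, user_name):
        # userName is caseExact=false in the core schema: compare case-insensitively
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create_user(self, payload):
        """POST /Users -> (http_status, body)."""
        if SCIM_USER not in payload.get("schemas", []):
            return _error(400, "core User schema missing", "invalidSyntax")
        user_name = payload.get("userName") or ""
        if "@" not in user_name:
            return _error(400, "userName must be the work email address", "invalidValue")
        domain = user_name.rsplit("@", 1)[1].lower()
        if domain not in self.verified:
            return _error(400, f"{domain} is not a verified domain", "invalidValue")
        if self._find_by_username(user_name):
            return _error(409, f"userName {user_name} already exists", "uniqueness")
        resource = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),
            "externalId": payload.get("externalId"),  # IdP object id, for re-matching
            "userName": user_name,
            "name": payload.get("name", {}),
            "active": bool(payload.get("active", True)),
            "meta": {"resourceType": "User"},
        }
        self.users[resource["id"]] = resource
        return 201, resource

    def list_users(self, filter_expr=None):
        """GET /Users[?filter=attr eq "value"] -> ListResponse."""
        matches = list(self.users.values())
        if filter_expr:
            m = FILTER_RE.match(filter_expr.strip())
            if not m:
                return _error(400, "unsupported filter", "invalidFilter")
            attr, value = m.groups()
            matches = [u for u in matches if str(u.get(attr, "")).lower() == value.lower()]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def patch_user(self, user_id, payload):
        """PATCH /Users/{id}: the replace op an IdP uses to update or deactivate."""
        if user_id not in self.users:
            return _error(404, f"user {user_id} not found")
        if SCIM_PATCH not in payload.get("schemas", []):
            return _error(400, "PatchOp schema missing", "invalidSyntax")
        for op in payload.get("Operations", []):
            # RFC 7644 spells ops lowercase; some clients send "Replace", so tolerate it
            if op.get("op", "").lower() != "replace" or op.get("path") not in ("active", "name"):
                return _error(400, "only replace of active/name is supported", "invalidValue")
            self.users[user_id][op["path"]] = op["value"]
        return 200, self.users[user_id]


def provision_from_entra(store, entra_users):
    """Map Entra user objects (Graph attribute names) to SCIM and create the ones
    not already present. Returns [(upn, http_status), ...]."""
    results = []
    for eu in entra_users:
        upn = eu["userPrincipalName"]
        _, listing = store.list_users(f'userName eq "{upn}"')
        if listing.get("totalResults", 0):
            results.append((upn, 200))  # already provisioned; an IdP would PATCH instead
            continue
        status, _ = store.create_user({
            "schemas": [SCIM_USER], "externalId": eu["id"], "userName": upn,
            "name": {"givenName": eu["givenName"], "familyName": eu["surname"]},
            "active": eu["accountEnabled"]})
        results.append((upn, status))
    return results
```

The 409 with scimType "uniqueness" is the protocol-level form of the "name conflict" the comments describe: a provisioning client that gets it must reconcile the existing account rather than create a second one, and it is also why the lookup-then-create flow in provision_from_entra runs the filter first. Deactivation arrives as a PATCH replacing active with false, not as a DELETE, which matters when you audit what your provisioning target does with leavers.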

Comments: 37

  • @RTB1910
    1 month ago

    SCIM is no longer available in Apple Business Manager :/ Is there another way to sync only specific users or groups?

  • @UnforgivingEnd
    6 months ago

    As someone who implements solutions like this for customers big and small - enabling federation to Azure AD/Entra ID will always be one of the biggest hurdles along the way. Usually companies will have had users manually create Apple IDs using the corporate domain, and then use them privately for years! Since enabling federation requires "claiming" any Apple ID usernames using the domain, this will result in a lot of prompts to the end user to change the username. A lot of users confuse this with "claiming" the entire account, which it doesn't - but since it's often C-level users who completely merge private and business..... then yeah, it becomes cumbersome when Apple does not provide an easy overview of which users this might be (even though it makes sense privacy-wise). This federation is usually our go-to implementation for customers of any size.

  • @DeanEllerbyMVP
    5 months ago

    Thanks for the comment - this (among others) prompted me to do an updated and more 'full' video. Appreciate you!

  • @jmanuelng
    5 months ago

    Excellent!

  • @spiritmorin
    6 months ago

    Visible to users. Thanks for that tip, I didn't know.

  • @akakumardinesh
    6 months ago

    Perfect ✌️

  • @ColemanWorld
    11 days ago

    This option is no longer there. When I go to Provisioning in Microsoft Entra, this is the message that comes up: "Out of the box automatic provisioning to Apple Business Manager is not supported today. Ensure that Apple Business Manager supports the SCIM standard for provisioning and request support for the application as described here. To determine if the application supports SCIM, please contact the application developer."

  • @marvnl
    6 months ago

    This is a very nice solution to manage Apple users, but I believe it is also very important to know what the limitations are from the user perspective. For example, with a Managed Apple ID you are not able to download and install apps from the App Store. Luckily I have set up Intune on our Apple devices, so the needed apps will be installed via the Company Portal.

  • @abuamin146
    6 months ago

    But this limitation is also a "feature", so that you can assign the needed apps via VPP.

  • @user-tt9yx8br9g
    5 months ago

    I found out this method has some limitations. A user logged in with a federated domain ID can't pair an Apple Watch, use Apple Wallet, or use some other quite useful features. Please bear that in mind.

  • @DeanEllerbyMVP
    5 months ago

    great info! thanks!

  • @Liam-fb4tu
    6 months ago

    Great video, thank you. We use federated Apple IDs and there are a few limits, such as 'Find My' not working and a few other native Apple features. Apple VPP tokens mean we can use the Company Portal as our App Store instead of the native one.

  • @DeanEllerbyMVP
    6 months ago

    Thanks for the info!

  • @aranbillen5954
    6 months ago

    Thank you for this! I'm curious whether it's possible to include the domain on an iPad, enabling users to sign into a shared device with their Apple ID/Azure account by simply typing the initial part, a bit like users log into Windows devices?

  • @DeanEllerbyMVP
    5 months ago

    yep! well, almost... support.apple.com/en-gb/guide/deployment/dep9a34c2ba2/web

  • @fortunatefaraz05
    1 month ago

    @DeanEllerbyMVP Is it possible to block adding corporate and personal Outlook or OneDrive accounts on an iOS BYOD device? Please advise how. Thanks

  • @mani2care
    6 months ago

    This is a really great video. Do you have any idea how to manage BYOD Mac devices via ABM with Jamf without DEP? They are all user-initiated enrollment devices.

  • @DeanEllerbyMVP
    5 months ago

    A BYOD mac wouldn't go via ABM. You just need to enrol the device into Intune or Jamf using one of the enrollment methods

  • @mani2care
    5 months ago

    @@DeanEllerbyMVP Yeah, I used user-initiated enrollment to Jamf, but I have company devices as well that I just want to manage like BYOD devices. Applications: they simply remove the MDM and all the apps stay on their Mac. I want to auto-remove them when the MDM is not

  • @jonlyons3601
    6 months ago

    Just an FYI, you didn't mention the big gotchas with Apple/ABM. To add existing devices to ABM they need to be wiped. If an account already exists on the domain you are federating, the user will be forced to set up a new email/Apple ID, and there's no way to migrate (easily) from an existing account to the new one. Additionally, ABM won't tell you who those users are; it only gives you the number of accounts affected. I ended up searching through everyone's email to find the affected users. :)

  • @DeanEllerbyMVP
    6 months ago

    Agreed. It is more complicated than I made it sound, especially for existing organisations. I wasn't trying to oversimplify, just show the 'ideal'. On the note of the accounts affected, I managed to get a list of affected users by downloading the failed synchronisation activity from ABM. It wasn't easy to find though!

  • @huizen82
    4 months ago

    Hi, you create a Managed Apple ID for Lucy. Question 1: But what if she created the Apple ID by herself? Does that also give a conflict? Question 2: And if she changes her e-mail address herself inside her Apple ID, is the conflict also solved?

  • @MrSam_Derp_Man
    3 months ago

    As soon as you federate the domain, users who already have an Apple ID will be prompted to change their Apple ID to something else that they like, within 60 days. After the 60 days (starting from the moment that you as the admin click the button) nobody will be able to create an Apple ID with that domain, because you as the business owner/IT admin restricted usage of that domain across the whole Apple ecosystem. Now a user needs to be synced back from Entra ID to ABM to be able to sign in with their Apple ID via Entra ID (redirected login to Microsoft). If you create a user account manually from within Apple Business Manager, or you give admin roles to that user, all redirects to Microsoft will be removed and you will need to manually create a sign-in and set up 2FA via SMS with Apple. (So only synced "staff" members can benefit from the federation.)

  • @Mkt6040
    6 months ago

    Great video. It would be good to do a part 2 of this video, to show whether the user gets an email notification after their account is auto-synced to ABM and what the email says. Also, if they already have a personal Apple ID with their work email address, what happens? And is the user enrolment experience on a new device any different if the user has a federated Apple ID? Lastly, what are the limitations and gotchas? Can they download apps from the App Store or only the Company Portal? Is iCloud backup available for them?

  • @DeanEllerbyMVP
    6 months ago

    You're right, there is much more to talk about on this topic and I will definitely cover it - or try to! I had already broken my 8 minute length rule on this one, so going any deeper on the topic was getting tricky. I'll make a follow up shortly!

  • @Mkt6040
    6 months ago

    Thank you. Great content as always

  • @mortenwiingreen9748
    6 months ago

    Hi Dean, great video. Nice and easy. I do have one question though. When I set up our domain and activate federation, it pops up and says that there are 114 name conflicts. So what happens to all of those accounts if I actually start to federate? :) I can see Apple will give the users 60 days to choose a new Apple ID so I can claim the e-mail address used. But how will this look from a user's perspective, and I do not know who it is. Do they keep all their apps and photos and stuff? What if they are supposed to use the company e-mail as their Apple ID? At the moment I do not dare to switch it on :)

  • @jonlyons3601
    6 months ago

    On the original account it's basically just changing the email, all the data/apps stay with that new account email. When they go to use the new federated account it's blank/new. So basically, the user is starting over.

  • @mortenwiingreen9748
    6 months ago

    @@jonlyons3601 Well, I kind of thought so. This might be why it could be difficult for us to implement now, after so many users have used our domain name privately. I just have to hope Apple gives us an option to keep user settings.

  • @UnforgivingEnd
    6 months ago

    @@mortenwiingreen9748 I have worked with clients where we encountered 300+ conflicts - the "claiming" of the conflicts won't claim any data, just the username - the issue is that a lot of users end up (either knowingly or not) using their "corporate" domain account for private stuff over a long period. If you are deploying this as internal IT, you should expect a fair bit of hand-holding for the users - if you are an MSP, consider informing the customer's service desk. Handling it won't be difficult for the most part, it's just a lot of calls - and the end users usually get very defensive about potentially personal data being involved.

  • @DeanEllerbyMVP
    5 months ago

    Hey. Hopefully you saw my updated video responding to your question - for anyone else: kzread.info/dash/bejne/n42O28yxg820nbw.html

  • @CGRealStudios
    6 months ago

    I've been meaning to do this at my organisation for some time, but I've always been concerned about what it will do to the existing organisation Apple ID accounts.

  • @surfacing
    6 months ago

    Good question. We have the same; in the past we created Apple IDs directly on the iPhones. Additional question: when the Apple IDs are created via ABM, can the users download any free app by themselves, or is it not allowed? As I remember, ABM is a little bit restricted.

  • @DeanEllerbyMVP
    6 months ago

    When you choose the domain, it checks for existing "personal" Apple IDs and gives you the information you need to resolve them. I'll put a video together showing how that looks!

  • @DeanEllerbyMVP
    6 months ago

    I believe they can download any free app they like.

  • @CGRealStudios
    6 months ago

    @@DeanEllerbyMVP Thanks Dean!

  • @jonlyons3601
    6 months ago

    @@DeanEllerbyMVP Following this as I'm in the same boat, especially how/if you can transfer the data from the old account to the new account.
