Apple Platform Deployment

Intro to Apple identity services
Apple provides your organization with various identity services, to help you manage passwords and user names securely—both across your workplace and in the cloud. Apple uses security measures like authentication, authorization, and identity federation, so that individual users can access their favorite apps and other resources without, for example, the additional hardship of setting up user names and passwords for each one.
Below is an overview of the key identity service methods—authentication, authorization, and identity federation—along with examples of how Apple uses them in identity services.
Authentication and associated Apple services
The first step in a security process is authentication. Authentication verifies the identity of the user to make sure it’s legitimate.
Apple uses many methods of authentication. With single sign-on and Apple services such as a personal Apple Account, Managed Apple Account, iCloud, iMessage, and FaceTime, users communicate securely, create documents online, and back up their personal data, all without compromising their organization’s data. Each service uses its own security architecture. In this way, Apple ensures secure handling of data (whether it’s on an Apple device or in transit over a wireless network), protects users’ personal information, and defends against malicious or unauthorized access to information and services. In addition, Apple devices include a built-in mobile device management (MDM) framework that MDM solutions use to restrict and manage access to specific services on those devices.
Authorization and associated Apple services
Whereas authentication proves who you are, authorization defines what users are allowed to do. For authorization to work, you provide a user’s name and password to an identity provider (IdP). In conceptual terms, the IdP is the “authority,” the user name and password are the “assertion” (because that person “asserts” their identity), and the data a user receives after successfully signing in is the “token.”
Apple employs many types of tokens and many types of assertions. Assertions that can be used include certificates, smart cards, and other multifactor devices.
Identity federation
Identity federation is the process of establishing trust between IdPs across security domains, so users can then move freely between systems while maintaining security. For identity federation to work, administrators must set up domains that trust each other, and they must agree on a single method to identify users.
A common example of identity federation is using your enterprise account to sign in to an IdP. For example, to help streamline the creation of Managed Apple Accounts for an organization, Apple has enabled federation between Apple School Manager or Apple Business Manager and an IdP, Google Workspace, or Microsoft Entra ID. Users can then use their existing IdP, Google Workspace, or Microsoft Entra ID accounts to sign in to iCloud or to sign in on Apple devices associated with Apple School Manager or Apple Business Manager. If a user isn’t challenged to assert their identity again, federation is being performed using single sign-on or a Kerberos Single Sign-on extension.