Handling Apple ID conflicts during Entra and Apple Business Manager Federation

Comments • 30

  • @mariocontreras8761
    @mariocontreras8761 3 months ago +2

    That's exactly where I was, and I was concerned about moving forward. Thank you!

  • @UnforgivingEnd
    @UnforgivingEnd 5 months ago +2

    Very happy to see a very quick response to feedback on a previous video - this was great! :)

  • @GaryRohrer
    @GaryRohrer 20 days ago

    Very helpful, now to figure out what to tell our 400+ conflicting users....

  • @KirubakaranVethamoorthi
    @KirubakaranVethamoorthi 2 months ago

    Thanks for the video. We are new to ABM, and some of our users (approx. 15) have personal Apple IDs using our company email address. So is it better that I ask them to change their Apple IDs before going forward with federated authentication?

  • @pedroluismartinez7019
    @pedroluismartinez7019 3 months ago

    Thanks for the video, it's very clear. Just a question: can I federate without resolving conflicts? I have an Entra ID ABM scope connection for a few users, but I'm afraid of what happens if I do the federation without resolving conflicts first. The scoped users do not have a personal Apple ID. Thanks and great job.

  • @chrisallison3
    @chrisallison3 4 months ago

    In the first video, you mentioned something about using conditional access to set up your Apple Device user group in Entra. Anything special there? I wasn't able to create that group correctly, so I just selected my test group users individually (under provisioning). Is this effectively the same thing? Also, thank you for these videos. They have lightened my burden immensely lol

  • @shadyss96
    @shadyss96 5 months ago +1

    Hello and thank you for putting this together. If I wanted to set up something like this in a lab setting, what would be required on the MS side?

    • @DeanEllerbyMVP
      @DeanEllerbyMVP 5 months ago

      On the MS side, you just need an Entra tenant with Entra ID Premium P1 and some users. You should probably use the Dev program to make that 0 cost. developer.microsoft.com/en-us/microsoft-365/dev-program
      From the Apple side, you need an actual registered business, with a number in Dun and Bradstreet, to use Business Manager. There is no way around that.

  • @MendocAWB
    @MendocAWB months ago

    Great video, but I’m a little confused. Don’t we want our users to sign in to our corporate-owned Apple devices with an Apple ID associated with the corporate email? Why is it prompting them to change it to a non-corporate email?

    • @wmuelver
      @wmuelver months ago +2

      That IS what they will be doing. The video describes the process to create that ability when there has already been a personal Apple ID created before the corporate Managed Apple ID is created. The reason it is prompting the user to change their Apple ID to a non-corporate email is because personal Apple IDs cannot be controlled by the corporation, and there cannot be two Apple IDs that use the same email address. When the user changes their personal Apple ID to a personal email address, or when the 60-day waiting period elapses, the corporate email address is released back to the corporation's control so that they can re-issue it in the form of a Managed Apple ID. Then the user will log out of their personal Apple ID and log in with their new Managed Apple ID, which now sports the corporate-owned and controlled email address.

    • @MendocAWB
      @MendocAWB 28 days ago

      @wmuelver Perfect! Thanks for the reply and clarification, really appreciate it. 😊

  • @cjax235
    @cjax235 4 months ago +1

    Thanks!

  • @jonlyons3601
    @jonlyons3601 5 months ago

    Thank you, wish I saw this first before I started with ABM. :) One last question and one you probably can't answer, but if you created an Apple MDM push certificate with an Apple ID, then claimed/federated that Apple ID, I'm guessing the cert stays with the original Apple user ID with a new email. So you may not be able to renew the cert? Guess will find out in a year when the cert expires. lol Same with any purchased apps, guess they need to re-purchase them.

    • @DeanEllerbyMVP
      @DeanEllerbyMVP 5 months ago

      Very good questions! I'll look at this and let you know what I find!

  • @cjax235
    @cjax235 4 months ago

    Brilliantly useful, as always. One q: in a situation where IT have told the user to create an Apple ID for lastcoffee, and then we need them to change it, what would be the best way to get the data from the now 'unofficial' account to the official account? I'm assuming it would be some third-party tool to move data between iCloud accounts?

    • @DeanEllerbyMVP
      @DeanEllerbyMVP 4 months ago

      Good question!
      There are supported methods for doing that. From Apple's perspective, the user's “unofficial” lastcoffee Apple ID was a personal one, so they won’t help you obtain that data, as you can imagine.
      I haven’t heard of any tools that will help you do it unofficially, but I’ll ask around!

    • @cjax235
      @cjax235 4 months ago

      Thank you! Thought that might be the case. @DeanEllerbyMVP

    • @augareth
      @augareth 3 months ago

      @DeanEllerbyMVP +1 needing to know this, we have years of Apple IDs and only planning on federating, so there will be lots of legitimate apps, purchases, backups that need to be "re-owned" back into the corp email ID. Pretty please? Your Mac focus is SOOOO appreciated!

    • @wmuelver
      @wmuelver months ago

      Yeah. Big mess. That is why IT should never do that. Some of the iCloud synced services will allow you to leave the data behind on the device if you turn off the sync for that feature before removing it. This way, when the Managed Apple ID logs in, it can sync that data. For anything that doesn't do that, you will probably have to transfer manually.

  • @themikerennie
    @themikerennie 4 months ago +1

    So if the user changes the email address as requested by Apple, they would need to wipe the device and then set it back up with the company email? Seems like you might just want to tell the users not to do anything and then wait 60 days for the account to be reclaimed. So long as they don’t have any personal data on it.

    • @DeanEllerbyMVP
      @DeanEllerbyMVP 4 months ago

      I think the outcome would be the same? Except if the user changes the email address they are in control of when that happens?

  • @davidegarbin4623
    @davidegarbin4623 26 days ago

    I am in this situation: the company where I work has 11 accounts with Microsoft 365, but they already use those emails to log into Apple to use their MacBooks and other Apple devices. Now we need to federate Entra ID and Apple Business Manager, but all those accounts are in conflict. BUT if we need 11 new email addresses we have 2 options: buy 11 new licenses in Microsoft 365 (and this is a big problem) or change the email addresses of all the users (presuming it is possible to do, this is a much bigger problem). Is there a way to solve this?

    • @anomanisisis
      @anomanisisis 24 days ago

      Why not create an alias on each of those accounts so that any communication still arrives to the intended recipients but is under a different email address? You would need a second domain attached to your 365 tenant though.

  • @dzaggiel
    @dzaggiel 3 months ago

    Ok, but what if the user still wants to use their corporate account as an Apple ID but already has it registered as personal? He has to change the email on the existing account to release the email, log out on the iPhone with the Apple ID and log in again with the same company email and sync everything to iCloud again?

    • @wmuelver
      @wmuelver months ago

      Correct.

  • @62128Kevin
    @62128Kevin 5 months ago +1

    So if Jenny doesn't change her mail address in her iCloud account, the conflict will not disappear?
    I don't understand what the good solution is exactly

    • @DeanEllerbyMVP
      @DeanEllerbyMVP 5 months ago +2

      If Jenny doesn’t change the email address associated with the Apple ID within 60 days, it will be released to the ABM organisation anyway. At that point, I think, she will be forced to update it next time she signs in.

  • @rufmeister
    @rufmeister 3 months ago

    You skipped over what happens if you _don't_ reclaim it. Does it not do federation at all at that point? If you leave it at that state, does it prevent new Apple IDs from being created with that domain name? (The use case I'm curious about is if a company does _not_ want people to use the company email for Apple IDs, would like to prevent it in the future, but does _not_ want to create a huge helpdesk storm of all existing Apple IDs being changed.)

    • @anomanisisis
      @anomanisisis 24 days ago

      In my experience, once the domain is verified in ABM, no further "personal" Apple IDs can be created with the business domain address.