Microsoft Azure AD Federation with Apple Business Manager

  • Published: 27 Oct 2024

Comments • 116

  • @lulzjeffy1337 3 years ago +4

    Extremely helpful. Thank you very much for making this video.
    I was able to Federate my domain and setup MDM with absolutely no headaches. It's always nice to get a visual on these things. Cheers!

  • @tekstopaz 2 years ago +3

    Thank you for this! We're just starting to experiment with ABM and this helps clarify things a LOT.

  • @laurentbarbeau343 2 years ago +3

    Hi Nick, thank you so much. I was halfway through the process because I was learning on my own, but you are saving me a lot of time.

  • @KaileshTurkar-v1b 4 days ago

    Hi,
    Thank you for the video, it's very helpful.
    However, I have a question: after enabling the federation, if AAD has around 2000 users, will all 2000 be visible in the ABM portal, or only the users trying to log in to the Mac devices?

  • @BWalledge 2 years ago +4

    Hi Nick, thanks for the video, very helpful. Like a few other people on here, we already have users who have had devices set up (in a different MDM platform) using the @domain as their Apple ID. We now want to federate with Azure AD as per this video. My question is two-part: firstly, is the conflict checking based upon accounts that are in the Apple Business Manager portal, or checked against all Apple IDs that Apple knows about? Secondly, what happens if the user doesn't change their Apple ID before the 60 days?

  • @HenRen88 2 years ago +1

    Hi Nick, this was very helpful, but I'm still stuck with one question! What if I had users already using an Apple ID that was not managed, and I still want to use the same Apple IDs (but managed) after claiming the domain after 60 days? They are not able to fill in the claimed Apple ID... I'm stuck here…

  • @andresrodriguezcortes8096 3 years ago +1

    Hello, thanks for this content. Just a question: what would happen if the email notification isn't sent to the conflicting accounts, or if users don't update the old Apple ID account with a personal email within the given period?

  • @VP-ud8we 3 years ago +2

    Hi there, great video. Do you maybe know what will happen to the iCloud/notes/contacts data if the user won't reclaim Apple account ownership? Will the data be deleted? Thank you!!!

  • @kamoliddinkenjaev4174 1 year ago

    Hello, thank you very much for the video. I have one question: what happens to the managed devices where the users are already using the company email address as an Apple ID? I mean, at the first start-up they created an Apple ID using their company credentials?

  • @DavidBilbie 1 year ago

    Hi - great video. As I have created the main account with my company email address, it's telling me in Activity "0 of 1 Account Federated. There is 1 issue federating existing accounts. Download logs to see the details." If I open the log, it's the email I am using to log in to ABM. What do I do about this?

  • @GoodLivingVacationRental 1 month ago

    What happens if the user doesn't add a second email to the Apple ID in 60 days?

  • @atexan 4 years ago +6

    Great video. It filled in a bunch of documentation gaps. You mentioned enabling iCloud for users a couple of times; can iCloud be turned off for all users within ABM, or is that only done at the MDM level?

    • @t-minus365 4 years ago +1

      Thanks! It's done at the MDM level. Device restriction profile within Intune.

  • @kashustephen 1 year ago

    Thank you for the video, however I did not receive the email to claim the ID. Do you know what I can do in this case?

  • @Boxcow45 2 years ago

    As far as Apple ID conflicts go, is there a more graceful way to handle them? I have several users using personal Apple IDs that we plan to claim. My understanding is that all apps and data will remain on the old account. Is there any way for users to claim their old email address so that we don't lose management of corporate apps and data?

  • @JackWHU 2 years ago

    Thanks for the very helpful video. In terms of the notifications and emails to notify users to change their email addresses... Is this automatic once Federation is enabled, or can we delay this in order to do some testing?
    In other words, do the 60 days start ticking the second you turn on Federation?

    • @t-minus365 2 years ago +1

      It starts ticking the second you start.

  • @colinmsmall 1 year ago

    What does this look like in a real-world existing enterprise organization that isn't currently using managed IDs with federation, but has hundreds or thousands of Apple IDs already in use with their company email address/domain? What is the real-world experience like when migrating to managed Apple IDs with federation? It sounds almost like it isn't possible in the real world without major disruption.

  • @markharrison9372 4 years ago +1

    Could you explain what needs to be set to force an ABM / Intune enrolled device to require a federated Apple ID on first boot? It seems desirable to have corporate devices use federated Apple IDs, I just can’t figure out how to drive users to ‘use’ their federated accounts. The company portal Features / Restrictions are all working fine.

    • @t-minus365 4 years ago

      Hey Mark, I think I answered this in the comments of another video, but again for visibility on this video: to my knowledge there is not a way to present the user with their federated account upon first boot.

  • @cyli9710 2 years ago

    This video shows the synchronization of one domain. Any idea what happens if there are multiple email domains in the same Azure tenant?

    • @t-minus365 2 years ago

      You can add multiple in ABM as alias records.

  • @jamesmahalek6471 1 year ago

    Thanks for this, handy to see the experience before implementing!

  • @kevin-taber 3 years ago

    Seems like this is for schools, or BYOD, but not businesses with company-owned ADE (formerly DEP) devices. You won't want to use a federated login for the main account on an iPhone or iPad, as you can't download any apps. Apps can only be installed via VPP otherwise. Correct?

    • @tonic316 3 years ago

      Correct, it's how the company I do IT for does it. No federation, and all apps are pushed via VPP to the users' phones, and the App Store is not allowed to be used.

  • @caseyheberling1824 3 years ago +1

    Nick, I want to say "Thank You" very much for these videos. I am currently exploring options for my company to manage iOS devices (mostly iPhones) to keep from losing money with devices that get inadvertently or maliciously "bricked" when an employee leaves the company. Just trying to wade through the necessary programs to set up an effective MDM for the iPhones, and could use some insights if you are open to further questions outside of this mode of communication. Let me know which options would work for further follow-up communications.

    • @t-minus365 3 years ago

      Hey Casey, you can email me at msp4msps@tminus365.com

    • @caseyheberling1824 3 years ago

      @t-minus365 Not sure if you have received my email from my work email account; just want to ensure there was no mistake or disconnect.

  • @pwangsom 3 years ago

    Hi, thank you for this demo video. I tried to follow your instructions. I can add and verify my domain in Apple Business Manager. However, in the Federated Authentication step, I always get a failed authentication when I try to sign in to my Azure AD.
    The error is "Selected user account does not exist in tenant 'Apple Inc.' and cannot access the application 'fc67d51f-bf39-4530-8155-3714f897281b' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.".
    Could you please suggest how to fix it? Much appreciated.

  • @magnus1720 4 years ago +1

    Hi,
    When I enable Federation it fails with the following message: "Another organization is using this domain"
    Is there anything I can do, or is the only option to contact Apple support?

    • @t-minus365 4 years ago

      I think your best option is to contact Apple support. I would call them; they are pretty quick to respond and get a live person on the phone to help, from my experience.

  • @MrGayle_ 1 year ago +1

    Another great video; yet again you have helped me.

  • @alanwu2670 3 years ago

    Hi Nick,
    This was a great video. I am setting up ABM MDM for our organization. At the current moment we are applying the MDM solution to one of our AAD labs before setting it up for our actual production environment. If I federate my ABM account to the lab, is there a way to reverse it? Will this leave any residual issues in the long run?
    Thank you,
    Alan Wu

    • @t-minus365 3 years ago

      Hey Alan, I personally would not federate it to your lab environment in Azure AD. The only reason I would do that is if you have a test ABM account on the opposite end, not one you intend to use in production.

  • @EvidentGames 2 years ago +1

    Amazing video man, very easy to follow. Hope you get more views!

  • @MKAJ2017 5 months ago

    Can you federate with a GCCH tenant?

  • @vincenthesse8928 4 years ago +2

    Hi, when I click on Azure and I put in my credentials, I get a "Forbidden 403" message. Do you know what the issue is?

    • @t-minus365 4 years ago +2

      Are you using global admin credentials?

    • @jarshamoss 3 years ago +1

      @t-minus365 We receive the forbidden message as well; how did you fix it? I have tried two different global admin accounts.

    • @Lylypie 3 years ago

      @jarshamoss This was a service health issue this week; it should be fixed now.

  • @rehanraza901 3 years ago +1

    This is an excellent video. Not easily available, and great work.

  • @rorycrabbe1905 4 years ago +2

    I am in a company of about 1600 people; we have about 300-500 Apple IDs that use our domain. We want to federate with Azure, but are wary, as it seems like even though they are signed in with our "@domain.com" Apple ID, they'd have to basically sign out and sign back into a "new" account with the same email. Do you have any ideas on how to rectify this?

    • @t-minus365 4 years ago +3

      Hey Rory, this is the biggest pain point with the federation, I would say. I've talked to Apple support about it and they do not have any really good solution. Essentially, you would have to plan out a migration strategy for all of their existing iCloud data. They would have to first convert their existing Apple ID to a third-party domain and then sign into an Apple device with their Microsoft credentials to have the ID fully managed. This piece and migrating all of their data is a huge pain. May not want to do that yet until there is a better solution in the future. Tough call for sure.

    • @greggmontanaro3889 11 months ago

      @t-minus365 Thank you for the great video content and responses. I see this question and reply are from three years ago. Do you know if this situation with Apple has improved much since, and if so, do you have any guidance, or can you point me/us in the right direction toward more information? Thanks so much for your work and the super clear instruction video.

  • @jonbudnik9560 3 years ago

    Is it possible to set this up but only apply it to a subset of our users? We would like to conduct some initial testing before our entire user base starts receiving notifications to change their Apple IDs. We would like to test it out first and verify this is the direction we want to move company-wide.

    • @t-minus365 3 years ago

      Hey Jon, it is not possible to set up the federation with a subset of users within the same domain. What I would recommend is spinning up a dummy domain in their tenant to test the federation with fake accounts. You can buy a cheap domain name just for this testing.

  • @jg-365 4 years ago +2

    This is excellent information. I encourage everyone to read the questions/comments below, as they likely answer all or most of your questions.
    My question: our users have several aliases, but they currently use their corporate email when they need to set up an Apple ID (unmanaged). For anyone with conflicts, can they be directed to use one of our aliases to move their current account to it, and then we take ownership of the primary email address as a managed Apple ID?
    Thanks for the help!

    • @t-minus365 4 years ago +1

      Hey Joel,
      They can do this; I think you would just be worried about whether they have any corporate data on those existing accounts, and having a migration plan aligned.

  • @Camazonia 4 years ago

    So it's not possible to have multiple domains federated to one AD tenant, for example multiple country domains? But is it possible to separate the different domains into multiple ABMs and federate them to the same AD tenant?

    • @t-minus365 4 years ago

      Correct, you can only have one federated domain in ABM. And while that would make things cumbersome, I don't see why that wouldn't work in the sense of having multiple ABM accounts. You'd have to create an enrollment program token for each ABM account too.

  • @mateogringolandia 3 years ago

    Well done! Question: if our Apple Business Manager account has multiple domains loaded and verified that belong to the same Microsoft Intune tenant, such as exampleQXYZ.com and exampleABCD.com, can you select which one of those domains to federate with and, importantly, NOT federate with the other? I really want to federate with one of the domains to automatically create managed Apple IDs, but not the other, because I have thousands of Apple IDs in use that I don't want to be forced to change. No one has been able to weigh in with confidence yet.

    • @t-minus365 3 years ago

      I demoed this out when I did this, and you CAN federate one domain at a time.

    • @mateogringolandia 3 years ago

      @t-minus365 Any way we can contact you directly to discuss?

  • @DylanBogusz 4 years ago

    Wish this was available a few months ago. I federated my domain with ABM and I have 27 upset people that used their company email for their personal devices. Setting up the MDM was also confusing. The push cert and everything was set up, but actually configuring the policies was a bit confusing. Is Jamf easier in that regard?

    • @t-minus365 4 years ago

      Jamf is the preferred MDM provider for Apple, but it's just a different UI really. Some of the policies and profiles you create are more intuitive.

  • @yoderboy57 4 years ago

    Does content transfer over from gaining ownership? Say John Doe already has an Apple ID set up with our domain; when we turn on federation and make the transfer of ownership to us, do they lose access to all of their iCloud content, or does it transfer over to the new managed Apple ID?

    • @t-minus365 4 years ago

      Unfortunately it does not. They would have to migrate the content.

    • @Yipez92 4 years ago

      @t-minus365 Hey there, great video! This is probably my main concern right now, as we have about 200 company-owned iPhones set up with our domain. How easy is it to migrate the data like contacts and photos? Is there any 3rd-party software that might make this easier?

    • @jg-365 3 years ago

      @Yipez92 Did you find an easy way to migrate data?

  • @yusufsimsek402 3 years ago

    How can I distribute my custom private app to my company?

  • @gaffs82 3 years ago

    Hi. Thanks for the video. Quick question: when you set federation up, can a user log into their iOS device with their AD credentials, in place of the password that is required from our MDM server?

    • @t-minus365 3 years ago

      As far as my knowledge goes, that would not be possible.

  • @vipulpanwar2270 4 years ago

    Hi, is it possible to use Apple ID as a login method on Mac Catalina? Wondering if making Apple IDs federated with Azure and making the Mac log in with the Apple ID could provide a seamless login experience for the device and other SSO apps.

    • @t-minus365 4 years ago

      You can't Azure AD Join a Mac. In order to manage user profiles/accounts on a Mac that uses Azure AD and Intune, you need to join the Mac to a domain first. You could join Macs to Active Directory hosted on an Azure VM, then use Azure AD Sync to sync AD credentials to Azure AD and O365. More complex!

  • @dannycvijic8317 4 years ago

    Hi. Thanks for providing all of the video content, as it's extremely helpful.
    When the domain gets federated, does every single user in the organization that has a domain name conflict get signed out of their device right away, or does that happen after 60 days from that point, or does it happen when we trigger the notification to them? If this federation could be done in stages for the company and not all at once, it would be a lot easier to manage, but I am trying to understand the order of events better and what the user experiences during this time for a better migration.
    Also, I was informed that if we already have consumer-grade email accounts set up and linked to everyone's iPhones which happen to be our company email address, they cannot be migrated to managed IDs for a seamless Azure/ABM migration. Is this true? If it is, would they need to sign in with the alternate domain, or can they use their AD credentials like you mentioned?

    • @t-minus365 4 years ago +1

      The switch to turn on federation is binary, and users have 60 days after that point in time to change. If you choose to send them an email about it, it makes no difference. It is all or nothing in the sense of switching over.
      You are correct in the fact that there is no seamless migration path to convert them to managed Apple IDs. They would have to change their existing Apple ID to something without the company's domain and then sign into the device with their Azure AD creds to create the managed ID in ABM.

    • @dannycvijic8317 4 years ago

      @t-minus365 So does this mean that the moment the switch to turn on federation occurs, everyone is immediately signed out of their devices, or does the actual sign-out occur after the 60-day period? Please elaborate more. Thanks.

    • @t-minus365 4 years ago

      @dannycvijic8317 After the 60-day period.

    • @teaseler 4 years ago

      @t-minus365 So to clarify in my head: if I configure the Federated Authentication but do NOT enable it, can I view all the conflicts (like at 10:44) without the 60-day countdown ticking? It's only when I enable the federation that the countdown clock ticks? And is federation easily removed?

    • @t-minus365 4 years ago

      @teaseler You are correct, and you can toggle it back off at any time to roll it back and not worry about the changes.

  • @ovipeace 3 years ago

    Can we connect our Mac and Linux machines with an Azure AD DC for authentication and policies etc.?

    • @t-minus365 3 years ago

      This type of architecture is only supported if you set up Azure AD domain services and actually have the devices joined to a server as well.

  • @54321bharath 4 years ago +2

    Nice video! I have two questions.
    1) Once we complete the federation of the domain, it will show how many conflicts there are, right? Will the users get notified immediately, or can we choose when to trigger the notification? We would like to inform them ahead of time to avoid any surprises.
    2) What would happen to the account we are using with the company domain for other processes, e.g. to enable the APNS cert or ABM or to access the Apple Developer Program? Do we need to change that as well, or will those accounts not be impacted?

    • @t-minus365 4 years ago

      1) It will show the number of conflicts, but unfortunately it doesn't provide the exact users. The users will get prompted pretty much immediately after you decide to turn that on and give them a notification. There is no way to time the comms. They also get a notification every 7 days, I think.
      2) Those accounts will have to be changed as well. Not an ideal process.

  • @jonathanp6508 4 years ago

    Thanks for the video,
    but how do I enroll an iPhone, for example?

    • @t-minus365 4 years ago

      Hey Jonathan, I made a couple of videos for this: ruclips.net/video/Gogn8KkuBhA/видео.html ruclips.net/video/JhDbxfFTOVg/видео.html

  • @drivintruck4951 2 years ago +1

    Great video! Thank you.

  • @corythornton4878 4 years ago

    Hi, thanks for the video. It really does fill in the many gaps in Apple's documentation. Is Microsoft Azure Active Directory required to set up ABM federated authentication? Apple's documentation doesn't really say what to do if you are using a different product, or if it's even allowed.
    Many thanks!

    • @t-minus365 4 years ago

      Hey Cory, to my knowledge, Microsoft Azure AD is the only supported AD environment for federation at this time.

    • @corythornton4878 4 years ago

      T-Minus 365 Thank you!

  • @jrothstein69 4 years ago

    If my O365 tenant domains are federated with on-prem ADFS, can I still federate Apple Business Manager against Azure?

    • @t-minus365 4 years ago +1

      I have tested a hybrid environment and a cloud-only environment, not ADFS. I don't like to say things with 100% certainty until testing, but my assumption is that this would work just fine, because it's just a SAML connection that's being created: support.apple.com/en-in/guide/apple-business-manager/apdb19317543/web

    • @jrothstein69 4 years ago

      @t-minus365 Thanks, yes I've seen that article, and I agree it should technically work, as Apple should just send SAML against Azure as defined in whatever relying trust they have on their end. However, since my domains already say "federated" within Azure/O365, I just wasn't sure whether it's supported, or worse, would break the existing trust against our on-prem ADFS, which would result in 500 remote workers screaming at me lol.. I may have to open a ticket to confirm, as my lab environment can't replicate this scenario easily.

  • @kun6fupanda 2 months ago

    Can I hire you to do this for my company?

  • @SanthoshKumar-np7ds 4 years ago

    How are Managed Apple IDs created in ABM? Does it sync each and every user from Azure AD, or only when the user logs into the device with Azure AD creds? Please let me know. Thanks in advance.

    • @t-minus365 4 years ago +1

      It adds a managed Apple ID when they sign into iCloud from a device with their Azure Active Directory credentials. I show that in the video.

    • @victorlozano8145 4 years ago

      @t-minus365 Thanks for the good video. Everything seems to be set up properly. The only issue is that when a user signs into iCloud from a device with their Azure AD credentials, the user does not appear in ABM. I do have 14 conflicts when enabling Federation for our domain. Do these need to be resolved before the users start appearing?

    • @t-minus365 4 years ago

      @victorlozano8145 Are users seeing the federation screen after typing in their username when signing in to iCloud on a managed device?

    • @victorlozano8145 4 years ago

      @t-minus365 I guess I was just being impatient. When I checked again today, the users were listed in ABM. Now, I'm assuming the MacBook needs to be enrolled in order to appear in Intune?

    • @t-minus365 4 years ago

      @victorlozano8145 Correct! Glad that worked out for you.

  • @thunderstrike1992 4 years ago

    What if people are already using their work email account for an iCloud account for business devices?

    • @t-minus365 4 years ago

      There is no direct conversion/migration to a managed Apple ID. Existing Apple IDs with the corporate domain will have 60 days to change their Apple ID after you turn on federation. It stinks, but I've talked to Apple support about it recently and nothing has changed.

  • @tomasjancik8907 4 years ago

    Is there any chance to get a list of specific conflicting email addresses?

    • @t-minus365 4 years ago +2

      Great question and one of my frustrations! They do not allow you to export the client list. I suppose you might be able to get it if you call Apple support, since they have the metadata, but you can't get it from the UI.

    • @baldji 4 years ago

      @t-minus365 I called Apple support and was refused the information, as the accounts are "private", regardless of the fact that we own the domain and it is verified in ABM. We would like to communicate it to affected users using our Service Desk email and attach screenshots etc., so the only thing that comes to mind is to intercept the emails from appleid@apple.com via an EXO mail flow rule (prevent delivery to users) and identify users via Message Trace. We can probably even turn federation on and off to extend the time.
      Unfortunately, one of the conflicting accounts will be the one used for the push cert, so not sure if the email address used for the account will matter when renewing, or some internal account identifier. Any ideas?
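The comment above suggests using Exchange Online Message Trace to work out which mailboxes received Apple's conflicting-account notification, since ABM itself only shows a count. The script below is an added example, not code from the video or from the commenter: it runs a message trace for the sender address named in the comment and reports the recipients, without altering mail flow. It assumes the ExchangeOnlineManagement module, an account allowed to run message trace, and that appleid@apple.com really is the sender Apple uses (check that against a real notification in your tenant first); the output path is a placeholder.

```powershell
# Added example (not from the video or the comment above): report which mailboxes
# received Apple's Apple ID conflict notification, using Exchange Online message trace.
# Assumes the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement)
# and a role that can run Get-MessageTrace (e.g. View-Only Recipients / Message Tracking).

Connect-ExchangeOnline -ShowBanner:$false

# Assumption taken from the comment above; verify against a real notification.
$AppleSender = "appleid@apple.com"

# Get-MessageTrace only reaches back about 10 days, so run this shortly after
# enabling federation and again on each reminder cycle.
$end   = Get-Date
$start = $end.AddDays(-10)

# Page through results; 5000 is the maximum page size for Get-MessageTrace.
$page = 1
$all  = @()
do {
    $batch = Get-MessageTrace -SenderAddress $AppleSender -StartDate $start -EndDate $end `
                              -PageSize 5000 -Page $page
    if ($batch) { $all += $batch }
    $page++
} while ($batch -and $batch.Count -eq 5000)

# One row per recipient: how many notifications arrived, when the first one landed,
# and the most recent subject (handy for matching the screenshot in the comms).
$affected = $all |
    Where-Object { $_.Status -eq 'Delivered' } |
    Group-Object RecipientAddress |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Received
        [pscustomobject]@{
            Recipient   = $_.Name
            Messages    = $_.Count
            FirstSeen   = $sorted[0].Received
            LastSubject = $sorted[-1].Subject
        }
    }

$affected | Sort-Object FirstSeen | Format-Table -AutoSize

# Placeholder output path for the service desk; adjust before running.
$affected | Export-Csv -Path ".\apple-id-conflict-recipients.csv" -NoTypeInformation
```

Reading the trace instead of blocking delivery keeps Apple's own reminders and 60-day countdown intact for the user, while still giving the service desk a recipient list to work from.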

  • @arminarasheben 1 year ago +1

    Thank you so much.

  • @ronald0122 4 years ago

    You can't install apps with these accounts, right?

    • @t-minus365 4 years ago

      You can procure apps in bulk with VPP in Apple Business Manager and then deploy them with Intune.

    • @ronald0122 4 years ago

      T-Minus 365 I know, but we allow some devices to be used for work and personal. So better to use default Apple IDs, right?

    • @t-minus365 4 years ago

      Yes, if it's a mix like that, I might recommend that you have a separate profile on the device for the work account and have them connect to a managed Apple ID there. This would at least help with data loss prevention to unmanaged apps like their personal iCloud. That may not be a concern for you though.

    • @philhackett1322 4 years ago

      The UPN must match the email address in Azure AD. If not, you will not be able to use federated user accounts in ABM.
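The comment above points at a pre-flight check worth running before flipping the federation switch: every user in the domain being federated should have a UPN that matches their primary email address. The script below is an added example, not code from the video or the commenter, using the Microsoft Graph PowerShell SDK to list the mismatches so they can be fixed first. It assumes the SDK is installed and that you can consent to the read-only User.Read.All scope; the domain name and the CSV path are placeholders.

```powershell
# Added example (not from the video or the comment above): list Azure AD / Entra ID
# users whose UserPrincipalName differs from their primary SMTP address, so the
# mismatches can be corrected before the domain is federated with ABM.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).

# Read-only directory access is enough for this report.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Domain that will be federated; placeholder value.
$FederatedDomain = "example.com"

$users = Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses,AccountEnabled

$mismatches = foreach ($u in $users) {
    # Only users whose UPN sits in the domain being federated are affected.
    if ($u.UserPrincipalName -notlike "*@$FederatedDomain") { continue }

    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:"
    # prefix (lower-case "smtp:" entries are aliases); fall back to the mail attribute.
    $primarySmtp = ($u.ProxyAddresses |
        Where-Object { $_ -clike "SMTP:*" } |
        Select-Object -First 1) -replace '^SMTP:', ''
    if (-not $primarySmtp) { $primarySmtp = $u.Mail }

    # -ne is case-insensitive in PowerShell, which is what we want for addresses.
    if ($primarySmtp -and ($u.UserPrincipalName -ne $primarySmtp)) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            PrimarySmtp       = $primarySmtp
            AccountEnabled    = $u.AccountEnabled
        }
    }
}

"{0} user(s) in {1} have a UPN that does not match their primary SMTP address." -f `
    @($mismatches).Count, $FederatedDomain

$mismatches | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Placeholder output path; adjust before running.
$mismatches | Export-Csv -Path ".\upn-mail-mismatches.csv" -NoTypeInformation
```

Users without any mail address are skipped rather than reported, since they have nothing to conflict with; disabled accounts are kept in the list because a disabled account with a mismatched UPN still blocks that address from becoming a Managed Apple ID later.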

  • @ShibuGeorgeMac 4 years ago +1

    Thanks

  • @jayvilla5985 3 years ago

    Great video. We currently use Intune for our Macs and iOS devices. Manual enrollment; we do not use ABM, but I want to implement it. We currently have our iOS push certificate registered to an Apple ID company@example.com. If that domain is federated with ABM, would I also need to change that Apple ID email? I'm concerned that if I have to do that, it will break the Apple push certificate that's already being used by devices.
    Also, with ABM, are users able to log in at the Mac login screen with their Azure credentials? Would they be able to type in their normal company Azure email, e.g. user@company.com, or would they have to use the federated one like user@company.appleid.com?

  • @dannydominguez6815 2 years ago

    Instead of all the blah blah, start with how you set up the account. STEP BY STEP...