Managed Apple IDs, iCloud, and the shadow IT connection

Apple is continuing its expansion of Managed Apple IDs for business customers, giving them increased access to iCloud services and Apple Continuity features. Companies get iCloud backup and new syncing options (particularly for passwords, passkeys, and other enterprise credentials) — along with access to business-friendly Continuity features such as Universal Control.

But they could also lead to increased data sprawl and siloing. Ironically, those issues are typically related to shadow IT, even though they’re enterprise features. Let’s look at what’s going on and how enterprises can take advantage of these features and services without running into trouble.

First, a quick recap of Managed Apple IDs is needed. Apple introduced them a few years ago as part of Apple Business Manager and Apple School Manager. 

In the consumer world, an Apple ID is a user’s central credential for all things Apple; it’s used for App Store purchases, services such as Apple Music and Apple TV+, FaceTime, device activation, Apple’s Find My network, Activation Lock for lost/stolen devices, Continuity features for working across multiple devices, and any feature related to iCloud.

iCloud features let a user sync almost anything — contacts, appointments, reminders, photos, passwords and app-specific data — across all their Apple devices. Users can also make backups using iCloud and can access much of that data via the web using iCloud.com.

It’s a powerful combination of services and tools. (Apple expanded its enterprise offerings even further at this year’s WWDC 23.)

Managed Apple IDs allow businesses to support some of these functions on managed Apple devices using an account created and controlled by an employer. This is partially how Apple creates a bright line between work and personal use on a device. Anything personal that requires an Apple ID occurs using the personal Apple ID; anything business-related, such as the mass deployment of business apps, depends on the device’s enrollment status and an associated Apple ID.

Managed Apple IDs are created in Apple Business Manager (or Apple Business Essentials for small businesses). Because Apple Business Manager supports federation with most cloud-based enterprise identity providers such as Azure AD and Google Workspace, or solutions using OAuth or Okta (full Okta support is coming later this year), the creation of Managed Apple IDs can be completely automated, with each ID matched to that user’s enterprise credentials.

Like Apple Business Manager, Managed Apple IDs are also connected to an organization’s mobile device management (MDM) software and can be used with personal or company-owned Apple devices. (When used, they appear in System Settings on a device as a second Apple ID.)

Apple IDs offer access to core iCloud services and Continuity features that work only when the same ID is associated with two or more devices. The two biggest iCloud capabilities are data backups and syncing across multiple devices. Until now, Managed Apple IDs haven’t had full access to these features. But with iOS 17 and macOS Sonoma (due out this fall), Apple is changing that.

The most consequential addition will be the ability to sync iCloud Keychain, Apple’s de facto password and passkey management utility. It’s somewhat hidden in the Passwords section of System Settings and it works with most iOS and macOS apps, web browsers, and other tools that require authentication. (It also integrates with Apple’s biometric services, Touch ID and Face ID.)

This is a major potential boon for enterprises, particularly those adopting passkeys to replace passwords.

Shadow IT is traditionally thought of as managers and users adopting technology on their own without the knowledge or involvement of the IT team. This can include anything from personal devices to external email accounts to consumer cloud plans and collaboration services. The main challenges shadow IT poses involve security and data siloing.

The security concern involves data that can move beyond IT’s ability to monitor and secure it. Since Managed Apple IDs are organization-owned and IT-managed, the security risks of using iCloud with Managed Apple IDs are basically a non-issue. But even with Managed Apple IDs, data can still get siloed, lost or inaccessible to users.

This happens in multiple ways. On-device data gets backed up to iCloud; data can be synced across multiple devices unevenly; and data can be shared via iCloud across multiple users. Should an employee leave a company, there’s little concern about them taking corporate data with them; their access to it through their Managed Apple ID is terminated along with access to other enterprise accounts.

But if that departing worker is the only one who had that data, others might not know it exists or be able to access it.

As users become more trusting of cloud solutions in general, and iCloud in particular, data could gradually move from central repositories (file servers, cloud storage, and email) to existing only on user devices and in iCloud storage. The result: that data becomes more personal, because it’s associated with the person doing the job as opposed to the job itself. This has the potential to create an array of new data silos just as companies are trying to break down the entrenched data silos of old. It also exacerbates the loss of institutional knowledge, especially when the person leaving is more of an expert than other members of the team, department, or company.

These might not seem like immediate concerns, but they’re the kind of problems that can grow like weeds if not tended to early and regularly.

The simplest solution would be to prevent users from being able to back up, sync, and share work content using iCloud. Managed Apple IDs do support this — and at a pretty granular level. IT admins can allow people to sync contacts but not reminders, or passwords but not calendars, or any other combination of the available iCloud functions.

The question becomes: would you want to set those kinds of limits?

Although data sprawl is a concern with what are essentially business iCloud accounts, there are important advantages. The biggest, as noted, is the ability to sync passwords and passkeys.

If a company uses passkeys for security, allowing password/passkey syncing is almost essential for workers with Apple devices (unless IT uses some other utility to perform a similar function). Even at companies still using passwords, a secure password option that works across devices improves usability and workflows and can secure access to internal and external cloud services and resources.

While internal resources can be part of a single sign-on process (which Apple also supports), most users likely need access to multiple accounts or credentials. This is particularly true for people who access services outside an organization such as parts suppliers, government websites, and education content providers.

Without a corporate password management solution in place, users will either rely on insecure ways of remembering passwords (passwords on Post-Its is still a thing) or turn to a personal password manager IT has no control over. A user relying on their personal iCloud account can take passwords to external partners with them, even if you disable their access to internal resources. But if admins use Managed Apple IDs with iCloud Keychain support, access to those passwords can be easily revoked (along with access to their internal account).

Since iCloud services can be limited, IT admins can be very narrow in their focus and enable iCloud Keychain syncing without turning on other services.

What about other services? The most concerning — think shadow IT again — is allowing users to make full use of iCloud Drive (or any apps that store files and data in iCloud by default). Although this can be convenient, it creates headaches when users can’t remember where things are stored or how to share them. Although iCloud supports these functions, most companies have other dedicated systems they want workers to use.

It’s also worth noting that iCloud is a bit of a mess as a repository for data. Apple has changed what can be stored, where it gets placed, and how a user’s storage space is organized many times over the years; it isn’t a simple empty container like most cloud solutions.

Syncing items such as contacts and calendars, for instance, is a no-brainer and has been for years. This saves a lot of hassle for users and gives IT the ability to cut off access if necessary. It also discourages users from mixing business contacts and events with their personal account/Apple ID. (Apple’s new NameDrop feature is a data sync tool companies can and should support.)

Device backup represents a mixed bag. It does make restores a self-service process, which can be helpful when swapping out older devices or when users buy a new iPhone or iPad. Whether you support this feature or not, Apple’s MDM architecture creates a secure separation between personal and business apps and contents.

AirDrop has always been a slightly awkward option for business. The ubiquity of iOS devices and Macs makes AirDrop a better option for exchanging information than an enterprise storage solution — especially when users are not part of the same company or network. Therein also lies the concern. Since AirDrop leverages iCloud to transfer files via the Internet (rather than ending the transfer when the devices move out of proximity), data could leak out or wind up siloed.

AirDrop can be a concern because any data transferred isn’t necessarily stored anywhere other than on individual user devices. There’s no real way to audit or track it as it moves through AirDrop or even ensure people are working with the same version of any given piece of information.

This would be a good time for IT to review how AirDrop figures into the corporate security posture.

Continuity isn’t directly tied to iCloud; it’s tied to a user’s Apple ID, which now can include a Managed Apple ID. Although business data can be accessed across a user’s devices with Continuity, it is generally user-specific information, and actions occur across the devices supported for each individual. It simply extends the user experience so that all of a user’s devices can be thought of as a single device.

Because there’s less chance of data being siloed or drifting outside the organization, supporting Continuity with Managed Apple IDs can also be a good way to build social capital with users. It’s just that useful.

On the whole, the extension of Managed Apple IDs and related iCloud functions in iOS 17 and macOS Sonoma should be a net positive for IT. The changes can improve security, flexibility, and overall workflows for users (and to some extent IT admins). But there remain challenges. Flinging the gates wide open isn’t advisable for most organizations, at least for now. But enabling specific pieces of the puzzle is appropriate.

Just be sure to pick and choose wisely.