Note
This feature is gradually rolling out and might not yet be available in your tenant. Full availability is expected by mid-May 2026.
You can use Apple access management settings in Apple Business or Apple School Manager to control how Apple accounts are used on organization-owned devices. These settings define which devices users can sign in to with Apple accounts and which Apple apps and services are available.
Prerequisites
To configure service access for Apple accounts, ensure your environment meets the following prerequisites:
Device platform requirements
Configurations apply to the following platforms:
- iOS/iPadOS
- macOS
Roles requirements
You must have sufficient permissions in Apple Business or Apple School Manager to manage Apple account service access. For current role requirements, see Customize user access to apps and services using Apple Business (opens Apple support site).
Device configuration requirements
Devices must meet the following requirements:
- Owned by the organization in Apple Business.
- Enrolled in Microsoft Intune through automated device enrollment (ADE).
- Run a supported operating system version:
  - iOS/iPadOS 17 or later
  - macOS 14 or later
Important
These settings apply to all Apple accounts regardless of whether a sign-in is actively happening. If the setting is changed and the device doesn't meet the requirement, the account is automatically signed out.
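The following is an added example, not part of the original page and not Microsoft or Apple code: a check to run before changing a service access setting, which flags devices in an inventory export that don't meet the device configuration requirements listed above. The CSV column names and the sample rows are constructed assumptions for this example, not a real Intune or Apple Business export format.

```python
import csv
import io

# Minimum OS major version per platform, from the requirements listed above.
MIN_OS_MAJOR = {"ios": 17, "ipados": 17, "macos": 14}

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """\
device_name,platform,os_version,enrollment,in_apple_business
ipad-lab-01,iPadOS,17.4.1,ADE,yes
iphone-sales-07,iOS,16.7.8,ADE,yes
mac-eng-12,macOS,14.5,ADE,yes
mac-byod-03,macOS,15.1,user,no
tablet-kiosk-09,Android,14,ADE,yes
ipad-old-04,iPadOS,,ADE,yes
"""

def os_major(version):
    # Leading integer of a dotted version string, or None if it can't be parsed.
    head = version.strip().split(".", 1)[0]
    return int(head) if head.isdigit() else None

def unmet_requirements(row):
    """List the device requirements above that this inventory row does not meet."""
    problems = []
    minimum = MIN_OS_MAJOR.get(row["platform"].strip().lower())
    if minimum is None:
        problems.append("unsupported platform")
    else:
        major = os_major(row["os_version"])
        if major is None:
            problems.append("OS version unknown")
        elif major < minimum:
            problems.append(f"OS below {minimum}")
    if row["enrollment"].strip().upper() != "ADE":
        problems.append("not enrolled through ADE")
    if row["in_apple_business"].strip().lower() != "yes":
        problems.append("not owned in Apple Business")
    return problems

def audit(csv_text):
    """Map device name -> unmet requirements, for devices with at least one."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = {r["device_name"]: unmet_requirements(r) for r in rows}
    return {name: probs for name, probs in checked.items() if probs}

if __name__ == "__main__":
    for name, probs in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(probs)}")
```

Devices with a missing or unparseable OS version are reported rather than silently passed, so they can be checked manually before the setting is changed.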
Configure service access
Service access settings are configured in Apple Business or Apple School Manager. Microsoft Intune doesn’t configure these settings directly. Instead, Intune issues a management token that Apple uses during device activation to confirm the device’s Intune assignment.
Available settings
In Apple Business or Apple School Manager, you can configure settings that control:
- Which devices users can sign in to with Apple accounts, such as:
  - Any device
  - Managed devices only
  - Supervised devices only
- Whether users can sign in to organization-owned devices using:
  - Managed Apple accounts only
  - Any Apple account
- Which Apple apps and services are available to users, such as:
  - iCloud services
  - Collaboration and communication services
Note
For devices enrolled through automated device enrollment (ADE), the Managed devices only and Supervised devices only options behave the same. ADE devices are both managed and supervised by default.
These controls apply to organization-owned devices and are defined by Apple as part of their access management model. They aren't supported with bring-your-own-device scenarios. For detailed instructions and descriptions of available settings, see Service access with Managed Apple Accounts (opens Apple support site).
How service access enforcement works
Service access for Apple accounts is defined and enforced across Apple and Microsoft Intune as follows:
- An administrator configures service access settings for Managed Apple Accounts in Apple Business or Apple School Manager. These settings define which devices users can sign in to and which Apple apps and services are available.
- Devices are enrolled in Microsoft Intune through automated device enrollment.
- When a user signs in with a managed Apple account on an enrolled device, Apple validates whether the device meets the configured service access requirements.
- Microsoft Intune enforces the service access requirements on enrolled devices during device check-in and Apple account sign-in.
- If a device no longer meets the configured requirements, Apple automatically signs the user out of affected Apple services.
These controls help ensure that managed Apple accounts are used only on devices that meet your organization’s access requirements.
If a user is having trouble signing in to a device with their personal Apple account, see Apple support (opens Apple Support site).
What it doesn’t do
Configuring service access for Apple accounts doesn’t change how devices enroll in Microsoft Intune. Specifically, this configuration:
- Doesn’t configure enrollment settings in the Intune admin center. Service access is configured in Apple Business or Apple School Manager, not in Intune.
- Doesn’t replace device enrollment. Devices must still be enrolled in Intune using an Apple-supported enrollment method that results in a managed (or supervised) device.
- Doesn’t determine whether a device is marked as corporate or personal in Intune. Device ownership is determined by the enrollment method and corporate identifiers.
- Doesn’t provide per-service configuration controls in Intune. Apple defines which apps and services (such as iCloud features, FaceTime, or Messages) are available to managed Apple accounts.