Apple Business
apple.com
705 points by soheilpro a day ago
I recently tried setting up Apple Business Manager for our ≈20-person SME.
The first step was "Domain Lock/Capture" which takes over all Apple accounts for a specific domain.
I've never had a worse experience from Apple.
The process is buggy, filled with foot-guns and dead ends. It expects huge amounts of work from users who have had their account for more than a few weeks and are expected to remove a lot of their personal data before their account can be migrated (e.g. do you know how to delete all your Health data?). The process is also impossible to cancel.
Phone support was par for the course, e.g. tickets escalated to the abyss, suggestions to restore workstations to factory settings, etc.
Be warned.
I had a "wonderful" experience as well.
I wanted to evaluate it for MDM purposes so I applied for an ABM account for a company I work for, got soft-approved, created an entirely new Apple ID (as required by the ABM), used it to log on to a test device I intended to manage, then sort of forgot about it while waiting for Apple to conclude their hard-approval for the ABM account creation.
Apple was supposed to contact the business owner to verify company details and finalize the process over the next few days, but they never did.
30 days later they canceled the ABM company account and deleted all the associated users along with the Apple ID which I used to log into a testing device, which now became a fairly expensive paperweight.
I had very few expectations about the experience and I was still disappointed.
This is the kind of failure mode that makes people nervous about tightly coupled identity + device management.
The domain lock process was an absolute fiasco at our company. I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-manage place.
There are several cheap MDM solutions for Apple devices that I would rather pay for than be dependent on this. (We've used SimpleMDM and love them.)
I'm currently in that hellish process too... I don't know how to get out of it. Did you know that your employees will be forbidden from downloading from the App Store once you launch that migration? It's a nightmare.
I did not. If I had known what would happen when we tried this we would have skipped the process entirely. Our staff (roughly 125) was so confused and it wasted a lot of time communicating about it, then trying to roll it back, etc.
Well yeah, the idea is that if you have ABM, you have an MDM you can use to purchase licenses for them and install the apps with the MDM.
It can be done that way, but it is definitely not the norm. Businesses will generally “purchase” (many for €0) apps in ABM that are to be used for business purposes and push those to devices; the user can then use an Apple ID to download any other apps they want for personal use.
If they’re using Managed Apple IDs they will have no access at all to the App Store and won’t be able to download their own apps anymore. The IT department will have to buy and assign any apps that anyone needs, even the $0 ones that only 1 person needs.
Yep. Truly horrid policy. Where I work our issued iPhones suck to use without App Store access; no Bitwarden was the killer for me personally. Everyone I checked with uses their personal email/Apple ID instead of the MAID, and there's a sword over your head if you ever accidentally copy/paste something from internal emails to something like Notes which has iCloud sync (we're semi-serious about leakers). Absolute failure of an MDM setup by Apple.
MDM can restrict pasteboard from managed apps to non-managed apps, as well as allowing iCloud sign-ins but restricting which iCloud services are allowed.
It's an absolute failure of the MDM server administrator for allowing such things, not on Apple.
If my employer did that to me, I would seriously consider suing them.
You’ve never been issued a work computer that’s not yours to fuck around with?
I haven’t. Did have issued laptops that were company managed but I basically didn’t use them and, in any case, I, like many others, reinstalled a clean operating system image and did my own support.