
Create and manage Managed Apple Accounts

Managed Apple Accounts are the organization-owned identities that power Shared iPad, account-driven enrollment, iCloud for work, and federated sign-in to Apple services. They look like Apple IDs, but the org — not the employee — is the owner of record. Here’s the complete primer: what they can and can’t do, how to create them, the roles, the 2FA rules, and the lifecycle work every Apple admin hits in the first month.

Published April 21, 2026 · 11 min read · By Arclion Managed Services

In this guide

  • “Managed Apple ID” is now “Managed Apple Account”
  • What works and what doesn’t
  • Three ways to create them
  • Manual creation click path
  • Bulk CSV upload
  • First-time sign-in and mandatory 2FA
  • Roles and permissions
  • Password resets, deactivation, deletion
  • Common pitfalls

Naming clarification

“Managed Apple ID” is now “Managed Apple Account”

Apple retired the “Managed Apple ID” label during the iOS 18 / macOS 15 release cycle in fall 2024. All current Apple documentation uses Managed Apple Account (MAID). If you still see “Managed Apple ID” in older docs, MDM vendor UI, or your own runbooks, it means the same thing.

The April 14, 2026 launch of Apple Business (replacing Apple Business Manager, Apple Business Essentials, and Apple Business Connect) did not change the account model — the underlying Managed Apple Account and every lifecycle rule below carried over unchanged.

What a MAID is

An Apple Account the organization owns

A personal Apple ID belongs to the employee. A Managed Apple Account belongs to the organization. The account is created inside Apple Business, the domain is locked down so employees can’t create personal Apple IDs on it, and an admin can reset the password or deactivate the account at any time.

Org controls that a personal Apple ID doesn’t have

Admin-driven password reset, deactivation, deletion, and domain capture. Two-factor authentication is mandatory and cannot be turned off.

Works with

Shared iPad, account-driven Device Enrollment and User Enrollment, iCloud Drive, iCloud Backup, Contacts, Calendar, Reminders, Notes, iCloud Keychain and passkeys, Continuity (Handoff, AirDrop, Universal Clipboard), Find My for managed devices, and iWork collaboration.

Blocked or restricted

App Store / iTunes / Book Store purchases with personal payment, Apple Pay, Apple Music / Arcade / TV+ / Fitness+ / iCloud+ personal upgrades, iCloud Mail, Family Sharing, HomeKit, Find My Friends. FaceTime and iMessage are off by default and must be enabled per account by an admin.

On BYOD devices

A MAID will sign in on personal hardware, but many services are reduced or off. It is not a drop-in replacement for a personal Apple ID on a BYOD Mac or iPhone. Communicate this to users ahead of time.

Provisioning

Three ways to create MAIDs

Manually, one at a time

Best for small teams, admin-only accounts, service accounts, or break-glass admins that must live on a non-federated domain.

Bulk via CSV upload

A web-UI CSV upload for environments that don’t federate. Historically there was an SFTP path too, but SFTP is Apple School Manager only — in Apple Business the CSV is the non-IdP bulk mechanism.

Federated + directory sync (recommended)

Auto-provision from Microsoft Entra ID or Google Workspace. Apple explicitly promotes this path. Once federation is on, you rarely touch the Users pane to create accounts — they appear as Workspace or Entra users land in scope.

Walkthrough 1

Manual creation

Step 1 — Users → Add → Add Account

Sign in to business.apple.com as Administrator or People Manager. In the sidebar open Users (older tenants still label it “People”). Click Add, then Add Account.

Step 2 — Fill the required fields

First name, Last name, Managed Apple Account (typically first.last@yourcompany.com, must be globally unique and on a verified or captured domain), at least one Role, and at least one Location.

Step 3 — Save

Apple Business generates a 90-day temporary password. Deliver it via the downloadable PDF or CSV, or email the user directly from Apple Business. Treat the PDF as a sensitive artifact.

Step 4 — User signs in

On first sign-in (at account.apple.com or during device sign-in) the user is forced to change the password, accept Apple’s terms, and enroll in two-factor authentication. Until that happens the account is Pending.

Walkthrough 2

Bulk CSV upload

Step 1 — Download Apple’s template

Users → Add → Sign-in with Apple Account upload. Inside the upload dialog, download Apple’s CSV template. Do not rename the file or alter the header row.

Step 2 — Fill the template

Required columns include Person ID, First Name, Last Name, Email Address, Password Policy, Location ID, and Managed Apple ID. Empty columns must remain present.

Step 3 — Upload and validate

Apple Business validates before committing. Common errors: duplicate Managed Apple Account values, address on an unverified or unlocked domain, invalid Location ID, invalid role name, renamed header, or a MAID that collides with a personal Apple ID in the 30-day rename grace period.

Step 4 — Distribute credentials

Each created account gets a 90-day temporary password. Download the 5-column delivery CSV (Managed Apple Account, first, middle, last, temporary password) or email users directly from Apple Business.
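A pre-upload check catches most of the validation errors listed in Step 3 before the file ever reaches Apple Business. The script below is an added example written for this guide; it is not Apple's tool or Arclion's. The header row is assumed to match the columns named in Step 2 (copy the real template's header over TEMPLATE_HEADER verbatim, since Apple's file is authoritative), and the verified domains, Location IDs, grace-period addresses and the sample CSV are all constructed.

```python
"""Pre-upload linter for an Apple Business bulk-account CSV (added example)."""
import csv
import io
import re
from collections import Counter

# Assumption: header taken from the column names in the walkthrough. Replace with
# the header row of the template you downloaded, unchanged.
TEMPLATE_HEADER = ["Person ID", "First Name", "Last Name", "Email Address",
                   "Password Policy", "Location ID", "Managed Apple ID"]

# Constructed tenant facts: domains verified or captured in Apple Business,
# Location IDs that exist, and personal Apple IDs still inside the 30-day
# rename grace window (these would collide with a new MAID).
VERIFIED_DOMAINS = {"example.com"}
LOCATION_IDS = {"LOC-HQ", "LOC-WAREHOUSE"}
GRACE_PERIOD_IDS = {"dana.reyes@example.com"}

REQUIRED = ("First Name", "Last Name", "Location ID", "Managed Apple ID")
ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def validate(csv_text: str) -> list:
    """Return human-readable findings; an empty list means the file is clean."""
    findings = []
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return ["file is empty"]
    header = rows[0]
    if header != TEMPLATE_HEADER:
        # Column positions are unreliable once the header changed, so stop here.
        return [f"header row altered or renamed: {header}"]
    seen = Counter()
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            # Empty columns must still be present, so the count has to match.
            findings.append(f"row {n}: expected {len(header)} columns, got {len(row)}")
            continue
        rec = dict(zip(header, row))
        for col in REQUIRED:
            if not rec[col].strip():
                findings.append(f"row {n}: {col} is empty")
        maid = rec["Managed Apple ID"].strip().lower()
        if maid:
            seen[maid] += 1
        match = ADDRESS_RE.match(maid)
        if maid and not match:
            findings.append(f"row {n}: Managed Apple ID {maid!r} is not an address")
        elif match and match.group(1) not in VERIFIED_DOMAINS:
            findings.append(f"row {n}: domain {match.group(1)!r} is not verified or captured")
        if maid in GRACE_PERIOD_IDS:
            findings.append(f"row {n}: {maid} collides with a personal Apple ID still in the rename grace period")
        loc = rec["Location ID"].strip()
        if loc and loc not in LOCATION_IDS:
            findings.append(f"row {n}: unknown Location ID {loc!r}")
    for maid, count in seen.items():
        if count > 1:
            findings.append(f"duplicate Managed Apple ID {maid!r} appears {count} times")
    return findings


# Constructed sample: one duplicate, one grace-period collision with a bad
# Location ID, and one address on an unverified domain.
SAMPLE_CSV = "\n".join([
    "Person ID,First Name,Last Name,Email Address,Password Policy,Location ID,Managed Apple ID",
    "1001,Ana,Lopez,ana.lopez@example.com,,LOC-HQ,ana.lopez@example.com",
    "1002,Ben,Okafor,ben.okafor@example.com,,LOC-HQ,ben.okafor@example.com",
    "1003,Ben,Okafor,ben.okafor@example.com,,LOC-HQ,ben.okafor@example.com",
    "1004,Dana,Reyes,dana.reyes@example.com,,LOC-RETAIL,dana.reyes@example.com",
    "1005,Eli,Singh,eli.singh@example.com,,LOC-HQ,eli.singh@contoso.io",
])

if __name__ == "__main__":
    for finding in validate(SAMPLE_CSV):
        print(finding)
```

Run it against the real file before uploading (`validate(open(path, newline="").read())`); Apple Business still validates on its side, but fixing the file locally avoids round-tripping a failed upload, and the header check stops you from uploading a template that was opened and re-saved by a spreadsheet that rewrote the first row.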

Sign in

First-time sign-in and mandatory 2FA

Non-federated MAIDs

The user enters the Managed Apple Account and temporary password, is forced to change the password, accepts Apple’s terms, and enrolls a trusted phone number for 2FA. A six-digit code is required on every new device thereafter. There is no way to turn 2FA off.

Federated MAIDs

The temporary-password step is skipped entirely. Sign-in redirects to Entra ID or Google Workspace; the IdP owns the password and MFA policy. Apple honors whatever the IdP enforces.

Trusted phone numbers

For non-federated MAIDs, encourage users to register two trusted numbers so a lost phone doesn’t lock them out. An admin can reset the MAID password to unblock the user, but the 2FA enrollment has to be redone.

Access control

Roles and permissions

Administrator

Full control. Only Administrators can accept new Apple Terms & Conditions — when Apple updates them, MDM sync can silently fail until an Administrator signs in and accepts.

People Manager

Create, edit, deactivate users, reset passwords, assign roles and locations. Cannot touch devices or content.

Device Enrollment Manager

Add, assign, and release devices. Manages MDM server tokens. Re-downloading a token as this role avoids the role-downgrade sync failures that bite admin-heavy setups.

Content Manager

Buy and distribute apps and books. Owns the Apps and Books / VPP content tokens the MDM consumes for app licensing.

Staff (standard user)

A MAID with no administrative privileges — just consumes managed services on assigned devices. The default for most end users in Apple Business.

Roles stack

A user can hold multiple roles, scoped by Location. An MSP engineer often holds People Manager + Device Enrollment Manager + Content Manager without being a full Administrator.

Lifecycle

Reset, deactivate, delete

Reset a forgotten password

Users → select user → Reset Password. Deliver via PDF, CSV, or email. The new value is a 90-day temporary password that must be changed on next sign-in.

Administrator forgot their own password

Use iforgot.apple.com. With only one Administrator, the reset is direct. With multiple, all admins are notified; if none acts within 72 hours, a reset link goes to the verified email and phone and is valid for 7 days. Always keep at least two Administrators.

Deactivate vs. delete

Deactivate is reversible and blocks sign-in. Deactivated accounts that stay inactive more than 30 days are auto-deleted by Apple Business. Delete is immediate and irreversible.

What happens to iCloud data

Managed iCloud data tied to the MAID becomes inaccessible once the account is deleted. Devices currently signed in are signed out at next check-in. Device DEP assignments survive because they’re tied to serial number, not user.

Offboarding iWork collaboration

There is no automatic ownership transfer. Before deletion, have the departing user share Pages, Numbers, Keynote, and Notes documents to the replacement MAID so ownership moves cleanly.

Federation changes nothing about deletion

Federated MAIDs still follow the same deactivate-then-auto-delete rules. The IdP controls sign-in, but the Apple-side account still has a lifecycle of its own inside Apple Business.

When it breaks

Common pitfalls

30-day personal Apple ID rename grace

When you capture the domain, users with personal Apple IDs on work emails have 30 days (reduced from 60) to rename or transfer. Requires iOS 18 / iPadOS 18 / macOS 15.1 / visionOS 2 or later to see the prompt. Expect a ticket wave.

Using a MAID on a personal device

Signs in, but App Store purchases with personal payment, Apple Pay, iCloud Mail, and Family Sharing are all blocked. Users hit this and call support — get ahead of it with onboarding docs.

2FA breaks kiosk-style shared MAIDs

Any workflow that shares one MAID across many kiosks with a single trusted number falls over under mandatory 2FA. Shared iPad and Guest Mode still work, so re-architect kiosks around those rather than a shared human account.

Role downgrade breaks MDM server tokens

The classic “SCIM credential validation failure”: demote the admin who originally generated an MDM server token and sync stops. Fix by regenerating the token from an account that holds Device Enrollment Manager, and updating the MDM.

Unaccepted Terms and Conditions

After Apple updates T&Cs, MDM sync silently fails until an Administrator (not a Site Manager, not a Content Manager) signs in and accepts the new terms.

SCIM token expiry

Tokens used by IdP-driven sync have a finite life. Schedule a calendar reminder well before expiry — tokens rarely break at a convenient time.
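Several of the lifecycle rules and pitfalls above (at least two Administrators, a break-glass admin on a non-federated domain, the 30-day deactivate-then-auto-delete window, tokens generated by a since-demoted account, and token expiry) can be checked from a roster export on a schedule. The audit below is an added example for this guide, not Apple Business functionality or Arclion's tooling: the Account and ServerToken records, the warning thresholds (7 days before auto-delete, 30 days before token expiry) and the sample roster are constructed, so map them onto whatever export your tenant or MDM actually provides.

```python
"""Roster audit against the MAID lifecycle rules in this guide (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

AUTO_DELETE_DAYS = 30            # from the guide: deactivated > 30 days is auto-deleted
DELETE_WARNING_DAYS = 7          # assumption: warn this many days before auto-delete
TOKEN_EXPIRY_WARNING_DAYS = 30   # assumption: warn this many days before a token expires
TOKEN_ROLES = {"Administrator", "Device Enrollment Manager"}  # roles that may own an MDM token


@dataclass
class Account:                   # constructed record shape, not an Apple export format
    maid: str
    roles: set
    federated: bool
    deactivated_on: Optional[date] = None   # None means the account is active


@dataclass
class ServerToken:               # constructed: who generated the MDM server token and when it expires
    name: str
    generated_by: str
    expires_on: date


def audit(accounts: list, tokens: list, today: date) -> list:
    """Return findings that an Apple admin should act on; empty means clean."""
    findings = []
    by_maid = {a.maid: a for a in accounts}
    active = [a for a in accounts if a.deactivated_on is None]

    # Always keep at least two Administrators, and one on a non-federated domain.
    admins = [a for a in active if "Administrator" in a.roles]
    if len(admins) < 2:
        findings.append(f"only {len(admins)} active Administrator(s); keep at least two")
    if not any(not a.federated for a in admins):
        findings.append("no active Administrator on a non-federated domain (break-glass)")

    # Deactivated accounts are auto-deleted after 30 days; iWork ownership does not transfer.
    for a in accounts:
        if a.deactivated_on is not None:
            days_left = AUTO_DELETE_DAYS - (today - a.deactivated_on).days
            if days_left <= DELETE_WARNING_DAYS:
                findings.append(f"{a.maid}: auto-delete in {days_left} day(s); confirm documents were shared")

    # A token whose generator was demoted or deactivated stops syncing; also watch expiry.
    for t in tokens:
        owner = by_maid.get(t.generated_by)
        if owner is None or owner.deactivated_on is not None or not (owner.roles & TOKEN_ROLES):
            findings.append(f"token {t.name}: generator {t.generated_by} no longer holds "
                            "Administrator or Device Enrollment Manager; regenerate the token")
        days = (t.expires_on - today).days
        if days <= TOKEN_EXPIRY_WARNING_DAYS:
            findings.append(f"token {t.name}: expires in {days} day(s)")
    return findings


# Constructed sample roster: one admin only, all federated, one departing user,
# and a production token generated by someone since demoted to Staff.
SAMPLE_ACCOUNTS = [
    Account("alice.kim@example.com", {"Administrator"}, federated=True),
    Account("bob.nair@example.com", {"People Manager", "Device Enrollment Manager"}, federated=True),
    Account("carol.fox@example.com", {"Content Manager"}, federated=True, deactivated_on=date(2026, 4, 6)),
    Account("dave.ito@example.com", {"Staff"}, federated=True),
]
SAMPLE_TOKENS = [
    ServerToken("MDM-prod", "dave.ito@example.com", date(2026, 12, 1)),
    ServerToken("MDM-lab", "bob.nair@example.com", date(2026, 5, 20)),
]


def sample_audit() -> list:
    """Run the audit on the constructed roster as of a fixed date."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_TOKENS, today=date(2026, 5, 1))


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

The `today` parameter is passed in rather than read from the clock so the audit is reproducible in a ticket; the token check deliberately treats a deactivated generator the same as a demoted one, since both end in the sync failure described under “Role downgrade breaks MDM server tokens”.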

Want this handled for you?

Arclion designs the MAID lifecycle as part of Foundation

Role assignments, break-glass admins, federation scope, password-reset runbooks, and the 30-day domain-capture communications are all standard work on an Arclion onboarding. If you’d rather skip learning this the hard way, Foundation includes the whole identity layer.

What to send

  • Your Apple Business status (new or existing)
  • IdP in use (Entra, Google Workspace, or none)
  • Rough number of Apple users