Set up Platform SSO for Apple devices

With Apple Platform SSO, employees can use a Managed Apple ID to sign in on macOS, iOS, or iPadOS devices and automatically enroll into Swif for device management. Below are two ways to integrate Swif with Apple’s Platform SSO:

  1. CNAME approach – Point your chosen domain to apple-enrollment.swifteam.com.

  2. Hosting JSON – Serve a .well-known/com.apple.remotemanagement file yourself for Apple to fetch enrollment details.

Important

  • If you need both BYOD (Bring Your Own Device) and non-BYOD (Company-Owned/ADE) enrollments, each approach tells the two apart in a different way.

  • CNAME approach: one domain; BYOD vs. non-BYOD is decided by a .byod suffix on the local part of the Managed Apple ID (username.byod@… vs. username@…).

  • Hosting JSON: two separate domains, one serving the BYOD JSON and one serving the non-BYOD JSON.

  • Add each user’s Managed Apple ID to their Employee record in the Swif portal (see Section 2) so Swif can match the user during enrollment.


1. Prerequisites


  1. Admin access in Swif and Apple Business Manager (ABM) or Apple School Manager (ASM).

  2. Ability to configure DNS (for CNAME) or upload files to your domain (for JSON hosting).

  3. Managed Apple IDs set up in ABM/ASM for your employees.


2. Set Up Employee’s Managed Apple ID

Each employee who will use Apple Platform SSO needs a Managed Apple ID in your ABM/ASM.

  1. Create or Update the Managed Apple ID in ABM/ASM.

  2. In Swif, edit the employee’s profile and add the Managed Apple ID to the Managed Apple ID field. This ensures Swif matches the user to their device enrollment.

2.1 Differentiating BYOD vs. Non-BYOD

  • CNAME approach:

    • You have one domain, e.g. mdm.yourcompany.com, pointed to apple-enrollment.swifteam.com.

    • Separate employees’ IDs by a suffix on the local part of the Managed Apple ID, e.g.

      • BYOD: username.byod@swif.yourdomain

      • Non-BYOD: username@swif.yourdomain

  • Hosting JSON:

    • You need two different domains or subdomains (one for BYOD JSON, one for non-BYOD JSON).

    • Match each user’s Managed Apple ID domain to the correct enrollment flow.

      • employee@byod.yourcompany.com → fetches BYOD JSON

      • employee@company.yourcompany.com → fetches non-BYOD JSON


3. Method 1: CNAME to Swif

  1. Pick a subdomain

    • For example, mdm.yourcompany.com.

  2. Create a CNAME record

    • Point mdm.yourcompany.com → apple-enrollment.swifteam.com.

  3. Verify

    • Check via a DNS lookup tool.

  4. Set the domain in Swif
    In the Swif admin console, set the domain you want to use for Platform SSO.

    You can also set it on the Device Enrollment page.

  5. Enrollment (optional; the full test procedure is in Section 6)

    • On an Apple device, go to System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).

    • Tap or click Sign in to Work or School Account.

    • If prompted for a domain, enter mdm.yourcompany.com.

    • The user enters their Managed Apple ID (e.g., username@swif.yourdomain).

    • Swif enrolls the device as BYOD or non-BYOD based on the local part of the ID (a .byod suffix means BYOD).

    • No separate Swif login prompt appears; the Managed Apple ID sign-in drives the entire flow.


4. Method 2: Host the JSON on Your Own Domain(s)

4.1 Two Domains for BYOD and Non-BYOD

  • Each domain can only serve one JSON at /.well-known/com.apple.remotemanagement.

  • If you need both BYOD and non-BYOD, create two domains or subdomains, e.g.:

    • byod.yourcompany.com → BYOD JSON

    • company.yourcompany.com → Non-BYOD JSON

4.2 Obtain the Correct JSON

Swif provides:

Non-BYOD (Company-Owned / ADE)

{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}"
    }
  ]
}

BYOD

{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}&isbyod=true"
    }
  ]
}

Replace {{IDENTIFIER}} with your Swif team identifier before publishing the file; the device does not resolve the placeholder.

4.3 Serve the JSON at /.well-known/com.apple.remotemanagement

  1. Create the .well-known folder

    • For example:

      • byod.yourcompany.com/.well-known/com.apple.remotemanagement

      • company.yourcompany.com/.well-known/com.apple.remotemanagement

  2. Return the JSON

    • The URL must return HTTP 200 with only the JSON body: no .json extension in the path, no HTML wrapper, no redirect to a login page.

    • Serve it over HTTPS with a certificate the device trusts, and send Content-Type: application/json.

    • The device appends query parameters to the request (for example user-identifier=<Managed Apple ID>); the server must accept them and return the same document regardless.

  3. Enrollment Flow (optional; the full test procedure is in Section 6)

    • On the Apple device

      1. Open System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).

      2. Tap or click Sign in to Work or School Account.

    • Enter Your Managed Apple ID

      1. Apple prompts the user for the Managed Apple ID to proceed with Platform SSO.

      2. If the user’s ID domain is byod.yourcompany.com, Apple fetches the BYOD JSON; for company.yourcompany.com, it fetches the non-BYOD JSON.

    • No Extra Sign-In

      1. Once Apple validates the Managed Apple ID, the device automatically follows Swif’s enrollment—no separate Swif credentials are required.
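The hosting requirements in 4.1 through 4.3 (one document per domain, exact path, JSON-only body, query parameters ignored) are easy to get subtly wrong with a static file host. The following is an added example, not Swif's code or a file from this article: a minimal discovery server that builds the two documents from section 4.2 and routes on the Host header. The team identifier, hostnames and port are placeholders; it speaks plain HTTP for local testing, so in production it must sit behind a TLS terminator with a certificate the device trusts.

```python
"""Serve the Apple discovery JSON for BYOD and non-BYOD hosts (added example)."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed values for illustration: replace with your own team identifier and hosts.
TEAM_IDENTIFIER = "EXAMPLE-TEAM-ID"
BYOD_HOST = "byod.yourcompany.com"
CORP_HOST = "company.yourcompany.com"

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_BASE = "https://mdm.swifteam.com/api/v1/sso/enroll"


def discovery_document(team_identifier: str, byod: bool) -> dict:
    """Build the JSON body from section 4.2 for one enrollment type."""
    base_url = f"{ENROLL_BASE}?team-identifier={team_identifier}"
    if byod:
        base_url += "&isbyod=true"
    return {"Servers": [{"Version": "mdm-byod" if byod else "mdm-adde",
                         "BaseURL": base_url}]}


# Exactly one document per host, because Apple reads a single JSON per domain.
DOCUMENTS = {
    BYOD_HOST: discovery_document(TEAM_IDENTIFIER, byod=True),
    CORP_HOST: discovery_document(TEAM_IDENTIFIER, byod=False),
}


def route(host: str, target: str):
    """Return (status, content_type, body) for a GET of `target` on `host`.

    The device appends query parameters (e.g. user-identifier) to the
    well-known URL; they are ignored so every caller gets the same JSON.
    Anything but the exact path on a known host is a 404, so a stray
    ".json" suffix or an unknown subdomain fails loudly instead of serving
    an HTML error page with a 200.
    """
    hostname = host.split(":", 1)[0].lower()   # drop an explicit port
    path = urlsplit(target).path
    doc = DOCUMENTS.get(hostname)
    if doc is None or path != WELL_KNOWN_PATH:
        return 404, "text/plain", b"not found"
    body = json.dumps(doc, separators=(",", ":")).encode()
    return 200, "application/json", body


class DiscoveryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = route(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP on localhost for testing only; terminate TLS in front of this
    # in production, since the device fetches the well-known URL over HTTPS.
    HTTPServer(("127.0.0.1", 8080), DiscoveryHandler).serve_forever()
```

With a reverse proxy in front, point both byod.yourcompany.com and company.yourcompany.com at this process; the Host header selects the document, so one process covers both domains without two copies of the file.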


5. Add Managed Apple ID to Apple Business Manager and Swif

  1. Add a new managed domain, e.g. swif.<yourdomain> or {{DOMAIN}}, to Apple Business Manager (ABM) → Managed Apple Accounts. You need to create a TXT record on your DNS server to verify the newly added managed domain.

    1. After the domain is verified and added to ABM, please remove the TXT record from your DNS server.

  2. Create a Managed Apple ID for the employee (device user) in Apple Business Manager using these formats:

    1. CNAME:

      1. For BYOD (Bring your own device) users: xxx.byod@swif.{yourdomain}

      2. For Non-BYOD users: xxx@swif.{yourdomain}

    2. JSON Hosting:

      1. For BYOD (Bring your own device) users: xxx@byod.yourcompany.com

      2. For Non-BYOD users: xxx@company.yourcompany.com

  3. After creating the account, notify the user so they can complete the initial sign-in with the new Managed Apple ID.


6. Test Enrollment

To enroll a device via Platform SSO, follow these steps.

  • On the Apple Device

    • Go to System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).

    • Tap or click Sign in to Work or School Account.

  • Enter Your Managed Apple ID

    • Apple will prompt the user for the Managed Apple ID to proceed with Platform SSO.

  • Swif Enrollment

    • If the system finds a valid JSON in the domain of the managed Apple ID ({{DOMAIN}}/.well-known/com.apple.remotemanagement), it will trigger the Swif enrollment flow.

  • Enrollment Completes

    • The device finalizes MDM enrollment with Swif. Users will see confirmation of a “Work or School” account added.


7. Troubleshooting & FAQs

  1. DNS and HTTP Checks

    • The device performs discovery against the domain part of the Managed Apple ID, so that is the domain whose record or hosted file it will look at (if discovery fails, the device asks for a domain).

    • For the CNAME approach, confirm mdm.yourcompany.com → apple-enrollment.swifteam.com (e.g., dig +short CNAME mdm.yourcompany.com).

    • For JSON hosting, ensure https://<domain>/.well-known/com.apple.remotemanagement is publicly reachable, returns HTTP 200 with Content-Type application/json, and serves only the JSON (no redirect, no HTML).

  2. Managed Apple ID Setup

    • Make sure each employee’s Managed Apple ID is also updated in Swif’s Employee settings. Without this, Swif cannot match the user during enrollment.

  3. BYOD vs. Non-BYOD

    • CNAME: a .byod suffix on the local part of the Managed Apple ID (username.byod@…) means BYOD; no suffix means non-BYOD.

    • JSON: Use separate domains for each scenario.

  4. One JSON per Domain

    • Apple only supports a single JSON response at /.well-known/com.apple.remotemanagement per domain.

  5. No Additional Authentication

    • Platform SSO handles enrollment with the Managed Apple ID, so employees do not sign in separately to Swif.

    • The discovery JSON is public by design: anyone can fetch it and read your team identifier. The Managed Apple ID sign-in is what gates enrollment, so protect those accounts, not the JSON.

  6. Contact Support

    • If enrollment fails, check device logs and your domain setup. Contact Swif Support if you need more assistance.
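Before opening a support ticket, it helps to reproduce what the device does during discovery (Section 6) and apply the checks from item 1 above mechanically. The script below is an added example, not a Swif tool: it derives the well-known URL from the domain part of a Managed Apple ID, decides which Version the JSON should carry under this article's naming conventions, and reports every deviation from the hosting requirements in 4.3. The sample identifiers and the network call in check() are assumptions for illustration.

```python
"""Fetch and validate the discovery document a device would see (added example)."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
VALID_VERSIONS = {"mdm-byod", "mdm-adde"}


def discovery_url(managed_apple_id: str) -> str:
    """URL the device requests: https://<ID domain>/.well-known/... with the ID
    passed as user-identifier (the server must tolerate that parameter)."""
    local, _, domain = managed_apple_id.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email-style identifier: {managed_apple_id!r}")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}?user-identifier={quote(managed_apple_id)}"


def expected_version(managed_apple_id: str, cname_convention: bool) -> str:
    """Version the JSON should carry, using this article's naming rules:
    CNAME approach -> '.byod' suffix on the local part; JSON hosting -> 'byod.' subdomain."""
    local, _, domain = managed_apple_id.lower().rpartition("@")
    byod = local.endswith(".byod") if cname_convention else domain.startswith("byod.")
    return "mdm-byod" if byod else "mdm-adde"


def validate_discovery(status: int, content_type: str, body: bytes, want_version: str) -> list:
    """Return a list of problems; an empty list means the response is usable."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if not content_type.lower().startswith("application/json"):
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        problems.append("body is not JSON (an HTML page or redirect stub?)")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append("expected a non-empty 'Servers' array")
        return problems
    entry = servers[0]
    version, base_url = entry.get("Version"), entry.get("BaseURL", "")
    if version not in VALID_VERSIONS:
        problems.append(f"unknown Version {version!r}")
    elif version != want_version:
        problems.append(f"Version is {version}, but this ID should map to {want_version}")
    if not base_url.startswith("https://"):
        problems.append("BaseURL must be an https:// URL")
    if "{{" in base_url or "team-identifier=" not in base_url:
        problems.append("BaseURL still carries the {{IDENTIFIER}} placeholder or lacks team-identifier")
    if want_version == "mdm-byod" and "isbyod=true" not in base_url:
        problems.append("BYOD document is missing isbyod=true")
    return problems


def check(managed_apple_id: str, cname_convention: bool) -> list:
    """Perform the GET the device would make and validate the answer (network)."""
    url = discovery_url(managed_apple_id)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as e:
        status, ctype, body = e.code, e.headers.get("Content-Type", ""), e.read()
    return validate_discovery(status, ctype, body, expected_version(managed_apple_id, cname_convention))


if __name__ == "__main__":
    # Assumed sample ID; pass a real one as the first argument.
    apple_id = sys.argv[1] if len(sys.argv) > 1 else "alice@byod.yourcompany.com"
    for line in check(apple_id, cname_convention=False) or ["OK"]:
        print(line)
```

A non-empty problem list points at the exact hosting or naming mistake (HTML error page served with 200, placeholder left in BaseURL, BYOD document on the non-BYOD domain) before you involve device logs or Swif Support.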


That’s it! By setting up your domain and JSON (or CNAME) and assigning each employee’s Managed Apple ID in Swif, you’ll enable a seamless Apple Platform SSO flow. Users simply sign in with their Managed Apple ID on the device, and enrollment completes automatically—no separate Swif login is required. For more details, see Swif’s Knowledge Base or contact our Support team.
