
Get an alert for iCloud account email domains in Device Health notification rules

Updated over a week ago

You can target Device Health notifications in Swif using the signed‑in iCloud account email domain. This lets you send different notifications based on which iCloud account a device is using (for example, to differentiate personal vs. corporate iCloud accounts).

There is currently no built-in mechanism (i.e., an MDM profile setting) to restrict an Apple ID to a specific domain and so enforce use of a Managed Apple ID. If your organization needs this to adopt Managed Apple IDs, file feedback with Apple.

Because of this limitation, monitoring via Device Health notifications using iCloud account email domains is currently the only way in Swif to be notified when a personal iCloud / Apple ID is being used on a managed device.


What this feature does

When you create or edit a Device Health unified notification rule, you can add a condition for:

iCloud account email domain

You can then:

  • Enter one or more domains, such as:

    • company.com

    • subsidiary.co

  • Choose how those domains are evaluated:

    • In domain list – only match devices whose signed‑in iCloud account email ends with one of the specified domains

    • Not in domain list – only match devices whose signed‑in iCloud account email does not end with any of the specified domains

This condition can be combined with any other Device Health rule conditions using the normal AND/OR grouping in the rule builder.


When to use iCloud account email domain rules

Common use cases:

  • Detect personal iCloud / unmanaged Apple IDs on managed devices
    Configure a rule to alert when a device is not using your corporate or managed Apple ID domain:

    • Operator: Not in domain list

    • Domains: your allowed domains, e.g. company.com

    • Result: you get notified when the iCloud account email is anything other than your corporate domain (i.e., likely a personal Apple ID).

  • Separate personal vs. corporate iCloud accounts

    • Notify only when a corporate iCloud account is in use:

      • Operator: In domain list

      • Domains: company.com, subsidiary.co

  • Target specific business units or subsidiaries

    • Only send certain Device Health alerts to devices signed in with:

      • subsidiary.co

      • partner.org

  • Gradual rollout / pilot groups

    • Create a rule that only targets beta.company.com domains for early testing.


How to add an iCloud account email domain condition

  1. Open unified notifications

    • Go to the Swif web app.

    • Navigate to your Settings > Notifications settings.

  2. Create or edit a Device Health rule

    • Create a new unified notification config and choose DEVICE_HEALTH events; or

    • Edit an existing DEVICE_HEALTH notification config.

  3. Add the iCloud account email domain condition

    • In the rule builder, add a new condition under Device Health fields.

    • Select iCloud account email domain (the label may appear as “iCloud account domain” or similar in the UI).

  4. Choose the operator

    • Select one of:

      • In domain list

      • Not in domain list

  5. Enter one or more domains

    • Type each domain in the input field. Examples:

      • company.com

      • subsidiary.co

    • Add additional domains as separate entries if needed.

    Format requirements:

    • Don’t include http:// or https://

    • Don’t include spaces

    • Use only the domain (e.g. company.com, not user@company.com)

  6. Save the rule

    • Complete any other conditions you need.

    • Save or update the unified notification config.


Editing or removing the condition

If a config already contains an iCloud account email domain condition:

  • When you open it, you’ll see:

    • The existing operator (In domain list / Not in domain list)

    • The list of domains that were previously configured

  • You can:

    • Add or remove domains

    • Change the operator

    • Remove the condition entirely

Changes to this condition will not affect any of your other rule groups or conditions.


Validation and error handling

The UI performs basic checks to help prevent invalid configs:

  • At least one domain required
    If you enable the iCloud account email domain condition, you must specify at least one domain.

  • Domain format checks

    • Domains are trimmed of leading/trailing spaces.

    • Entries with spaces or with http:// or https:// are rejected with an inline error.

  • Inline errors
    Any issues appear next to the field, consistent with other rule validation errors.

You must fix any validation errors before you can save or update the notification rule.
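The sketch below is an added example, not Swif's code. It shows the format checks above and the In domain list / Not in domain list evaluation described earlier, so you can test a domain list against sample account emails before saving a rule. It assumes the comparison is made on the whole domain part after the @. The operator names `in` / `not_in`, the `subdomains` switch and the handling of a device with no signed-in account are also assumptions.

```python
import re
from typing import Iterable, List, Optional

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize_domain(entry: str) -> str:
    """Apply the article's format rules to one entry; raise ValueError if invalid."""
    d = entry.strip().lower()              # leading/trailing spaces are trimmed
    if d.startswith(("http://", "https://")):
        raise ValueError("do not include http:// or https://")
    if any(c.isspace() for c in d):
        raise ValueError("do not include spaces")
    if "@" in d:
        raise ValueError("use only the domain, not an email address")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("not a domain name")
    return d

def email_domain(email: Optional[str]) -> Optional[str]:
    """Domain part of an account email, lower-cased, or None if absent/malformed."""
    if not email:
        return None
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else None

def in_domain_list(email, domains: List[str], subdomains: bool = False) -> bool:
    """Compare the whole domain part; a raw str.endswith() on the email would
    also accept look-alikes such as user@notcompany.com."""
    dom = email_domain(email)
    if dom is None:
        return False
    return any(dom == d or (subdomains and dom.endswith("." + d)) for d in domains)

def rule_matches(email, operator: str, entries: Iterable[str], subdomains=False) -> bool:
    """operator is 'in' or 'not_in' (hypothetical names for the two UI choices)."""
    domains = [normalize_domain(e) for e in entries]
    if not domains:
        raise ValueError("at least one domain is required")
    if operator not in ("in", "not_in"):
        raise ValueError("unknown operator")
    if email_domain(email) is None:
        return False   # assumption: no signed-in account means no match either way
    hit = in_domain_list(email, domains, subdomains)
    return hit if operator == "in" else not hit
```
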


How this interacts with other rules and APIs

  • The iCloud account email domain condition:

    • Uses the same AND/OR grouping logic as your other Device Health conditions.

  • Existing Device Health notification configs that don’t use this condition:

    • Continue to display and save as before.

    • Are not affected by this new option.
