Managed Apple ID Sign‑in on Swif‑Managed Apple Devices

Updated yesterday

This article explains how Managed Apple ID sign‑in works on Apple devices that are managed with Swif MDM, and how it relates to the Managed Devices only and Supervised Devices only options in Apple Business Manager (ABM) / Apple School Manager (ASM).

It’s written for admins who manage Apple devices with Swif and want to understand what happens when users sign in with Managed Apple IDs on corporate devices.


What is Managed Apple ID Sign‑in?

A Managed Apple ID is an Apple ID that your organization creates and controls in Apple Business Manager or Apple School Manager. Users typically use these IDs for:

  • iCloud Drive and iCloud Keychain

  • App Store and Apple Books (where supported)

  • iCloud backup and other Apple services tied to a work account

When a user signs in with a Managed Apple ID on a device, Apple needs to check whether the device is:

  • Assigned to your organization, and

  • Properly managed by your MDM (Swif).

That check is what connects Managed Apple ID sign‑in to your MDM configuration and the device’s supervision/management status.


How Swif Works with “Managed Devices only” and “Supervised Devices only”

In Apple Business Manager / Apple School Manager, you can limit where Managed Apple IDs can be used by selecting options such as:

  • Managed Devices only

  • Supervised Devices only

Swif fully supports these Apple‑side restrictions, with the following behavior:

1. Managed Devices only

If you configure Managed Apple IDs to be allowed on Managed Devices only:

  • Users can sign in with their Managed Apple ID on devices that:

    • Are assigned to your ABM/ASM account, and

    • Are enrolled and managed by Swif MDM (for example, via Automated Device Enrollment / DEP).

  • Users cannot sign in with their Managed Apple ID on:

    • Personal devices that are not enrolled in Swif, or

    • Devices that are not associated with your ABM/ASM account.

What Swif does in this case

When the user tries to sign in:

  1. The user enters their Managed Apple ID on the device.

  2. Apple’s servers determine that the device is associated with your organization and should be managed.

  3. Apple contacts Swif’s MDM server and requests a token from Swif (via Apple’s internal “Get Token” mechanism).

  4. If Swif returns a valid response, Apple confirms that the device is indeed managed by Swif for your organization.

  5. Apple allows the Managed Apple ID sign‑in to complete successfully.

All of this happens automatically and silently in the background; there’s nothing additional you need to configure on the Swif side beyond your normal ABM + ADE setup.


2. Supervised Devices only

If you configure Managed Apple IDs to be allowed on Supervised Devices only:

  • Users can sign in with their Managed Apple ID on devices that:

    • Are enrolled with Swif, and

    • Are in Supervised state (for example, Macs and iOS/iPadOS devices enrolled through ADE/DEP with supervision enabled).

  • Users cannot sign in with their Managed Apple ID on:

    • Non‑supervised devices, even if they are technically managed or enrolled, or

    • Personal devices not managed by your organization.

What Swif does in this case

The flow is very similar to the “Managed Devices only” case, with an extra expectation from Apple:

  1. The user attempts to sign in with a Managed Apple ID.

  2. Apple’s backend verifies:

    • That the device is linked to your organization in ABM/ASM, and

    • That the device is Supervised and managed by your MDM.

  3. As part of this, Apple calls Swif’s MDM server and requests a token (Get Token flow).

  4. Swif’s MDM responds with a valid token/response if the device is enrolled via ADE and in Supervised state under your account.

  5. If the conditions are met, Apple allows the Managed Apple ID sign‑in; otherwise, sign‑in is blocked according to your ABM/ASM settings.

Again, this is completely transparent to the user and to admins; supervision state and ADE enrollment are what matter.


What Admins Need to Configure

You do not need to configure or call any special “Get Token” API in Swif. The Get Token interaction is Apple ↔ Swif internal plumbing that is already handled by our MDM integration.

To ensure Managed Apple ID sign‑in behaves correctly with your chosen restriction:

  1. In Apple Business Manager / Apple School Manager

    • Configure the Managed Apple ID restrictions:

      • Choose Managed Devices only or Supervised Devices only, depending on your policy.

    • Make sure the devices are:

      • Assigned to your Swif MDM server, and

      • Set to enroll via Automated Device Enrollment (ADE/DEP).

  2. In Swif

Once those pieces are in place, Apple’s Managed Apple ID policies (“Managed Devices only” / “Supervised Devices only”) will work as expected on Swif‑managed devices.


Behind the Scenes: How Apple Confirms Swif Management

For completeness (primarily for security/IT reviewers):

  • When a user signs in with a Managed Apple ID on an ADE‑enrolled device, Apple’s servers contact Swif’s MDM and request a token.

  • If Swif’s MDM server returns a valid token/response, Apple:

    • Confirms that the device is managed by Swif for your organization.

    • Applies your Managed Apple ID restriction setting (Managed Devices only / Supervised Devices only) accordingly.

  • If the response is invalid or the device is not recognized as properly managed/supervised:

    • Apple may block Managed Apple ID sign‑in, depending on your ABM/ASM configuration.

This token exchange is automatic and is not something you call directly or need to implement on your side.


Troubleshooting Tips

If users cannot sign in with Managed Apple IDs as expected:

  1. Check ABM/ASM settings

    • Confirm whether Managed Apple IDs are restricted to Managed Devices only or Supervised Devices only, and whether the affected device meets that requirement.

  2. Verify assignment and enrollment

    • Ensure the device:

      • Is assigned to your Swif MDM server in ABM/ASM, and

      • Was enrolled via Automated Device Enrollment (not just user‑initiated MDM enrollment).

  3. Confirm supervision state

    • For Supervised Devices only, verify in Swif that the device appears as Supervised.

  4. Re‑enroll if needed

    • If the device is not supervised or not correctly assigned, consider:

      • Reassigning it to Swif in ABM/ASM, and

      • Wiping and re‑enrolling via ADE/DEP so that supervision and management state are correct.
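
The local part of steps 2 and 3 can be scripted on a Mac. The following is an added example, not Swif's or Apple's code: it classifies the output of the macOS `profiles status -type enrollment` command and evaluates it against the chosen restriction. The function names, the sample output and the `yes`/`no` supervision argument (read by the admin from the Swif console) are assumptions.

```shell
#!/bin/sh
# Added example (not Swif's code); function names are hypothetical.

# Read `profiles status -type enrollment` output on stdin and print
# one of: ade | user-initiated | not-enrolled
classify_enrollment() {
    dep=no; mdm=no
    while IFS= read -r line; do
        case "$line" in
            *"Enrolled via DEP: Yes"*) dep=yes ;;
            *"MDM enrollment: Yes"*)   mdm=yes ;;
        esac
    done
    if [ "$mdm" = no ]; then echo "not-enrolled"
    elif [ "$dep" = yes ]; then echo "ade"
    else echo "user-initiated"
    fi
}

# signin_precheck RESTRICTION ENROLLMENT SUPERVISED
#   RESTRICTION: managed | supervised  (the ABM/ASM setting)
#   ENROLLMENT:  value printed by classify_enrollment
#   SUPERVISED:  yes | no, as shown for the device in the Swif console
signin_precheck() {
    case "$2" in
        not-enrolled)   echo "fail: device is not enrolled in MDM"; return 1 ;;
        user-initiated) echo "fail: enrolled, but not via ADE (step 2)"; return 1 ;;
        ade) ;;
        *) echo "fail: unknown enrollment state '$2'"; return 1 ;;
    esac
    if [ "$1" = supervised ] && [ "$3" != yes ]; then
        echo "fail: Supervised Devices only is set, device is not supervised (step 3)"
        return 1
    fi
    echo "ok: device meets the local preconditions"
}

# Constructed sample output, used when the macOS `profiles` tool is absent.
SAMPLE='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'

if command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment 2>/dev/null | classify_enrollment)
else
    state=$(printf '%s\n' "$SAMPLE" | classify_enrollment)
fi
signin_precheck "${1:-managed}" "$state" "${2:-no}" || true
```

An `ok` result only covers what the device can report locally; assignment to the Swif MDM server in ABM/ASM still has to be confirmed in ABM/ASM itself.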
