Apple devices rely on an Apple ID (formerly iCloud) account for various services (e.g. Find My) and integrations to function, as well as to link software licenses purchased via the App Store. There are two distinct types of Apple IDs which a device may be configured with or associated with:
Personal Apple ID (default)
Managed Apple ID (configured through Apple Business Manager)
Increasingly, organization-owned devices (such as MacBooks) are being taken off-site to personal residences for employees to use in a Work From Home context. This shift has resulted in a greater overlap of personal and work related activity taking place on organization-owned devices. For this reason, many organizations are reevaluating which features of macOS they wish to permit in their Acceptable Use Policy documents.
Dealing with Apple ID in a corporate environment
A common question we are asked at Kolide is to build Checks relating to the configured Apple ID on devices. This task, however, comes with a number of downstream effects which you should be aware of before deciding how to proceed.
The most common form this question takes is:
"I want to find individuals using a personal email address for their Apple ID account"
Before we dive into the request, let's unpack Apple ID for a moment. As mentioned above, Apple ID is a tightly integrated component of the macOS experience and understanding how it is used can help inform the scope of your security objectives.
What capabilities does connecting an Apple ID enable?
The syncing services provided via a personal Apple ID are considerable due to the intended Quality of Life benefits they offer a normal home user:
Keychain: Includes password manager features which allow a user to securely generate and store authentication credentials.
Cloud Drive (Documents, Desktop, Photos): These synced User home directory folders allow a user to access documents they have saved via the Cloud.
Find My: Allows a user to remotely locate a device in the event it becomes lost or stolen.
Calendar, Contacts and Mail: These basic apps/services can be configured with both personal and work information.
Media & Purchases: Apps purchased through the App Store are associated with the Apple ID which purchased them, and can be transferred from device to device.
Why are personal Apple IDs sometimes a concern for IT and Security administrators?
There are a variety of reasons an IT or Security administrator may wish to limit or prohibit the usage of personal Apple IDs on company provided devices. The following are some (but not all) possible reasons:
Shadow IT commonly refers to personal or unmanaged SaaS services (typically Cloud storage solutions) which are not within the purview of the IT or Security team at an organization.
A good example of Shadow IT would be an employee connecting a personal Dropbox account to a company laptop when their organization uses a corporate managed (G Suite) Google Drive account. An employer may worry that this personal Dropbox account could unintentionally sync proprietary or sensitive organization data, with no ability for the company to know what was synced or to revoke access in the event the employee leaves the company.
Devices which have Secure Enclaves (T1- and T2-equipped Intel Macs, and all M1 Macs) and are not enrolled in MDM have a feature called Activation Lock which works with Find My to prevent a device from being recovered or reimaged without the express authorization of the registered Apple ID on the device. This can pose an issue if a company-owned device (with Find My enabled) is returned to an IT department, as the device will not be serviceable until that Apple ID has been disconnected or Find My has been disabled.
For this reason, Apple expressly recommends to personal users that they turn off Activation Lock when sending a device in for service, or transferring ownership to another individual. (https://support.apple.com/en-us/HT208987)
When an end-user purchases software licenses through the Apple App Store using their personal Apple ID, the license is non-transferable and linked to their Apple ID. This means that if the software is intended to be used for work purposes, that license cannot be reprovisioned to another end-user in the future in the event the existing end-user discontinues their employment.
What alternatives to Personal Apple IDs exist?
For a number of years Apple has provided a more restricted version of Apple ID used in education environments called Managed Apple IDs; in 2018 these Managed Apple IDs were made available for Apple Business Program accounts as well. These Managed Apple IDs are provisioned, configured and managed through the Apple Business Manager portal: https://business.apple.com/
Managed Apple IDs have several key differences which you should be aware of:
Managed Apple ID Restrictions:
End users cannot purchase or install apps of their own choosing through the App Store
Apple Pay is disabled
Find My is disabled
Cloud Keychain is disabled
Cloud Family Sharing is disabled
Cloud Photos is disabled
Cloud Mail is disabled
Sidecar is disabled
Media services (such as Apple Music, Apple TV+, Apple Arcade, etc.) cannot be accessed
Managed Apple ID Benefits:
Apple ID access can be provisioned, configured, managed and revoked for onboarding/offboarding purposes
Apple ID passwords can be reset by an administrator if a user forgets their password
App Store app licenses can be centrally managed, purchased and distributed/reprovisioned as needed.
If iCloud FileVault recovery is configured, an administrator can recover FileVault without an escrowed key via Apple ID password reset.
As you can see there are a significant number of considerations to take into account before deciding which path is best for your organization, and the level of control/restriction you wish to deploy.
What are my choices as an employer?
Allow end users to use their personal Apple ID with their work laptop.
We believe this is the best choice for organizations who do not have an explicit compliance requirement prohibiting Apple ID/iCloud usage. The risk of unauthorized data syncing is no greater than an employee uploading or emailing sensitive files via other services. If utilizing an MDM, items such as Activation Lock and FileVault 2 recovery can be managed without the need for a Managed Apple ID.
Configure Managed Apple IDs for employees and require their usage.
This will permit greater control at the cost of reduced/restricted end-user functionality.
Use a personal Apple ID with a corporate email.
See below for why this is not recommended.
Why might personal Apple IDs with company emails be inadvisable?
By having an employee use their work email to sign up for a personal Apple ID you are obtaining none of the benefit of a Managed Apple ID while ultimately negatively impacting the user experience of your employee.
You will not be able to:
Centrally configure or manage company Apple IDs
Revoke access to Apple ID services or synced data when the employee leaves
Furthermore, the employee will still be able to sync files and services to iCloud, purchase software licenses, Activation Lock their device etc.
*A Caveat to these limitations*
Some teams work around the limitations of personal Apple IDs configured via their work email address by assuming they can access the email of their employees upon termination.
By accessing an employee's work email (which they signed up for Apple ID with), an administrator may be able to reset the Apple ID password and subsequently delete any synced information, preventing the end-user from accessing that Apple ID, as well as ensuring any linked services requiring Apple ID authorization (e.g. Activation Lock) can be disabled by the administrator.
Wrapping things up
With the context provided in this article, it is ultimately up to the IT or Security team to decide which path is best for their organization. Kolide can then assist in identifying any Apple IDs connected to a device and emit notifications if they do not match the criteria you choose.
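The following is an added example, not Kolide's own Check logic or any Apple API, showing how the policy choices above can be turned into a device-level check. It evaluates constructed inventory records (hostname, signed-in Apple ID, MDM enrollment, Find My state, Secure Enclave hardware) against an assumed policy and reports three of the conditions discussed in this article: a personal Apple ID, a personal Apple ID registered with a corporate email, and Find My enabled on Secure Enclave hardware that is not MDM-enrolled (the Activation Lock serviceability problem). Because a personal Apple ID created with a work email cannot be distinguished from a Managed Apple ID by its domain alone, the check assumes a roster of Managed Apple IDs exported from Apple Business Manager; the domains, hostnames and addresses are all constructed for the example.

```python
"""Evaluate constructed device inventory records against an Apple ID policy.

Added example: not Kolide's Check implementation and not an Apple API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    hostname: str
    apple_id: Optional[str]   # email of the signed-in Apple ID, or None if none is configured
    mdm_enrolled: bool
    find_my_enabled: bool
    secure_enclave: bool      # T1/T2 Intel Macs and Apple silicon Macs (Activation Lock capable)


@dataclass
class Policy:
    corporate_domains: Set[str]      # domains the organization owns (constructed)
    managed_apple_ids: Set[str]      # roster assumed to be exported from Apple Business Manager
    allow_personal_ids: bool = True  # the "allow personal Apple ID" choice from the article


def apple_id_domain(apple_id: str) -> Optional[str]:
    """Return the lower-cased domain part of an Apple ID email, or None if malformed."""
    if "@" not in apple_id:
        return None
    return apple_id.rsplit("@", 1)[1].strip().lower()


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy findings for one device (empty list means compliant)."""
    findings: List[str] = []

    if device.apple_id:
        aid = device.apple_id.strip().lower()
        domain = apple_id_domain(aid)
        if aid in policy.managed_apple_ids:
            pass  # Managed Apple ID: centrally provisioned and revocable, nothing to flag
        elif domain in policy.corporate_domains:
            # Corporate email, but absent from the ABM roster: a personal Apple ID
            # signed up with a work address, which the article advises against.
            findings.append("personal_apple_id_with_corporate_email")
        elif not policy.allow_personal_ids:
            findings.append("personal_apple_id")

    # Activation Lock can only be cleared centrally when the device is MDM-enrolled;
    # Find My on Secure Enclave hardware outside MDM means IT cannot reimage it alone.
    if device.find_my_enabled and device.secure_enclave and not device.mdm_enrolled:
        findings.append("activation_lock_not_manageable")

    return findings


def run_checks(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Run the check over a fleet and map hostname -> findings."""
    return {d.hostname: evaluate(d, policy) for d in devices}


# Constructed sample data for the example (not real devices or accounts).
SAMPLE_POLICY = Policy(
    corporate_domains={"example.com"},
    managed_apple_ids={"alice@example.com"},
    allow_personal_ids=False,
)

SAMPLE_DEVICES = [
    Device("mbp-alice", "Alice@Example.com", mdm_enrolled=True, find_my_enabled=False, secure_enclave=True),
    Device("mbp-bob", "bob@example.com", mdm_enrolled=True, find_my_enabled=False, secure_enclave=True),
    Device("mbp-carol", "carol.home@gmail.invalid", mdm_enrolled=False, find_my_enabled=True, secure_enclave=True),
    Device("mbp-dave", None, mdm_enrolled=True, find_my_enabled=False, secure_enclave=False),
]

if __name__ == "__main__":
    for host, findings in run_checks(SAMPLE_DEVICES, SAMPLE_POLICY).items():
        print(f"{host}: {', '.join(findings) or 'ok'}")
```

The roster lookup is what makes the second finding possible: a domain match on its own would wrongly treat bob's personal Apple ID as managed, which is the trap described under "Why might personal Apple IDs with company emails be inadvisable?". Switching `allow_personal_ids` to `True` drops the `personal_apple_id` finding for carol while keeping the Activation Lock finding, since that one depends on MDM enrollment rather than on the type of Apple ID.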