Apple Business Manager
Early Access release. See Enable self-service features.
Okta can be used to create Managed Apple IDs, which allow users to sign in to certain Apple services with their Okta credentials. This is accomplished by establishing a connection between Okta and Apple Business Manager.
Any step in this process that requires Apple Business Manager can also be completed in Apple School Manager if you have an Administrator role.
Before you begin
- Administrator access to Apple Business Manager is required. The other roles listed (People Manager, Device Enrollment Manager, Content Manager, and Staff) don't have the necessary permissions to complete this process.
- In the Okta Admin Console, locate and enable the Managed Apple ID Federation and Provisioning feature.
- Ensure that your Okta account has super admin permission enabled, and that your account is assigned as a user.
Set up Federated Authentication
Federated authentication is configured in the Okta Admin Console and in Apple Business Manager.
Configure app integration in Okta
- In the Okta Admin Console, go to .
- Click Create App Integration.
- Choose OIDC - OpenID Connect as the Sign-in method, and Web Application as the Application type. Click Next.
- On the New Web App Integration page, enter the following:
  - App Integration Name: Apple Business Manager OIDC
  - Grant type: Check the boxes for Authorization Code and Refresh Token.
  - Sign-in redirect URIs: Enter https://gsa-ws.apple.com/grandslam/GsService2/acs. This is a static URI provided by Apple and can be found in the Apple Business Manager console.
  - Assignments: For the initial app integration, assign the application to your admin. Further assignments are required for all accounts that have a Managed Apple ID and need to authenticate using Okta.
- Click Save.
- Click the Okta API Scopes tab. In the list of API Scopes, locate the ssf.manage and ssf.read scopes and click Grant for each. If you can't find ssf.manage and ssf.read in the API Scopes list, contact your Okta account representative.
- Click the General tab, which contains the information that you add in Apple Business Manager. Make note of the Client ID and Client Secret to add in the next step.
Configure Custom Identity Provider in Apple Business Manager
- Sign in to Apple Business Manager and go to .
- Enter the required information:
  - Client ID: This is located in the Client Credentials section of the app integration that you created in the previous step.
  - Client Secret: This is located in the Client Secrets section of the app integration that you created in the previous step.
  - SSF Config URL: https://yourOktaOrgURL/.well-known/ssf-configuration
  - OpenID Config URL: https://yourOktaOrgURL/.well-known/openid-configuration
- Click Continue. You're prompted to sign in to Okta as a super admin to connect Apple Business Manager to your Okta org.
  If you aren't prompted to sign in to Okta after clicking Continue, you may need to open the Apple Business Manager console in an incognito browser window.
- If Apple Business Manager and Okta are successfully linked, a message confirms that the Federated Authentication setup is complete. Click Done.
Set up Directory Sync between Apple and Okta
- In the Okta Admin Console, go to .
- Click Create App Integration.
- Select SAML 2.0 and click Next.
- Enter the App name as Apple Business Manager SCIM and click Next.
- Add the following entries:
  - Single sign-on URL: https://YourOktaOrgURL
  - Audience URI (SP Entity ID): https://YourOktaOrgURL
- Click Save.
- Switch to the Apple Business Manager console window.
- Go to and click Custom Sync.
- Enter the Authorization callback URL using the following format:
  https://system-admin.okta.com/admin/app/cpc/<SAML_AppBundleName>/oauth/callback
  The okta.com portion of the authorization callback URL can be okta.com, oktapreview.com, or okta-emea.com, depending on your Okta tenant location. For example, if your Okta tenant is on oktapreview.com, change https://system-admin.okta.com/admin/app/cpc/<SAML_AppBundleName>/oauth/callback to https://system-admin.oktapreview.com/admin/app/cpc/<SAML_AppBundleName>/oauth/callback.
  The SAML_AppBundleName can be found in the Okta Admin Console in . Click Apps under the Filters heading, and locate the entry for the Apple Business Manager SCIM app integration you created in the previous step. Open it, and copy the value shown for the variable name. Add this value to the authorization callback URL.
  If your Okta org URL has a dash (-), ensure that the character is included in the App Bundle name before continuing. The profile editor removes - characters, but if the dash is part of the org name, it's required.
- After adding the Authorization callback URL in Apple Business Manager, click Continue to access more configuration details needed to complete the SCIM configuration.
- In the Okta Admin Console, go to . Go to the Apple Business Manager SCIM app that you created in step 2.
- On the General tab, click Edit in the App Settings section.
- Next to Provisioning, select the SCIM radio button and then click Save.
- Move to the Provisioning tab and click Edit in the SCIM Connection section.
- Enter the following information. The configuration details are from the Custom Sync that you created in Apple Business Manager:
- SCIM connector base URL: https://federation.apple.com/feeds/business/scim
- Unique identifier field for users: userName. This field is case-sensitive.
- Supported provisioning actions: Select Import New Users and Profile Updates, Push New Users, and Push Profile Updates.
- Authentication Mode: Select OAuth 2 from the dropdown menu.
- Access token endpoint URI: https://appleid.apple.com/auth/oauth2/v2/token
- Authorization endpoint URI: https://appleid.apple.com/auth/oauth2/v2/authorize
- Client ID: Copy this from your Apple Business Manager Custom Sync configuration details.
- Client Secret: Copy this from your Apple Business Manager Custom Sync configuration details.
- Ensure that the Custom Sync profile is saved in Apple Business Manager. Return to the Okta Admin Console and click Test Connector Configuration.
- At the prompt, enter your Apple Business Manager credentials. Completing this successfully connects your Apple and Okta configurations.
Assign your users, including yourself, to the new application to use Managed Apple ID. The list of users should match the assignment list for the OIDC app created in Set up Federated Authentication.
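As an added pre-flight check (not Okta's or Apple's code) for the values entered in Set up Federated Authentication and in the Custom Sync step above: it derives the two .well-known URLs from the org URL, builds the Custom Sync callback URL with the system-admin domain matched to the tenant and applies the dash rule for the App Bundle name, and flags an openid-configuration document that doesn't advertise the Authorization Code and Refresh Token grants the OIDC app relies on. The org URL, bundle name and discovery document are constructed placeholders, and deriving the tenant suffix from the org hostname is an assumption.

```python
import json
from urllib.parse import urlparse

# Tenant domains named on the page; which one applies is derived from the org URL (assumption).
OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")


def well_known_urls(org_url: str) -> dict:
    """Build the SSF and OpenID discovery URLs that Apple Business Manager asks for."""
    parsed = urlparse(org_url.rstrip("/"))
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Okta org URL must be an https URL such as https://acme.okta.com")
    base = f"https://{parsed.netloc}"
    return {"ssf": f"{base}/.well-known/ssf-configuration",
            "openid": f"{base}/.well-known/openid-configuration"}


def authorization_callback_url(org_url: str, app_bundle_name: str) -> str:
    """Custom Sync callback URL with the system-admin domain matched to the tenant."""
    host = urlparse(org_url).netloc.lower()
    suffix = next((d for d in OKTA_DOMAINS if host.endswith("." + d)), None)
    if suffix is None:
        raise ValueError(f"{host} is not under a known Okta domain {OKTA_DOMAINS}")
    subdomain = host[: -len(suffix) - 1]
    # The profile editor strips '-' from the bundle name; an org name with a dash needs it back.
    if "-" in subdomain and "-" not in app_bundle_name:
        raise ValueError("org name contains '-' but the App Bundle name does not")
    return f"https://system-admin.{suffix}/admin/app/cpc/{app_bundle_name}/oauth/callback"


def discovery_gaps(openid_config_json: str) -> list:
    """List OIDC capabilities the app needs (code grant, refresh token) that the document lacks."""
    doc = json.loads(openid_config_json)
    gaps = [f"grant:{g}" for g in ("authorization_code", "refresh_token")
            if g not in doc.get("grant_types_supported", [])]
    if "code" not in doc.get("response_types_supported", []):
        gaps.append("response_type:code")
    return gaps


# Constructed sample of an openid-configuration document (not fetched from a real org).
SAMPLE_OPENID_CONFIG = json.dumps({
    "issuer": "https://acme.oktapreview.com",
    "grant_types_supported": ["authorization_code", "refresh_token", "implicit"],
    "response_types_supported": ["code", "id_token"],
})

if __name__ == "__main__":
    print(well_known_urls("https://acme.oktapreview.com/"))
    print(authorization_callback_url("https://acme.oktapreview.com", "acme_applebusinessmanagerscim_1"))
    print(discovery_gaps(SAMPLE_OPENID_CONFIG))  # [] when the document is sufficient
```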
Set up provisioning to app
- In the Okta Admin Console, go to .
- Select the Apple Business Manager SCIM app.
- Go to the Provisioning tab, and then click To App.
- Click Edit, and select the options to enable:
  - Enable Create Users
  - Update User Attributes
  - Deactivate Users
- Click Save.
- Switch to the Apple Business Manager console window and go to .
- Ensure that the Federation Enabled toggle is on for your verified company domain.
- Click Done.
You can test access to Apple resources to ensure the configuration has been set up properly. Browse to https://appleid.apple.com and sign in with your Okta credentials.
If you have conflicting personal Apple IDs on a company-owned email address, see User name conflicts in Apple Business Manager.