SSO with Apple School Manager/Apple Business Manager
  • 03 Jul 2025

Introduction

Apple School Manager and Apple Business Manager are two closely related platforms from Apple that help organizations deploy, manage, and configure Apple devices centrally. While they offer similar features, they are tailored to different audiences — schools and businesses, respectively.

With Scalefusion's SSO configuration, you can seamlessly integrate your Apple School Manager / Apple Business Manager accounts using industry-standard OIDC/OAuth 2.0 protocols. This integration enables secure, centralized authentication for users and simplifies identity management across Apple devices. It ensures a streamlined user experience, enhances security, and supports scalable deployment of devices and services within educational institutions and enterprise environments.

Prerequisites

  1. The devices should be enrolled with Scalefusion as BYOD, UAE, or Shared COD.

  2. The Custom Domain for which you are authorising should be verified through OneIdP.

  3. Users belonging to a custom domain should be imported/added to the Scalefusion Dashboard and migrated to OneIdP.

  4. IT Admins should have access to the Apple School Manager/Apple Business Manager Admin Console.

Create SSO Configuration for Apple School Manager/Apple Business Manager

  1. Navigate to OneIdP > SSO Configurations on the Scalefusion dashboard.

  2. Click on the New SSO configuration button.

  3. From the shown list, click on Configure for either Apple School Manager or Apple Business Manager to open the configuration wizard.

  4. Navigate to each tab and enter the required details. You can navigate to the next tab only after you have entered complete details in the current section.

Application Basics

  1. Enter Application Name: Enter a name for your App, which will be an identifier for your configuration. The name must be at least 5 characters long. The maximum allowed length is 128 characters.

  2. Select Hosting Type: This will be pre-selected as Cloud.

  3. Select Domains: All the custom domains you have configured and verified using OneIdP will be listed here. Select the domain(s) on which you want SSO to be enabled. You can select more than one domain.

  4. Select Authentication Type: This will be pre-selected as OIDC.

  5. Enter Login URL: Provide the URL that you use to sign in to that service.

  6. Once you have entered all details, click Next.

SSO Scope Management

With SSO scope management, you can configure the procedure for managing the users who will be accessing this application.

User assignment

The SSO configuration allows only assigned users to access the app. Choose one of the following options:

  1. Allow all users imported to Scalefusion to access the application: All users (belonging to the domain) imported to Scalefusion and migrated to OneIdP will be allowed to access the application.

  2. Allow only assigned users to access the application: Only the user(s) whom you have assigned the SSO configuration will be allowed to access the application. With this option, after the SSO configuration is created, you need to manually select and assign the users.

    1. Revoke access for all users once when the configuration is saved: If this is checked, access is revoked from the users who are currently assigned the configuration. All their user sessions are invalidated and they are logged out of their current sessions.

Permissions

Scalefusion does not require any additional permissions to manage SSO for this application. Click Next to continue.

SSO Settings

This section provides the SSO settings to set OneIdP as the Identity Provider for Apple School Manager / Apple Business Manager. You will have to add these in the Apple School Manager / Apple Business Manager admin portal.

  1. Navigate to your Apple School Manager / Apple Business Manager Admin Portal and log in.

  2. Go to Profile and click Preferences.

  3. Click on Managed Apple Accounts and click the Get Started button. The domain that is to be federated must be present here.

  4. Select Custom Identity Provider and click Continue.

  5. In the Set up your Custom Identity Provider section, enter the following details from the Scalefusion dashboard > OneIdP SSO Settings:

    1. OneIdP Client ID

    2. OneIdP Discovery/Well-Known URL

    3. OneIdP SSF URL

  6. On the Scalefusion dashboard, Select Authentication Type will be pre-selected as Client Secret.

  7. Copy the Client Secret from the Scalefusion dashboard and paste it in the Custom Identity Provider section in the Apple School Manager / Apple Business Manager portal.

  8. Once done, click Continue.

  9. Next, you will be asked to Sign in with OIDC to grant all the permissions to complete the setup on the Apple School Manager / Apple Business Manager portal.

  10. You can use any managed Apple ID to complete this.

  11. Click Continue to grant the requested permissions.

  12. You will be redirected to Apple School Manager / Apple Business Manager portal, and it will show the connection as successful. Click Continue.

  13. You will also be able to see the details on the portal.

  14. Next, select the domain that you would like to Manage in the Apple School Manager / Apple Business Manager portal.

  15. In the pop-up window that appears, click Set up.

  16. This completes the Identity Provider setup on the Apple School Manager / Apple Business Manager portal.

  17. On the Scalefusion dashboard, navigate to the Redirect URIs & Grants section.

    1. The Redirect URIs field will be pre-filled.

    2. Sign-Out URL: You can add the back-channel logout URL here, if it is supported.

    3. Grant type: Select the grant types that should be provided in response. By default, Authorization Code is selected. You can also select Refresh Token.

    4. Access Token: You can set the Token expiry from 5 to 120 minutes and the Grace Period for Token from 0 to 5 minutes.

  18. This also completes the SSO Settings on the Scalefusion dashboard. Click on Next to save the settings on the Scalefusion dashboard and move on to the next section.
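Before pasting the OneIdP values into Apple's Custom Identity Provider form, it is worth checking that they are consistent with each other. The following is an added example, not Scalefusion or Apple code: it validates a discovery document (a constructed sample with the placeholder host idp.example.test) against the Discovery/Well-Known URL, the grant types ticked in Redirect URIs & Grants, the Client Secret authentication type, and the token expiry and grace period ranges the dashboard allows.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document standing in for the response of the OneIdP
# Discovery/Well-Known URL; the hostname idp.example.test is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(doc_text, well_known_url, grant_types):
    """Return a list of problems; an empty list means the values are consistent."""
    doc = json.loads(doc_text)
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    # OIDC Discovery: the well-known URL is <issuer>/.well-known/openid-configuration
    expected = doc.get("issuer", "").rstrip("/") + "/.well-known/openid-configuration"
    if well_known_url != expected:
        problems.append(f"well-known URL does not match issuer: expected {expected}")
    for key in REQUIRED_KEYS[1:]:  # endpoints the relying party calls should be https
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is not https")
    # Grant types ticked on the dashboard (Authorization Code, optionally Refresh Token);
    # the spec default when the field is absent is authorization_code and implicit
    supported = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    problems += [f"grant type {g} not advertised by the IdP" for g in grant_types if g not in supported]
    # Authentication Type is Client Secret, so the token endpoint must accept one
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not any(m.startswith("client_secret") for m in methods):
        problems.append("token endpoint does not accept a client secret")
    return problems

def check_token_lifetimes(expiry_minutes, grace_minutes):
    """Ranges the dashboard allows: token expiry 5-120 min, grace period 0-5 min."""
    return 5 <= expiry_minutes <= 120 and 0 <= grace_minutes <= 5
```

Replace SAMPLE_DISCOVERY with the JSON fetched from your actual Discovery/Well-Known URL to run the check against your tenant.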

Conditional Access

From this section, you can define the additional conditions on the basis of which users will be allowed/disallowed from accessing the application on the device.

Conditional Access Settings

Device Policy

  1. For Android, iOS/iPadOS, Windows & macOS, Linux: Choose one of the following conditions:

    1. Only if the device is managed by Scalefusion: The application will be accessible only on devices managed (enrolled) by Scalefusion.

    2. If the device is managed by Scalefusion or an OTP using the Scalefusion Authenticator app from a managed device: The application is accessible if either of the following conditions is met:

      1. The device is managed by Scalefusion: a managed device is not asked for an OTP, or

      2. The device is unmanaged and an OTP is entered: the OTP is taken from the Scalefusion Authenticator app installed on a Scalefusion-managed device.

    3. Allow users to access by setting up MFA using third-party authenticator app or OTP sent on email:

      1. The device is managed by Scalefusion: a managed device is not asked for an OTP.

      2. The device is unmanaged and an OTP is required: the OTP can be taken from any third-party authenticator app or received via email, depending on the MFA settings in Directory Settings.
        Note: The left-hand panel configures the Device Policy for Android and iOS/iPadOS; the right-hand panel configures it for Windows and macOS, with Linux below them. You can therefore set a separate device policy per platform.

  2. For ChromeOS: Choose one of the following conditions:

    1. Allow users to sign in using an OTP from Scalefusion authenticator app: The OTP is taken from the Scalefusion Authenticator app installed on a Scalefusion-managed device.

    2. Allow users to access by setting up MFA using third party authenticator app or OTP sent on email: An OTP is required for authentication. It can be taken from any third-party authenticator app or received via email, depending on the MFA settings in Directory Settings.

      Note: This option is enabled only if MFA is enabled in Directory Settings.

    3. Allow access using email and password without MFA: No authorization check is performed, and users can log in directly with their email and password.

Browser Policy

From here, you can select one or more browsers and specify minimum versions on which you want to allow the access to the application.

  1. The following are the options:

    1. All Browsers

    2. Google Chrome with minimum version

    3. Microsoft Edge with minimum version

    4. Safari with minimum version

    5. Mozilla Firefox with minimum version

  2. By default, all browsers are allowed.

  3. Only major versions are validated. For example, if you enter browser version 23.5.8.10, the respective browser is allowed from major version 23 onwards.

Access Exceptions

From this section, you can configure the exceptions where the users are allowed to access the applications even if the conditions are not met. The following are the exceptions that can be configured:

  1. Enrollment Exceptions:

    1. Allow users to access the application till they enroll their first device: Allows users to access the application until they enroll at least one device. This option is helpful where the enrollment steps themselves require the user to authenticate with the service provider. With this, you can also configure the following:

      1. Maximum sessions allowed per user: Set the maximum number of simultaneous sessions a user can have when logging into an application across devices. If a user is already logged into the app on one device, they won’t be able to log in to the same app on another device. It can range from 1 to 3. Ideally, 1 session per user is recommended.

      2. Configure the OS where the exceptions are applied: Select the platform(s) on which this exemption would be allowed to users.

  2. User Exceptions: Here, you can add the users who are always exempted from the conditions and will never be asked to manage their devices. Enter comma-separated email addresses of users, or click on Add Users on the right, and in the new window, select the users who should be exempted.

Note:

These users still need to sign in with their OneDirectory credentials if they fall under the SSO Scope; however, the conditions will not be enforced for them.
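The Device Policy, Browser Policy and Access Exceptions above combine into a single allow/deny decision. The following model of that decision is an added example, not Scalefusion's implementation: the Policy and Request fields, the device_rule names and the otp_source values are assumptions that mirror the options described for Android, iOS/iPadOS, Windows, macOS and Linux (ChromeOS and the MFA settings themselves are not modelled). It shows the precedence a practitioner should expect: exceptions bypass the conditions, a managed device is never asked for an OTP, and browser versions are compared on the major number only.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # device_rule: "managed_only", "managed_or_authenticator_otp" or "managed_or_mfa"
    device_rule: str
    allowed_browsers: dict = field(default_factory=dict)  # {"chrome": 23}; empty = All Browsers
    exempt_users: set = field(default_factory=set)        # User Exceptions
    until_first_enrollment: bool = False                  # Enrollment Exception
    exception_platforms: set = field(default_factory=set) # OS where the exception applies

@dataclass
class Request:
    user: str
    platform: str
    managed: bool                 # device is enrolled with Scalefusion
    enrolled_devices: int         # devices this user has enrolled so far
    browser: str
    browser_version: str
    otp_source: str = ""          # "authenticator_on_managed_device" or "third_party_or_email"

def browser_ok(policy, req):
    """Only the major version is validated, as the Browser Policy section states."""
    if not policy.allowed_browsers:
        return True
    minimum = policy.allowed_browsers.get(req.browser)
    return minimum is not None and int(req.browser_version.split(".")[0]) >= minimum

def device_ok(policy, req):
    if req.managed:  # a managed device is never asked for an OTP
        return True
    if policy.device_rule == "managed_or_authenticator_otp":
        return req.otp_source == "authenticator_on_managed_device"
    if policy.device_rule == "managed_or_mfa":
        return req.otp_source == "third_party_or_email"
    return False  # "managed_only"

def decide(policy, req):
    """Return (allowed, reason); exceptions bypass the conditions, not the sign-in."""
    if req.user in policy.exempt_users:
        return True, "user exception"
    if (policy.until_first_enrollment and req.enrolled_devices == 0
            and req.platform in policy.exception_platforms):
        return True, "enrollment exception"
    if not device_ok(policy, req):
        return False, "non-compliant device"
    if not browser_ok(policy, req):
        return False, "non-compliant browser"
    return True, "conditions met"
```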

User Portal Settings

IdP-initiated SSO is particularly useful in scenarios where users access applications through a unified dashboard or portal displaying all available apps. Since OAuth (and OIDC) does not natively support IdP-initiated SSO, we handle this by displaying application shortcuts based on the configured SSO settings. When a user clicks on an app, they are redirected to the appropriate login URL to initiate the standard authentication flow.

To know more about the User Portal, please refer to our guide here.

User Facing Messages

User-facing messages help admins configure messages that end users may be shown when they are unable to access the application if any of the compliance conditions are not met. You can configure messages under the following:

  1. Configure Instructions for a Non-Compliant Device: This message is shown when the device is not compliant and needs to be enrolled in Scalefusion.

  2. Configure Instructions for a Non-Compliant Browser: Shown when the browser is not compliant as per the configurations.

  3. Configure a Message to be displayed when Access is Denied: Any other cases where access to the application is denied.

  4. There are some pre-configured messages displayed on the Dashboard which you can edit as per your requirement.

  5. After configuring user-facing messages, click on Save.

  6. The SSO configuration is created and listed on the SSO Configuration page as a separate card with the name you have defined. You can create multiple SSO configurations in the same manner.

User Experience

  1. When users log into their Apple School Manager / Apple Business Manager account, they are redirected to the OneIdP screen for authentication.

  2. Users have to enter their email ID and password and sign in.

  3. Click Check Compliance & Sign in.

  4. Based on the Conditional Access Settings configured on the Scalefusion dashboard, the user signs in successfully if the device is a Scalefusion-managed device; otherwise they may be asked to enter an OTP from a Scalefusion-managed device.

  5. On meeting the conditional access requirements, users are signed into their Apple School Manager / Apple Business Manager account.
