Manage verified domains in Apple School Manager
After a domain has been verified, there are three options available, all of which can be enabled for each domain:
Option 1. Lock a domain: This option requires that all new Apple Accounts created on the domain be only Managed Apple Accounts.
See Lock a domain.
Option 2. Domain capture: This option allows you to use domain capture to ensure any account using your domain is a Managed Apple Account. This includes the possibility to convert existing Apple Accounts (which may have been created previously using the organisation’s domain) into Managed Apple Accounts.
See Show unmanaged accounts using your domain.
Note: Turning on domain capture also locks a domain if it was not previously locked.
Option 3. Federated authentication: If there are no unmanaged Apple Accounts conflicts or after the domain capture process has started, users with the role of Administrator, Site Manager and People Manager can optionally continue to turn on federated authentication with an IdP. As a result, users can leverage their Google Workspace, Microsoft Entra ID or IdP user name (generally their email address) and password as their Managed Apple Account. When federated authentication is turned on, Managed Apple Accounts are automatically created for new users the first time they sign in.
After the domain capture and federated authentication processes have been completed, users with the role of Administrator, Site Manager and People Manager can also turn on directory syncing with their IdP.
Important: To leverage roster data and assign Instructor and Student roles to accounts, do not enable sync directly with the IdP. Instead, integrate with your Student Information System (SIS) or upload SIS data using SFTP (Secure File Transfer Protocol). If you do want to sync directly with the IdP, Apple School Manager provisions all synced accounts with the role of Student. Accounts that require the role of Instructor must be added manually. See Integrate Apple School Manager with your Student Information System (SIS) or Upload Student Information System data to Apple School Manager.
Directory syncing:
Imports user account information from the IdP
Monitors for changes and automatically syncs these changes to Apple School Manager
Automatically removes Managed Apple Accounts when the corresponding user accounts are deleted in the IdP
Note: Turning on federated authentication also locks a domain if it was not previously locked.
This allows an organisation to lock one specific domain in their list of verified domains, perform the domain capture process on another domain and federate a third domain.