
'Sign in with Apple' comes to the enterprise

Users get simpler logins to business or education apps and websites. IT admins get greater control. What's not to love?
  • Ryan Faas (Computerworld (US))
  • 17 June, 2022 07:45

Apple introduced “Sign in with Apple” a couple of years ago. Like similar options from Facebook and Google, the feature allows users to sign into apps and websites using their Apple ID rather than creating a unique account for each app or site.

Unlike other options, however, Apple allows users to choose whether their email address and related information is shared with each app/site. If a user chooses not to share this information, Apple will create a separate unique address to present to the app/site and will forward any mail to the user’s actual email address.

While the feature is useful, preserves privacy, and is pretty broadly adopted, it only supports personal Apple IDs. For apps and services used at work or school, users either have to use their personal Apple ID or create accounts using their corporate or school email address.

This fall, Apple is extending Sign in with Apple to support Managed Apple IDs, those that are created by an employer or other organisation and managed through Apple Business Manager, Apple Business Essentials, or Apple School Manager. 

In addition to simplifying user login to business or education apps and websites, Sign in with Apple at Work & School lets IT administrators designate what apps and sites users can use the feature with and provide access restrictions based on users, groups, or roles within an organisation.

The feature will help streamline account creation and management both for users and for IT. The ability to enforce access controls through this mechanism will also simplify IT administration for a range of services, from in-house apps to common enterprise apps like Slack, as well as commonly used internal or external websites.

From a user perspective, the experience will be very similar to the way Sign in with Apple works today. When Sign in with Apple at Work & School is enabled, however, users will see a slightly different dialog after clicking the “Continue with Apple” button. They will not have the option to hide their email, and they will see a notice labeled “Get the Right Access” that informs them that the app will apply access controls based on their business or education account.

The following pane of the account setup process will display their name and the email address that will be used within the app or site. Managed Apple IDs without an email address, such as student accounts, will only display their name — an email address is not required.

Users will not have to enter their account information. The service will automatically use the managed Apple ID associated with the device they are using.

Developers must choose to support this feature

On a basic level, there is nothing that developers need to do to support this feature beyond supporting Sign in with Apple. However, Apple strongly recommends that developers also incorporate the company’s new Roster API and a new feature called Organizational Data Sharing.

Supporting these allows for access controls within the app or site. This makes managing accounts associated with the app or site much simpler and more efficient for IT.

There are a couple of steps that developers will need to take. The first is to enable the feature using their account within the Apple Developer Program, which can be done on the Apple Developer website. The second is to implement Apple’s new Roster API.

This API allows a developer’s app or website to query an organisation for user, group, and role information. It pairs with Organizational Data Sharing, a feature that integrates with Apple Business Manager, Apple Business Essentials, or Apple School Manager. 

This is where IT administrators need to consent to sharing the user, group, and role information with the app/site. With that information shared, access controls are supported based on any of those attributes.

What IT needs to do

IT administrators need to take a couple of steps as well. The first is to decide whether or not they want Sign in with Apple at Work & School enabled for all apps and websites that support Sign in with Apple or whether they want to create a list of supported apps and sites. These options are chosen in Apple Business Manager, Apple Business Essentials, or Apple School Manager.

If an administrator chooses to support only some apps and sites, they will need to use a search box to locate and select the apps and sites they want to support. Should a user try to use Sign in with Apple with an app or site that isn’t supported, they will receive an error message and will need to use another option for creating an account with that app/site.

If a developer has implemented the Roster API, administrators will have to consent to Organizational Data Sharing. Again, there is the option to support all apps and sites or to limit support to specific apps and sites. Administrators will again use Apple Business Manager, Apple Business Essentials, or Apple School Manager to manage consent for Organizational Data Sharing.

Will the potential be realised?

Apple is calling this feature an extension to Sign in with Apple. Technically, that’s an accurate description, but I would posit that it is more an extension to Managed Apple IDs. The real power is that it allows administrators to leverage Managed Apple IDs for access control within apps and services (sites) as opposed to having to do so manually for each app or service/website.

In this respect, the feature offers a lot of potential. The question is whether or not that potential will actually be realised. The answer to that question really depends on whether developers are willing to put in the time and effort, however minimal, to support the Roster API. That is a bit of an open question.

I expect that education developers will be the most likely to implement the Roster API, because it provides an obvious value-add for their primary customers — schools.

For developers of business solutions, the prospect is a little murkier. Many business developers support multiple mobile, desktop, and web platforms. That means the additional value may not translate to the majority of their customer bases. Still, the fact that it is a relatively simple addition means that it may be worth the effort. We’ll have to wait and see.

As I’ve noted elsewhere in Computerworld’s coverage of WWDC, however, it is heartening to see that Apple is noticing many IT pain points, including inefficiencies in IT-related processes and workflows, and is actively working to provide creative solutions to them.