meego 6 hours ago

I recently tried setting up Apple Business Manager for our ≈20-person SME.

The first step was "Domain Lock/Capture" which takes over all Apple accounts for a specific domain.

I've never had a worse experience from Apple.

The process is buggy, filled with foot-guns and dead ends. It expects huge amounts of work from users who have had their account for more than a few weeks and are expected to remove a lot of their personal data before their account can be migrated (e.g. do you know how to delete all your Health data?). The process is also impossible to cancel.

Phone support was par for the course, e.g. tickets escalated to the abyss, suggestions to restore workstations to factory settings, etc.

Be warned.

geoffharcourt 6 hours ago | parent | next [-]

The domain lock process was an absolute fiasco at our company. I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-manage place.

There are several cheap MDM solutions for Apple devices that I would rather pay for than be dependent on this. (We've used SimpleMDM and love them.)

pottertheotter 23 minutes ago | parent | next [-]

> I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-mange place.

I had the same thing happen but with Microsoft. A friend and I had started a small consulting business and were using Google Workspace, but I needed a Microsoft account to interact with a client. I made one with my business email. None of us knew any better, but I couldn’t connect with our client’s Microsoft setup because it was a personal account. So I went to set up a business account. It was a whole fiasco and the only way I could really fix it was create an alias and use that for Microsoft.

cocoflunchy 6 hours ago | parent | prev | next [-]

I'm currently in that hellish process too... I don't know how to get out of it. Did you know that your employees will be forbidden from downloading from the App Store once you've launched that migration? It's a nightmare.

wpm 3 hours ago | parent | next [-]

Well yeah, the idea is that if you have ABM, you have an MDM you can use to purchase licenses for them and install the apps with the MDM.

IrishTechie 3 hours ago | parent | next [-]

It can be done that way, but it is definitely not the norm. Businesses will generally “purchase” (many for €0) apps in ABM that are to be used for business purposes and push those to devices, the user can then use an Apple ID to download any other apps they want for personal use.

ndespres 3 hours ago | parent [-]

If they’re using Managed Apple IDs they will have no access at all to the App Store and won’t be able to download their own apps anymore. The IT department will have to buy and assign any apps that anyone needs, even the $0 ones that only 1 person needs.

anxman 2 hours ago | parent | prev [-]

This was a big pain in the ass for me to figure out. I ended up using the free version of Mosyle and hiring someone on Fiverr to help me figure out how to get the licenses assigned to our managed devices.

FireBeyond 4 hours ago | parent | prev [-]

Apple and MDM has always been a shit show. In the days as recently as Ventura (last time I tried it), MDM bypass was as simple as "null route 4 DNS entries during install process, remove null routing after install complete, and never be bothered by it again". This is on Apple Silicon. With no workarounds or anything, upgrades work all the way up to Tahoe.

Like really Apple, that's your device "locking"? I could test activate my work Mac with my personal Apple ID while doing this, no alarm bells, nothing, effectively "It's your laptop now".

IrishTechie 3 hours ago | parent [-]

The baffling thing is that iOS+MDM has been fantastic over the years. macOS is a completely different beast though.

jamiecurle 14 minutes ago | parent [-]

macOS used to be excellent for a short period of time when Fleetsmith existed. Then Apple purchased Fleetsmith around 2020 and killed the product not long after.

Fortunately, around the same time, Jamf ended the practice of the mandatory Jamf JumpStart (£5K fee), which finally made Jamf a feasible option for the company I was in at the time.

wil421 an hour ago | parent | prev [-]

How does a company allow personal Apple IDs?

pottertheotter 31 minutes ago | parent [-]

I think the idea is that it happens before they lock the domain as a business. Before that, if you have an email address you can create a personal account with it.

jamiecurle 20 minutes ago | parent [-]

Yes, that's exactly how it happens.

SoleilAbsolu 2 hours ago | parent | prev | next [-]

FWIW, my experience doing this process for a ~130 person org last year was pretty painless compared to other Domain Claims I've initiated for other SaaS vendors (Docusign in particular), and MDM nightmares (expired Jamf certificates, I'm looking at you).

We had to do it as people had made personal Apple accounts using our domain, meaning if they logged in with such an account and left, their iPhone magically transformed into an expensive, elegant paperweight. Due to a setting in our previous MDM we were unable to migrate data cleanly using Apple Biz Manager without committing to use ABM as our MDM (we couldn't), so we told people to "move it yourself following these detailed instructions, otherwise it can't be migrated." Regarding personal data like health on company-managed devices, I certainly don't share that type of info with my employer, and make it clear to staff that it's not our responsibility to migrate such data.

an hour ago | parent [-]

[deleted]

czscout 2 hours ago | parent | prev | next [-]

Yes, as an IT professional at a company where a few people have insisted on using Macs, the ABM workflow is by far the most frustrating, half baked product I've had the displeasure of using. People love to complain about Entra/Azure AD, but ABM is another level of obtuse.

pseufaux 44 minutes ago | parent [-]

What's bad is that it's so much better than it used to be and still this bad.

matt_daemon an hour ago | parent | prev | next [-]

Apple's cloud software has been buggy as hell for a long time, at least for me.

I'm in a family iCloud group with my parents... one day I just woke up and had all my podcasts and music replaced with my Mum's :/

Would not want this anywhere near a "business" experience.

cj 5 hours ago | parent | prev | next [-]

We use Apple Business Manager. Locking a domain is not a requirement if you're just doing basic MDM, I'm pretty sure. (I also had a negative experience with it, so we didn't use it and everyone just uses their personal Apple IDs.) Is it no longer possible to skip this step in setting up the account?

jillesvangurp 2 hours ago | parent | prev | next [-]

Same here, I never even got in. I never managed to get in. My account is good enough to take my money for other things but somehow I can't manage to onboard into the damn thing so that I can actually manage devices for my company. I just gave up in the end. Couldn't get it done.

I'll try again next month and see how far I get with this. This needs to be way simpler than it currently is. Hopefully they fixed a few things there.

razakel 3 hours ago | parent | prev | next [-]

I gave up when it wanted a Dun and Bradstreet number (whoever they are) and the website to get one didn't work.

dlg 2 hours ago | parent | next [-]

I have had the misfortune of having to get D&B numbers (for various Apple things). I believe it is the source for lead lists where you start to get dozens of text and phone spam calls per day. Do not pay hundreds of dollars for this if you can at all avoid it.

keerthiko 2 hours ago | parent [-]

Definitely avoid unless you are distributing a consumer application through the dominant app stores (App Store and Google Play) ~globally, in which case you may not be able to avoid (or avoiding will be just as much work).

Google and Apple require it for lots of mobile apps targeting certain consumer segments because some countries (e.g. Brazil, IIRC? don't quote me on that) have chosen to use D&B as a qualified unique identifier of business legitimacy, and it requires exposing personal information of your company's leadership to them.

yolo3000 2 hours ago | parent | prev [-]

AFAIK every company has a DNB number. It's a credit risk company which sources company data from every country.

true_religion 4 hours ago | parent | prev | next [-]

AFAIK, it works with subdomains, so you can use something like employees.example.com as your domain, and capture over that.

slyn 3 hours ago | parent [-]

The org I work for just makes aliases (@ourbrandmdm.com) for ABM that forward to their @ourbrand.com emails.

quietsegfault 4 hours ago | parent | prev | next [-]

This was my experience switching from Gmail to Apple’s mail service. I switched back after a few days.

givinguflac an hour ago | parent [-]

Genuinely curious, what were the Apple mail service issues for you? I hate Gmail and have had zero issues with my @mac.com email in 20+ years, that I’ve noticed. Thanks.

xp84 13 minutes ago | parent | next [-]

Do you find that iCloud email can correctly handle both “true spam” (meaning the nonsense garbage kind) and “promotional email” effectively?

quietsegfault 17 minutes ago | parent | prev [-]

Lots and lots of missing messages. That was the big one. Anything from a SaaS just never arrived, like tickets, notifications, etc. I had random IMAP authentication failures too.

jiveturkey 2 hours ago | parent | prev [-]

You only need to do the domain lock part if you plan to use MAIDs. For 20 people you probably didn't need to do that, at least not at the same time as the rest. You can do it as a later step, not the first step.