by geoffharcourt 84 days ago
The domain lock process was an absolute fiasco at our company. I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-manage place.

There are several cheap MDM solutions for Apple devices that I would rather pay for than be dependent on this. (We've used SimpleMDM and love them.)

6 comments

I'm currently in that hellish process too... I don't know how to get out of it. Did you know that your employees will be forbidden from downloading from the App Store once you've launched that migration? It's a nightmare.
Apple and MDM have always been a shit show. As recently as Ventura (the last time I tried it), MDM bypass was as simple as "null route 4 DNS entries during the install process, remove the null routing after the install completes, and never be bothered by it again". This is on Apple Silicon. With no workarounds or anything, upgrades work all the way up to Tahoe.

Like really Apple, that's your device "locking"? I could test activate my work Mac with my personal Apple ID while doing this, no alarm bells, nothing, effectively "It's your laptop now".

The baffling thing is that iOS+MDM has been fantastic over the years. macOS is a completely different beast though.
macOS used to be excellent for a short period of time when Fleetsmith existed. Then Apple purchased Fleetsmith around 2020 and killed the product not long after.

Fortunately, around the same time, Jamf ended the practice of the mandatory Jamf JumpStart (£5K fee), which finally made Jamf a feasible option for the company I was in at the time.

True, I remember looking at Jamf at one point and the mandatory consulting was so annoying because we already had it dialled in on the free trial.

In the end we just made do with Intune. It's a lot less capable for Mac, but these days you can get by with it.

Hopefully there's no kill switch for Macs on Intune; otherwise the threat of wiping machines with one click is real, just ask Stryker: https://www.cybersecuritydive.com/news/stryker-attack-device...
Well yeah, the idea is that if you have ABM, you have an MDM you can use to purchase licenses for them and install the apps with the MDM.
It can be done that way, but it is definitely not the norm. Businesses will generally “purchase” (many for €0) apps in ABM that are to be used for business purposes and push those to devices, the user can then use an Apple ID to download any other apps they want for personal use.
If they’re using Managed Apple IDs they will have no access at all to the App Store and won’t be able to download their own apps anymore. The IT department will have to buy and assign any apps that anyone needs, even the $0 ones that only one person needs.
Yep. Truly horrid policy. Where I work, our issued iPhones suck to use without App Store access; no Bitwarden was the killer for me personally. Everyone I checked with uses their personal email/Apple ID instead of the MAID, and there's a sword over your head if you ever accidentally copy/paste something from internal emails to something like Notes, which has iCloud sync (we're semi-serious about leakers). Absolute failure of an MDM setup by Apple.
MDM can restrict pasteboard from managed apps to non-managed apps, as well as allowing iCloud sign-ins but restricting which iCloud services are allowed.

It's an absolute failure of the MDM server administrator for allowing such things, not on Apple.

If my employer did that to me, I would seriously consider suing them.
You’ve never been issued a work computer that’s not yours to fuck around with?
This was a big pain in the ass for me to figure out. I ended up using the free version of Mosyle and hiring someone on Fiverr to help me figure out how to get the licenses assigned to our managed devices.
I did not. If I had known what would happen when we tried this we would have skipped the process entirely. Our staff (roughly 125) was so confused and it wasted a lot of time communicating about it, then trying to roll it back, etc.
The Domain Capture process cannot be canceled once it’s started. It’s also not required, unless by your company policy.

The point is to make sure there’s not a mess on the other end when you enforce SSO for MAIDs.

Apple’s documentation for ABM and ABE is atrocious, but they do manage to document a bunch of footguns, just poorly and in seemingly bizarre places.

For example, ABE doesn’t support MDM migration (either as source or destination), despite the fact that the feature launched with macOS/iOS/iPadOS 26 and is supported by other MDM solutions.

And you cannot push custom config profiles with ABE which declare a non-Apple preference domain. Utter nonsense.

If you’re using the full ABM-with-ADE and MDM stack, it’s expected that you push apps to employees.

You can also use Munki to make apps available to users. You can just push only Munki via MDM if you want, and let it manage app installs and self service installs for you. There are caveats.

> I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-manage place.

I had the same thing happen but with Microsoft. A friend and I had started a small consulting business and were using Google Workspace, but I needed a Microsoft account to interact with a client. I made one with my business email. None of us knew any better, but I couldn’t connect with our client’s Microsoft setup because it was a personal account. So I went to set up a business account. It was a whole fiasco and the only way I could really fix it was create an alias and use that for Microsoft.

That's why Enterprise vendors try so hard to get startups using their stuff. Lock-in is so strong. I can't imagine having a working system at a 100 person company and then trying to migrate to something else unless the current situation was truly awful.
> the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-manage place

So give all the employees an email alias they can use to create a new Apple ID for this purpose?

> I think this could work if you did this at the time your company launched

This should not be a surprise. Greenfield services have not existed long enough to resolve edge cases that inevitably arise while integrating existing operating models already in use.

The broken part of this process (domain claim) has existed for several years as part of ABE, it isn't new.
My point was that trying to fit a new company with no barnacles into an existing process model will always be easier than retrofitting an existing company model full of edge cases the service never had to engineer around.

Not really sure why you made that point only to wave it away later, saying it's always been broken regardless.

How does a company allow personal Apple IDs?
Employee needs to download Microsoft Remote Desktop (sorry, Windows App) that is only distributed through App Store.

Employee does not trust the company having access to everything else in their personal iCloud account - photos, mails, messages, calendar, reminders, etc.

Employee registers a new Apple ID with company email, as it would be only used for downloading one single app.

Got it. It’s registering with the company email first, not their personal one.
I think the idea is that it happens before they lock the domain as a business. Before that, if you have an email address you can create a personal account with it.
yes, that's exactly how it happens.