
Glossary
- Apple Account
A personal account people use to access Apple services like the App Store, iCloud, iMessage, FaceTime, the Apple Online Store, and more. It includes the information necessary to sign in, as well as all the contact, payment, and security details that Apple services require. (A personal Apple Account is also known as an unmanaged Apple Account.) See also Managed Apple Account.
- Apple Business Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organization purchases directly from Apple, or from a participating Apple Authorized Reseller or cellular carrier. You can automatically enroll devices in your device management service without having to physically touch or prepare the devices before users receive them.
- Apple Customer Number
The account number (or numbers) that Apple assigns to your organization to purchase Apple hardware or software. It’s required to verify your organization’s eligibility for certain programs. If you don’t know the numbers, contact your purchasing agent, finance department, or Apple account team. This number isn’t the same as your GSX account number.
- Apple School Manager
A simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organization purchases directly from Apple, or from a participating Apple Authorized Reseller or cellular carrier. You can automatically enroll devices in your device management service without having to physically touch or prepare the devices before users receive them.
- authentication
Retrieving a credential from an authority after providing an assertion that proves your identity.
- authorization
Retrieving a token from an authority after performing authentication by providing an assertion that proves your identity.
- backup
A copy of important data that includes information, such as the layout of the Home Screen, app data (such as Safari bookmarks and Calendar events), anything you can set in Settings on the device (including restrictions, certificates, and some account types), contacts, and the Camera Roll (but not photo albums). Backups don’t include apps or media that you might usually sync using the Finder (macOS 10.15 or later), using iTunes (macOS 10.14 or earlier), or by storing in iCloud or iCloud Drive. A backup of an unsupervised device is identical to and interchangeable with a Finder or iTunes backup, and you can restore it only to an unsupervised device. Similarly, you can restore the backup of a supervised device only to another supervised device.
- Bootstrap token
A device management-based feature that automatically provides a secure token on all mobile accounts. Specifically, a bootstrap token helps with granting a secure token to both mobile accounts and to the optional device enrollment-created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts.
- configuration profile
An XML file (ending in .mobileconfig) that consists of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. A device management service can create these files, or you can create them manually or with Apple Configurator for Mac.
- device management service
A service that lets an administrator securely and remotely configure devices by sending configurations, profiles, and commands to the device, whether the user owns the device or the organization owns it. Capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in a device management service, and organizations can automatically enroll using Apple School Manager or Apple Business Manager.
- D-U-N-S Number
A nine-digit identifier that Dun & Bradstreet (D&B) assigns to each business in its database and maintains. Apple cross-checks program enrollees with the D&B database. For more information on how to obtain a D-U-N-S number for your business, see Welcome to D&B Support.
- duplicates
In device management, two or more identical payloads. For example, a Certificates payload often involves more than one certificate, and a VPN payload may involve more than one VPN setting. Two or more specific payloads can’t be active for a device or user; the payload needs to be single.
- enrollment methods
The three main methods of device enrollment in a device management service: User Enrollment, Device Enrollment, and Automated Device Enrollment.
- eSIM (embedded-SIM)
A software-based SIM used in Apple Watch Series 3 or later; in iPhone XR, iPhone XS, iPhone XS Max, or later; and in every iPad released since the 3rd generation iPad Pro. See also SIM card (Subscriber Identity Module).
- federated authentication
The process of using an account’s user name and password from one directory system and allowing the same user name and password to be used in other systems.
- identity
You can freely distribute certificates, but you need to keep identities secure. You use the freely distributed certificate and its public key for encryption processes that you can only decrypt with the matching private key. The system stores the private key part of an identity in a PKCS12 (.p12) file that it encrypts with another key that requires a passphrase.
- Identity federation
The establishment of trust between identity providers across security domains.
- local account pairing
A way to enforce smart card authentication for Mac computers on local accounts.
- machine-based enforcement (MBE)
An implementation that removes the option for password-based authentication in favor of smart card–only authentication for any account accessible by a Mac. Compare user-based enforcement (UBE).
- Managed Apple Account
An account that a business or educational institution creates, owns, and manages to allow users to access Apple services. These are separate from unmanaged Apple Accounts users create for themselves. (An unmanaged Apple Account is also known as a personal Apple Account.) See also Apple Account.
- operating system and channel
You can use device management payloads on specific operating systems and, for Shared iPad and Mac, on the user channel. Because Shared iPad and Mac can have more than one user, you can apply a payload to the device channel (all users) or a user channel (specific users).
- Organization ID
Your unique identifier in Apple School Manager or Apple Business Manager. When you give a participating Apple Authorized Reseller or cellular carrier your Organization ID and you add that reseller’s Reseller Number to your account profile, you authorize that reseller to submit devices you purchase through them to Apple so devices’ serial numbers can appear in Apple School Manager or Apple Business Manager.
- payload
At least one managed setting. Some settings, such as LDAP, can have more than one payload. Use payloads to administer increased network security, user authentication, Wi-Fi authentication, VPN policy settings, mail settings, and more. See also settings.
- personal identity verification (PIV) card
A type of smart card technology for two-factor authentication, digital signing, and encryption. The built-in support for smart cards in macOS is based on the CryptoTokenKit framework.
- Reseller Number
A unique identifier for each Apple Authorized Reseller or cellular carrier that participates in Apple School Manager or Apple Business Manager. When you add a participating Apple Authorized Reseller’s or cellular carrier’s Reseller Number to your account profile and you give that reseller your Organization ID, you authorize that reseller to submit devices you purchase through them to Apple so devices’ serial numbers can appear in Apple School Manager or Apple Business Manager.
- Secure token
A macOS feature that addresses the implementation of encryption keys, including when the system generates them and how it stores them. Specifically, a secure token is a wrapped version of a key encryption key (KEK) protected by a user’s password.
- settings
In the context of device management, unique identifiers apply to specific apps, features, or connectivity functions, such as Exchange, passcodes, VPN, Wi-Fi, proxies, and so forth. For example, the name of a Wi-Fi network or information about how to authenticate to an Exchange server might be a setting. After you enter settings for a given app, feature, or connectivity function, they become a payload. See also payload.
- Shared iPad
Use the Shared iPad feature to let multiple students use the same iPad in a classroom. In this way, learning experiences can be personal even though the devices are shared. Not only are transitions from class to class greatly simplified, but you also save time. It’s easier to pick up right where students left off and automatically save student work. When using Shared iPad with Classroom, intelligent caching helps accelerate student sign-ins by returning students to the iPad they were previously using.
- SIM card (Subscriber Identity Module)
A universal integrated circuit card (UICC) for identifying and authenticating subscribers on mobile devices. See also eSIM (embedded-SIM).
- single sign-on
A process in which a user provides authentication and authorization information once and receives a ticket to access resources for as long as the ticket is valid (usually 10 hours).
- supplier
The entity you purchase eligible devices from. If you purchase the device directly from Apple using a purchase order (PO), then you enter your Apple Customer Number as your supplier using the Apple (Direct) option. If you purchase your device through a participating Apple Authorized Reseller or cellular carrier, then you add them as a supplier to your account by entering their Reseller Number using the Reseller option. You add each supplier to your account only once.
- user-approved device management enrollment
In macOS 10.13.2 or later, user-approved device management enrollment allows a device management service’s software additional privileges. As of macOS 11, it’s no longer possible to install profiles using the command line, so the user approves all new enrollments. User-approved device management enrollment is different from User Enrollment.
- user-based enforcement (UBE)
An implementation that creates an exception to smart card–only authentication for specific users or groups of users. This option disables all password-based authentication. Compare machine-based enforcement (MBE).