In today's educational institutions, managing hundreds or thousands of devices and accounts without losing your mind is possible thanks to Apple School Manager (ASM). This IT web portal brings together volume purchasing, automatic enrollment, and identity management in one place, allowing you to deploy iPhone, iPad, Mac, Apple TV, Apple Watch, and even Apple Vision Pro without touching a single piece of equipment. ASM works hand in hand with your MDM solution to automate tasks, centralize control, and maintain user privacy.
Beyond deployment, Apple School Manager integrates identity and academic data systems, facilitates the allocation of apps and books, and offers security and compliance tools. If you're looking for a complete guide to deploying devices, accounts, and applications at your institution, you'll find the end-to-end process here.
What is Apple School Manager and why should you be interested?
Apple School Manager is an online portal designed for education IT administrators that centralizes three pillars: device enrollment, volume purchasing, and identity management. With ASM, your organization can acquire content at scale, create accounts for teachers and students, and automatically enroll devices in your MDM.
The service supports multiple Apple platforms and integrates with authorized resellers and Apple Configurator to add purchased or existing devices. The ASM + MDM combination allows the equipment to arrive in the classroom ready to use, with settings applied and apps pre-installed.
Implementation without intervention and flexible models
The deployment experience is wireless and hands-free: devices are assigned to an MDM server and, when powered on for the first time, they configure themselves. The IT team doesn't need to manually prepare each device, which saves time and avoids friction.
ASM supports various scenarios: 1:1 programs, shared iPad, computer labs with Macs, and large-scale Apple TV deployments. The implementation models are adaptable to both center-owned devices and personally managed equipment.
Key capabilities of Apple School Manager
Automatic device enrollment: You can enroll devices in your MDM remotely as long as they have been associated with your organization during purchase or through Apple Configurator. This simplifies the initial wizard and speeds up classroom setup.
Content purchase and distribution: ASM connects with your MDM to acquire apps and books in volume, assign them to users or devices, and update them without intervention, even if the App Store is restricted. The organization retains ownership of the licenses and can revoke and reassign them as needed.
Managed Apple Accounts: Managed Apple IDs are center-owned identities that enable iCloud, iWork collaboration, Notes and Reminders, and access to Classroom and Classwork where applicable. These accounts are managed by roles and keep personal data separate from institutional data.
Prerequisites: browsing, accounts, and verification
Supported browsers: Updated Safari on iOS/iPadOS and macOS, Google Chrome and Microsoft Edge on Windows. Verify that IT workstations meet these requirements to avoid unnecessary blockages.
Initial account: You must create the administrator account with a personal name (not generic) and provide a work email address not linked to personal Apple IDs. This account accepts software and program license agreements and can add up to four initial managers.
Verification contact: This must be someone with the authority to validate ASM terms on behalf of the institution and cannot be the same person as the one submitting the request. During the review, Apple will contact you to confirm the organization's details before approving the registration.
Steps to start managing devices
Step 1: Link your organization to Apple or an authorized reseller using your customer or reseller number. After the link is created, device orders will automatically appear in ASM.
Step 2: Link at least one external MDM service in the ASM portal to be able to assign devices. Without this link, you won't be able to orchestrate policies or enrollment flows.
Step 3: Add devices. Those purchased with your identifiers appear automatically; the rest can be added manually using Apple Configurator. It is crucial to keep the inventory up to date to avoid leaving equipment out of control.
Step 4: Assign each device to an MDM server (manually or automatically). This assignment determines which policies, apps, and restrictions the device will receive.
Step 5: Enroll devices to apply policies. Enrollment can be automatic (recommended) or manual by the user. Upon completion of enrollment, the device becomes visible and manageable from your MDM and in the ASM list.
Account-based enrollment and domain discovery
With account-based enrollment, users sign in on the device with their Managed Apple Account to activate work settings. This method allows a personal account to coexist on the same device, separating personal data from corporate data.
ASM offers linked MDMs the detection of alternative services for verified domains and the default allocation of devices per platform. This automates the routing of new equipment to the correct server based on the domain or location.
Content management: apps and books by volume
Volume purchases are integrated into your MDM to view, allocate, and update apps and books at scale. You can decide whether licenses are assigned to users or devices, and configure silent installation when supervised mode allows it.
With application and book tokens by location, administration is segmented between locations or responsible parties, and distribution is enabled without needing the user's Apple ID. Remember that tokens expire annually, so it's advisable to renew them in advance to avoid interruptions.
Managed Apple Accounts: Creation, Usage, and Roles
Managed Apple IDs are created at scale and associated with your verified domains. They allow access to iCloud, collaboration with iWork, and teaching apps like Classroom and Class Assignments, depending on the role.
Roles and privileges: Administrator, Manager (by scope), Staff Member, Teacher and Student define what each profile can do in ASM and associated services. Assigning each role precisely prevents over-permissions and improves security.
Classes: group teachers and students so that your MDM enables visibility in Classroom (iPad and Mac) and on shared iPad. When creating classes, at least one teacher is associated to manage the group dynamics.
Password policies: 4 or 6 digit codes are accepted for students; other roles require strong passwords of 8 or more characters. The complexity defined in ASM determines the lock screen (numeric or full keyboard) on a shared iPad.
Credential reset: Depending on the account origin, the password is retrieved from ASM or through the federated identity provider. The appropriate privileges allow administrators or managers to assist in lockouts after failed attempts.
Integration with identity and academic systems
Student Information Systems (SIS/SIE): You can synchronize lists and classes directly or via SFTP. This keeps enrollments, withdrawals, and enrollment changes up to date without manual tasks.
Microsoft Entra ID (formerly Azure AD): Available with federated authentication or via SCIM for provisioning and Single Sign-On on Apple services with existing credentials. Reducing duplicate passwords minimizes incidents and improves the user experience.
Google Workspace: ASM can coexist with Google environments and connect to Google endpoint management to manage the center's iPhones and iPads. This integration makes it easier to apply corporate policies and distribute institutional apps.
Privacy, security and certifications
Apple maintains ISO/IEC 27001 and 27018 certifications that validate its security and privacy practices on covered systems. To protect browsing on managed devices, see "Protect your browsing with Private Relay". These standards help institutions meet regulatory and contractual obligations in education.
Account inspection (with limits and logs): Privileged roles can request temporary credentials to access iCloud Drive data or CloudKit-enabled apps from lower-level accounts in the hierarchy, expiring after 7 days and fully audited in ASM. This control protects the educational community from abuse and ensures traceability.
Best practices for managing MDM
Supervised mode: Enable it on educational devices to expand control (silent installation, advanced restrictions, app settings). To create and apply profiles, see "Manage configuration profiles on your iPad". Your MDM offers locking options by organizational unit or by groups, depending on your needs.
Context restrictions: differentiate global policies of the center from those specific to the classroom or projects. Teachers can apply temporary rules according to the session, such as allowing only necessary apps and limiting distractions.
Critical renewals: Apple's push certificate (APNs), enrollment server tokens, and app and book tokens expire annually. Schedule reminders with enough time to renew them without affecting app synchronization or installation.
Live inventory: regularly synchronize devices and lists from ASM to your MDM, and vice versa. Maintaining a consistent inventory prevents management gaps and ensures that policies reach all devices.
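One way to check the "live inventory" practice above is to compare a device export from ASM with one from your MDM and list the gaps. This is an added example, not part of the original guide or of any Apple or MDM tool; the CSV column names (serial, mdm_server, supervised) and the serial numbers are constructed assumptions that you would adapt to your own exports.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a real
# ASM or MDM export format; rename them to match your own files.
ASM_EXPORT = """serial,mdm_server
C02EXAMPLE01,School MDM
C02EXAMPLE02,School MDM
C02EXAMPLE03,
C02EXAMPLE04,School MDM
"""
MDM_EXPORT = """serial,supervised
C02EXAMPLE01,yes
C02EXAMPLE02,no
C02EXAMPLE05,yes
"""


def load(text):
    """Index CSV rows by normalised (trimmed, upper-case) serial number."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["serial"].strip().upper(): row for row in rows}


def reconcile(asm_csv, mdm_csv):
    """Return the management gaps between the two inventories."""
    asm, mdm = load(asm_csv), load(mdm_csv)
    assigned = {s for s, r in asm.items() if r["mdm_server"].strip()}
    return {
        # Known to the organization but not routed to any MDM server.
        "unassigned_in_asm": sorted(set(asm) - assigned),
        # Assigned to a server but never enrolled: no policies applied yet.
        "assigned_not_enrolled": sorted(assigned - set(mdm)),
        # Managed but unknown to ASM: not covered by automatic enrollment.
        "enrolled_not_in_asm": sorted(set(mdm) - set(asm)),
        # Enrolled without supervision: reduced set of controls.
        "enrolled_unsupervised": sorted(
            s for s, r in mdm.items() if r["supervised"].strip().lower() != "yes"
        ),
    }


if __name__ == "__main__":
    for gap, serials in reconcile(ASM_EXPORT, MDM_EXPORT).items():
        print(f"{gap}: {', '.join(serials) or 'none'}")
```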
Integration with Google endpoint management
Administration Console: ASM or Apple Business Manager is integrated using a public key and Apple MDM server token, which must be uploaded and renewed when they expire. This integration allows Google to apply settings through its MDM profile and the Google Device Policy app.
Initial setup: After linking the token, you define how the center's iPhones and iPads are configured the first time they are started, which affects the entire organization. These parameters define the high-level experience and which setup assistant elements are omitted.
Restrictions and organizational units: On supervised devices, you can apply additional controls and segment by organizational units (for example, allowing app installations only to certain groups). This granular approach balances security and autonomy.
Assignment and synchronization: From ASM, assign serial numbers to the MDM server connected to Google; you can use default assignment, CSV, or enter numbers individually. Availability may take up to 24 hours, although it is usually sooner.
Lifecycle management: Removing a device from the list deletes the management profile; if the user adds the account again without restoring it, it will remain unmonitored. You can also restore the contents of your iPad from a backup to recover data. The console also allows you to delete corporate data or restore to factory settings when necessary.
Integration with Microsoft Intune for Education
Apple MDM push certificate (APNs): Create and upload the certificate to establish the secure connection between Intune and ASM; it is renewed every 365 days. Always use the institutional Apple ID and document who manages it to facilitate continuity.
Enrollment Program Token (DEP/MDM server token): Download the public key from Intune, create the MDM server in ASM, generate the token, and upload it to Intune. This token allows you to synchronize devices and populate the inventory in Intune for Education.
Enrollment options: You can require login with managed Apple IDs (ideal for shared iPad) or allow direct access with a device code if the center does not use managed identities. The choice is fixed by token and cannot be changed afterward; plan it well.
Enrollment and monitoring profiles: Intune applies an iOS profile with supervised mode and naming scheme (you can add a prefix). Supervised mode expands control capabilities and allows for silent app installation.
App and book tokens (VPP in ASM): Create locations in ASM, download the token, and upload it to Intune to sync catalogs, assign apps, and enable automatic updates if desired. Without this token, you will only be able to manage free apps with user intervention.
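The annual renewals named above and under "Critical renewals" (push certificate, enrollment token, app and book tokens) can be tracked with a small audit script. This is an added example, not part of the original guide or of Intune or ASM; it assumes the app and book token file is base64-encoded JSON with an expDate field, and every date, name and token value in it is constructed.

```python
import base64
import json
from datetime import datetime, timezone


def vpp_token_expiry(stoken):
    """Read the expiry from an app and book token (assumed base64 JSON with expDate)."""
    payload = json.loads(base64.b64decode(stoken))
    return datetime.strptime(payload["expDate"], "%Y-%m-%dT%H:%M:%S%z")


def renewal_report(expiries, now, warn_days=30):
    """Return (name, days_left, status) tuples, most urgent first."""
    rows = []
    for name, expires in expiries.items():
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((name, days_left, status))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample token; the "token" value is a placeholder, not a secret.
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "token": "CONSTRUCTED-PLACEHOLDER",
    "expDate": "2025-03-01T12:00:00-0700",
    "orgName": "Example School",
}).encode()).decode()


def sample_expiries():
    """Constructed dates: copy the real ones from your MDM console or certificate."""
    return {
        "APNs push certificate": datetime(2025, 9, 15, tzinfo=timezone.utc),
        "Enrollment server token": datetime(2025, 1, 20, tzinfo=timezone.utc),
        "App and book token (Main Campus)": vpp_token_expiry(SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    now = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed for a repeatable demo
    for name, days_left, status in renewal_report(sample_expiries(), now):
        print(f"{status:8} {days_left:5d} days  {name}")
```

In scheduled use, replace the fixed date with datetime.now(timezone.utc) and alert on any row whose status is not OK.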
Daily operations and incident resolution
Scheduled and manual synchronizations: frequently check the status of tokens and force synchronizations when you expect new batches of equipment or massive changes. Timely synchronization avoids doubts about why a device does not appear or does not receive policies.
License assignment by user or by device: Use device licenses in shared classrooms and user licenses in 1:1 scenarios. License reassignment in ASM gives you the flexibility to optimize costs and turnover.
Controls by role and delegation: create areas and locations so that managers and teachers have the right tools without "free rein" of permissions. Role-based management reduces risks and improves traceability.
Communication and training: document procedures (renewals, additions/deletions, classes) and train teachers in the use of Classroom and course start flows. An informed community reduces tickets and speeds up learning.
Legal and privacy considerations in education
Managed Apple IDs are designed to comply with child and student privacy frameworks, limiting features and access to certain services. The balance between security, teaching, and ease of use is the priority of Apple's educational ecosystem.
When a personal account is deleted following Apple's process, it cannot be reused as a managed account for an extended period. It is recommended to verify and secure your domains to avoid name conflicts in the future.
The inspection log in ASM includes who requested access, to which account, when, and whether it was completed, allowing searches by those with privileges. This traceability discourages misuse and helps to comply with audits.
Apple only uses personally identifiable information to resolve issues and improve their experience with the services involved. Data management is limited to the scope necessary to operate and support ASM and its services.
Apple's education ecosystem is constantly evolving, with improvements in management and cross-platform support. Following official guidelines and keeping your MDM integrations up to date ensures a robust and classroom-ready environment.
A careful implementation of Apple School Manager, well linked with your MDM, identity, and academic systems, makes it possible for devices to reach students ready to learn, for teachers to have classes and apps instantly, and for IT to gain time for strategic tasks. Between automatic enrollment, managed Apple Accounts, volume purchasing, and integrations with Google or Intune, your center can scale technology with control, security, and efficiency.




