As I touched on previously, the concept of a device supporting dual iCloud accounts on iOS is something I had not thought of until recently, but I do think it’s something enterprise customers would like to see from Apple. One of the benefits of iCloud is how heavily it’s tied into Apple’s iOS devices, but for enterprise and education customers, this means they won’t usually be able to use their device for anything personal. This week, I want to look at this in depth and discuss why Apple should offer a “dual iCloud account” setup for managed devices.
About Making The Grade: Every Saturday, Bradley Chambers publishes a new article about Apple in education. He has been managing Apple devices in an education environment since 2009. Through his experience deploying and managing 100s of Macs and 100s of iPads, Bradley will highlight ways in which Apple’s products work at scale, stories from the trenches of IT management, and ways Apple could improve its products for students.
I’m a heavy iCloud user, and in fact, I’ve been using Apple’s services since the .Mac days. It’s a badge of honor for me that my Apple ID works with @mac.com, @me.com (I still give this one out oddly enough), and @icloud.com. I know some people don’t trust Apple’s services, but I use iCloud for email, calendars, contacts, document storage, photos, etc.
With Apple’s services on iOS, you are generally limited to only being able to use a single account across the devices (exceptions to this are iMessage, FaceTime and the App Store/iTunes). With Apple pushing Managed Apple IDs for enterprise customers, I think there is a lot of opportunity for some additional controls for end users and IT administrators, and I think this comes through a dual iCloud account setup.
The Set Up Screen for Dual iCloud Accounts
When users are handed new devices, one of the first things they are asked to do is sign in to the device through iCloud. If they use a managed Apple ID, they’ll be unable to access anything on their personal Apple ID. What I envision in this process is that you are asked to sign into a managed Apple ID first. You’ll be able to turn on services that IT allows as part of this process. After that, you’ll be given the opportunity to sign into a personal iCloud account. IT will also be able to control which services can be enabled.
An organization that uses OneDrive, Box, or Google Drive will likely want to disable iCloud Drive, so no corporate documents end up on an unmanaged document provider. What happens if a user wants two sets of reminders? The Reminders app could show all of the lists, but use a different font to distinguish between corporate-owned reminders and personal reminders. The same could go for Photos.
You could have two libraries on the device, but you might have to choose a default for saving to and from other applications. IT wouldn’t be able to access your personal photos, but they’d have additional controls over work-related ones (perhaps you cannot empty the trash, etc.).
iCloud Backup and Password Resets
iCloud Backups are the only way to make an exact backup of an iOS device. In a dual iCloud account setup, IT departments will want to ensure that the device backups are happening only on the corporate account. This setting would ensure that in the event of legal matters or data recovery, they’d be able to reset the password of a managed Apple ID and then restore the data onto a new device.
Managed Apple ID for iMessage
iMessage has become the default messaging client for many people in my organization. We don’t use Slack, we don’t use Google Chat, and we don’t even use email as much as we did before. iMessage is Apple’s most popular service by far, and it’s a handy lock into the Apple ecosystem (it’s one of the reasons I never consider a Pixel phone).
On the flip side, iMessage is a black hole for IT departments. It can be used to share almost anything, but IT departments have no visibility into what is happening. I wouldn’t push for IT departments to be able to monitor messages (something Apple can’t even do), but I do think there should be some controls for message retention and management.
I think there should be two options here: users should be able to log in with multiple accounts, and policies should be applied to a corporate managed account. If the device is a corporate-owned iPhone, the associated phone number would have iMessage controls applied to it.
I would love to be able to control whether messages can be deleted. By not allowing messages to be removed, I can ensure that if I had to recover a message, I would be able to. If the user signs into the device with a personal Apple ID, any messages sent to that Apple ID/personal phone number would not be managed with the same controls. There would be a clear dividing line between iMessages on a personal Apple ID and those on a managed Apple ID.
Remotely Wipe Personal Apple ID Information
While I am very much in favor of IT departments being able to access any information on a device if needed, I also am a big believer in personal privacy. If a user is let go for any reason, they likely have to return their device immediately. IT departments have the ability to remove any unlock passwords on a device remotely, so they’d be able to access any personal information from a secondary iCloud account.
I’d want Apple to build a “remote wipe” feature for a personal Apple ID signed into a corporate device. This feature could easily be built into the Find My iPhone app. You’d see the corporate device in your list, and within a few taps, all personal data could be remotely removed.
These are just a few of the ideas I’ve had for how to implement dual iCloud accounts on iOS devices and why it should happen. Do you have any experience with this? Are there aspects of the configuration I missed? Let me know in the comments.