undefined | Better HN

0 pointsgeoffharcourt1d ago0 comments

The domain lock process was an absolute fiasco at our company. I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-mange place.

There are several cheap MDM solutions for Apple devices that I would rather pay for than be dependent on this. (We've used SimpleMDM and love them.)

0 comments

cocoflunchy1d ago

I'm currently in that hellish process too... I don't know how to get out of it. Did you know that your employees will be forbidden from downloading from the App store once you launched that migration? It's a nightmare

wpm1d ago

Well yeah, the idea is that if you have ABM, you have an MDM you can use to purchase licenses for them and install the apps with the MDM.

IrishTechie1d ago

It can be done that way, but it is definitely not the norm. Businesses will generally “purchase” (many for €0) apps in ABM that are to be used for business purposes and push those to devices, the user can then use an Apple ID to download any other apps they want for personal use.

1 more reply

anxman1d ago

This was a big pain in the ass for me to figure out. I ended up using the free version of Mosyle and hiring someone on Fiverr to help me figure out how to get the licenses assigned to our managed devices.

FireBeyond1d ago

Apple and MDM has always been a shit show. In the days as recently as Ventura (last time I tried it), MDM bypass was as simple as "null route 4 DNS entries during install process, remove null routing after install complete, and never be bothered by it again". This is on Apple Silicon. With no workarounds or anything, upgrades work all the way up to Tahoe.

Like really Apple, that's your device "locking"? I could test activate my work Mac with my personal Apple ID while doing this, no alarm bells, nothing, effectively "It's your laptop now".

IrishTechie1d ago

The baffling thing is that iOS+MDM has been fantastic over the years. macOS is a completely different beast though.

1 more reply

geoffharcourtOP16h ago

I did not. If I had known what would happen when we tried this we would have skipped the process entirely. Our staff (roughly 125) was so confused and it wasted a lot of time communicating about it, then trying to roll it back, etc.

pottertheotter1d ago

> I think this could work if you did this at the time your company launched, but the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-mange place.

I had the same thing happen but with Microsoft. A friend and I had started a small consulting business and were using Google Workspace, but I needed a Microsoft account to interact with a client. I made one with my business email. None of us knew any better, but I couldn’t connect with our client’s Microsoft setup because it was a personal account. So I went to set up a business account. It was a whole fiasco and the only way I could really fix it was create an alias and use that for Microsoft.

AdamN23h ago

That's why Enterprise vendors try so hard to get startups using their stuff. Lock-in is so strong. I can't imagine having a working system at a 100 person company and then trying to migrate to something else unless the current situation was truly awful.

SoftTalker13h ago

> the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-mange place

So give all the employees an email alias they can use to create a new Apple ID for this purpose?

yabutlivnWoods1d ago

> I think this could work if you did this at the time your company launched

This should not be a surprise. Greenfield services have not existed long enough to resolve edge cases that inevitably arise while integrating existing operating models already in use.

geoffharcourtOP9h ago

The broken part of this process (domain claim) has existed for several years as part of ABE, it isn't new.

wil4211d ago

How does a company allow personal Apple IDs?

rescbr1d ago

Employee needs to download Microsoft Remote Desktop (sorry, Windows App) that is only distributed through App Store.

Employee does not trust the company having access to everything else in their personal iCloud account - photos, mails, messages, calendar, reminders, etc.

Employee registers a new Apple ID with company email, as it would be only used for downloading one single app.

wil42115h ago

Got it. It’s registering with the company email first, not their personal one.

pottertheotter1d ago

I think the idea is that it happens before they lock the domain as a business. Before that, if you have an email address you can create a personal account with it.

jamiecurle1d ago

yes, that's exactly how it happens.

j / k navigate · click thread line to collapse

0 comments

cocoflunchy1d ago

wpm1d ago

Well yeah, the idea is that if you have ABM, you have an MDM you can use to purchase licenses for them and install the apps with the MDM.

IrishTechie1d ago

1 more reply

anxman1d ago

FireBeyond1d ago

Like really Apple, that's your device "locking"? I could test activate my work Mac with my personal Apple ID while doing this, no alarm bells, nothing, effectively "It's your laptop now".

IrishTechie1d ago

The baffling thing is that iOS+MDM has been fantastic over the years. macOS is a completely different beast though.

1 more reply

geoffharcourtOP16h ago

pottertheotter1d ago

AdamN23h ago

SoftTalker13h ago

> the moment you have employees who have Apple IDs tied to their work email that aren't from the Business Essentials system you are stuck in an impossible-to-mange place

So give all the employees an email alias they can use to create a new Apple ID for this purpose?

yabutlivnWoods1d ago

> I think this could work if you did this at the time your company launched

This should not be a surprise. Greenfield services have not existed long enough to resolve edge cases that inevitably arise while integrating existing operating models already in use.

geoffharcourtOP9h ago

The broken part of this process (domain claim) has existed for several years as part of ABE, it isn't new.

wil4211d ago

How does a company allow personal Apple IDs?

rescbr1d ago

Employee needs to download Microsoft Remote Desktop (sorry, Windows App) that is only distributed through App Store.

Employee does not trust the company having access to everything else in their personal iCloud account - photos, mails, messages, calendar, reminders, etc.

Employee registers a new Apple ID with company email, as it would be only used for downloading one single app.

wil42115h ago

Got it. It’s registering with the company email first, not their personal one.

pottertheotter1d ago

I think the idea is that it happens before they lock the domain as a business. Before that, if you have an email address you can create a personal account with it.

jamiecurle1d ago

yes, that's exactly how it happens.

j / k navigate · click thread line to collapse