
Use federated authentication with Google Workspace in Apple Business Manager
In Apple Business Manager, you can link to Google Workspace using federated authentication to allow users to sign in to Apple devices with their Google Workspace user name (generally their email address) and password.
As a result, your users can use their Google Workspace credentials as a Managed Apple Account. They can then use those credentials to sign in to their assigned iPhone, iPad, Mac, Apple Vision Pro, and to Shared iPad. After they’ve signed in to one of those devices, they can then also sign in to iCloud on the web (iCloud for Windows doesn’t support Managed Apple Accounts).
Google Workspace is the identity provider (IdP) that authenticates the user for Apple Business Manager and issues authentication tokens. Because Google Workspace performs the authentication, certificate authentication and two-factor authentication (2FA) configured there are supported for these sign-ins.
Federated authentication process
This process involves three main steps:
- Configure federated authentication. 
- Test federated authentication with a single Google Workspace user account. 
- Turn on federated authentication. 
Important: Review the following before you configure federated authentication.
- If you’re attempting to federate a domain you’ve already verified but another organisation has already federated the identical domain, you need to contact that organisation to determine who has the authority to federate the domain. See Domain conflicts. 
Step 1: Configure federated authentication
The first step is to establish a trust relationship between Google Workspace and Apple Business Manager.
Note: After you complete this step, users cannot create new unmanaged (personal) Apple Accounts on the domain that you configure. This could affect other Apple services that your users access. See Transfer Apple services.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager. 
- Select your name at the bottom of the sidebar, select Preferences, select Managed Apple Accounts, then select Get Started under “User sign in and directory sync.” 
- Select Google Workspace, then select Continue. 
- Select “Sign in with Google,” enter your Google Workspace administrator user name, then select Next.  
- Enter the password for the account, then select Next. 
- If necessary, review the list of automatically verified domains and any conflicting domains. 
- Carefully read the agreement, accept the Terms and Conditions, then grant the following permissions: 
- View audit reports for your Google Workspace domain 
- View domains related to your customers 
- See info about user accounts on your domain 
- Select Continue, then select Done. 
In some cases you may not be able to sign in to your domain. Here are some common reasons:
- The Google Workspace administrator account used doesn’t have permission to add domains. 
- The user name or password for the account used in steps 4 or 5 is incorrect. 
- You or another Google Workspace administrator modified the default attributes. 
Step 2: Test federated authentication with a single Google Workspace user account
Important: The federated authentication test also changes your default Managed Apple Account format.
You can test the federated authentication connection after you’ve performed the following tasks:
- The check for user name conflicts is complete. 
- The Managed Apple Account default format is updated. 
After you successfully link Apple Business Manager to Google Workspace, you can change the role of a user account to another role. For example, you may want to change the role of a user account to a Staff role.
- In Apple Business Manager, sign in with the Google Workspace user account you want to test. 
- If the user name you signed in with is found, a new screen indicates that you’re signing in with an account in your domain. 
- Select Continue, enter the password for the user, then select Sign In. 
- Sign out of Apple Business Manager. 
Note: Users can’t sign in to iCloud.com from a Mac unless they first sign in with their Managed Apple Account on another Apple device.
In some cases you may not be able to sign in to your domain. Here are some common reasons:
- The user name or password from the domain that you chose to federate is incorrect. 
- The account isn’t in the domain that you chose to federate. 
Step 3: Turn on federated authentication
If you’re planning to sync Google Workspace with Apple Business Manager, you need to turn on federated authentication before you sync.
- In Apple Business Manager, sign in with a user who has the role of Administrator or People Manager. 
- Select your name at the bottom of the sidebar, select Preferences, then select Managed Apple Accounts. 
- In the Domains section, select Manage next to the domain you want to federate, then select “Turn on Sign in with Google Workspace.” 
- Turn on “Sign in with Google Workspace.” 
If necessary, you can now sync user accounts to Apple Business Manager. See Sync user accounts from Google Workspace.