The Problem with Managed Apple IDs and iTunes U

As I write this, we are five days away from teachers coming back to school and eight days from pupils coming back.

And I have found a showstopper problem with Managed Apple IDs and iTunes U.

Please bear with me as the explanation will be slightly complex but it is essential to understand its impact if you are rolling out Managed Apple ID and rely on iTunes U.

Background

Briefly, a Managed Apple ID is an Apple ID that is created by the school for pupils. They can also be created for teachers and administrators. A Managed Apple ID allows access to iCloud and iTunes U but not to commercial services like the App Store and iBookstore. A Managed Apple ID is literally disbarred from any commercial transaction with Apple.

Contrast that with a 'consumer' Apple ID - the kind that every iOS user creates either through iTunes or through on-device setup when they buy an iPhone. These Apple IDs have no restrictions.

In our deployment, as in many others, teachers use their own personal Apple IDs on the iPads they use in school. This is obviously true - there has only ever been one kind of Apple ID and every teacher using an iPad must be using a 'consumer' Apple ID.

Since iTunes U 3.0 came out, teachers have been using these personal Apple IDs to create iTunes U courses for our pupils. The reason they were using personal Apple IDs is that the iTunes U app on iOS uses the Apple ID that is logged into the "iTunes and App Store" section of iOS Settings as the Apple ID for the teacher. There is no way to have a separate Apple ID just logged into iTunes U. Remember that fact; it will become important later on in this story.

Managed Apple ID

Once we were migrated to Apple School Manager, the first thing I tested was:

  • Create a Managed Apple ID for a fake student
  • Set up an iPad with that Managed Apple ID
  • Test enrolling in an iTunes U course that I created last year

Immediately I hit a problem. An error message stated:

"Your Apple ID can only enrol in courses from your institution."

I was confused by this because my courses are from my institution. Our school has an iTunes U site and all my courses are set to be from "Cedars School of Excellence". There is a menu in Course Settings where an instructor can choose which institution their course is associated with.

After some more messing around, I realised that what this error message actually means is this:

Students with Managed Apple IDs from a particular school's Apple School Manager domain can only enrol in courses that are owned by an Apple ID that is also from that same Apple School Manager domain.

I verified this by creating a new Managed Apple ID for myself, sharing a copy of my course to that Apple ID and then enrolling my fake student Apple ID in that course. This worked perfectly.

Consequences

So, as a result of this decision to only allow iTunes U interaction between Managed Apple IDs in the same ASM domain, this means that teachers effectively have to be using a school-issued Managed Apple ID to run their iTunes U courses.

This is fine - in a very restricted set of circumstances that don't apply to any existing school iOS deployment anywhere.

Firstly, every currently practicing iOS teacher will be using a consumer Apple ID. Very likely it will be their personal Apple ID. This is because this was exactly the deployment scenario that Apple has encouraged us to use since iOS 7: users bring a personal Apple ID and the school or business uses VPP Managed Distribution to assign apps to that Apple ID.

Secondly, because iTunes U does not have its own Apple ID login system but instead uses the iTunes and App Store setting on the device, there is no possibility of using a separate Managed Apple ID "just for iTunes U". Signing into a Managed Apple ID on an iPad to make iTunes U happy will mean that teachers have to switch Apple IDs to buy any app, buy an In-App Purchase or download any past content purchase in iTunes, iBooks or the App Store.

This is obviously a massive speed bump in the teacher's iPad experience. Worse, though, there are various vaguely-documented tripwires in the App Store that can lock a device into a specific Apple ID for 90 days:

"Computers and devices can be associated with a different Apple ID once every 90 days."

- View and remove associated devices in iTunes, Apple

It is not at all clear whether Managed Apple IDs are also subject to these restrictions. These tripwires are set server-side and it is far from certain that you could depend on their criteria not to change during the course of a deployment. I mean, what does it look like when the App Store sees the same iPad signing into and out of Apple IDs on a daily basis?

If teachers are expected to flip between two Apple IDs on their iPad - which they will probably be doing on a daily basis, if not hourly - what happens if (when?) the iPad gets stuck for 90 days on one or other Apple ID? Either the teacher is locked out of their courses for 90 days or they can't buy or download any apps for 90 days. I'm not an Apple Music subscriber, but some teachers somewhere surely are, and I'm told that Apple Music gets weird when you switch Apple IDs.

Workarounds

At the moment, I have no satisfactory workaround for this. I cannot conceivably expect teachers to switch to using a Managed Apple ID permanently, abandoning all their past purchases and content. Similarly, the idea of switching between two Apple IDs in the course of doing your job is maddening at best and potentially disastrous if you accidentally trigger an App Store tripwire.

The only workaround that I can live with right now is to just not use Managed Apple IDs for students. Fortunately, most of the pupils moving up to our secondary department already have a device-generic Apple ID that I can convert into their own Apple ID. It's just the new pupils that I have to worry about.

At the moment, Apple is checking whether the Apple IDs of both teacher and student are in the same Apple School Manager domain. To me, this is the wrong criteria. The check should be: is the student's Apple ID from the same institution as the course's Institution?

It should not matter whether the teacher's Apple ID is institutional or personal - if the teacher has the right to make courses for that institution, they should be able to enrol that institution's students in that course.

I speculate that the Apple School Manager database and the iTunes U course database are simply not integrated. Whichever part of the system that is performing this check doesn't know that the "Cedars School" in our iTunes U courses is the same "Cedars School" as in our Apple School Manager domain.

I don't know the exact technical and legal reasons why this decision was made. All I know is that this new system of Managed Apple IDs is currently undeployable for any existing iOS site. The problem is not actually a student problem; it's a problem for the teacher's user experience.