Apple @ Work: How Apple Business Solved the Shadow‑IT Problem of Apple Maps Connect
#Security

Mobile Reporter

Apple’s spring 2026 launch of Apple Business unifies device management, identity, and location services. By moving Apple Maps Connect into the Managed Apple Account framework, IT teams finally gain control over corporate storefronts that were previously owned by personal Apple IDs, eliminating a long‑standing shadow‑IT risk.

Apple announced Apple Business in the spring of 2026, merging three previously separate services (Apple Business Essentials, Apple Business Manager, and Apple Business Connect) into a single, identity‑driven portal. The headline feature was the free‑tier device management that lets schools, enterprises, and government agencies enroll macOS, iOS, iPadOS, and visionOS devices without a paid MDM license. Beneath that, Apple quietly closed a long‑standing security gap: corporate locations on Apple Maps were claimed with whatever personal Apple ID an employee happened to use, so the company never actually owned them.


Platform update – what changed?

Each component below is listed with its state prior to Apple Business and after Apple Business (2026).

Device enrollment
  Before: Apple Business Manager (ABM) plus Apple Business Essentials (paid)
  After: Unified enrollment flow; the free tier supports up to 5,000 devices per organization

Identity
  Before: Managed Apple IDs created manually, no SCIM support
  After: Automatic Managed Apple ID provisioning via SCIM 2.0, compatible with Google Workspace, Azure AD, and Okta

Location services
  Before: Apple Maps Connect accessed with personal Apple IDs; ownership tied to individual accounts
  After: Apple Business Connect (formerly Maps Connect) managed through Managed Apple Accounts; role‑based permissions enforced

SDKs
  Before: Maps Connect API v1 (deprecated)
  After: Business Connect SDK 2.0, requiring iOS 17.2 / iPadOS 17.2, macOS 14.2, visionOS 1.1

Platform requirements
  Before: macOS 13 and iOS 16 for MDM enrollment
  After: Minimum OS versions raised to macOS 14.2, iOS 17.2, and iPadOS 17.2 for the full feature set

The most visible change for developers is the Business Connect SDK 2.0. It adds a ManagedLocation class that can be queried only by a Managed Apple Account with the LocationAdmin role. The SDK also introduces a new entitlement (com.apple.businessconnect.location.manage) that must be declared in the app’s Entitlements.plist. Without it, calls to the mutable API return a permission error, so an app that has not been granted the entitlement cannot alter a company’s map data, whatever account it signs in with.


Developer impact – why it matters for cross‑platform teams

  1. Unified identity flow – Teams that already use SCIM to provision users in Microsoft Intune or Jamf now have a single source of truth for Apple devices. When a user is added to the Apple Business group in Azure AD, a Managed Apple ID is automatically created, and the user receives the appropriate role (e.g., LocationEditor). This eliminates the need for a separate “marketing‑only” Apple ID that lives outside the corporate directory.

  2. Role‑based access – The new SDK enforces granular permissions. A marketing specialist can be granted LocationEditor while an IT admin retains LocationAdmin. The distinction is enforced at the API level, not in the client, so a compromised marketing device cannot use a LocationEditor credential to perform LocationAdmin operations.

  3. Cross‑platform parity – The Business Connect SDK is shipped for iOS, iPadOS, macOS, and visionOS. For Android teams that need to surface the same location data, Apple provides a REST endpoint (https://businessconnect.apple.com/api/v2/locations) that respects OAuth 2.0 tokens issued to Managed Apple Accounts. This means a single backend can serve both Apple and Android clients without duplicating business logic.

  4. Version constraints – Because the SDK requires iOS 17.2+ and macOS 14.2+, older devices in the field fall back to the legacy Maps Connect API, which is read‑only. Developers should gate the mutable code path with a runtime check such as if #available(iOS 17.2, *) rather than relying on a compile‑time deployment target, so the same binary behaves correctly on both old and new devices.

  5. Testing considerations – Apple now ships a Business Connect sandbox in the Apple Developer portal. It mirrors production data but isolates changes, allowing QA teams to test location updates without affecting the live storefront. The sandbox uses the same Managed Apple Account model, so test accounts must be provisioned with the appropriate roles.


Migration – steps to bring your organization out of the shadow‑IT era

  1. Audit existing Apple Maps Connect accounts
    • Export the list of locations claimed with personal Apple IDs (available via the legacy API).
    • Identify owners who are no longer with the company.
  2. Provision Managed Apple Accounts
    • Enable SCIM in Apple Business → Settings → Identity Providers.
    • Connect your IdP (Google Workspace, Azure AD, Okta) and map corporate groups to Apple roles (LocationAdmin, LocationEditor).
  3. Transfer ownership
    • Rehearse the transfer in the Business Connect sandbox (sandbox changes do not touch the live storefront), then claim each legacy location in production with a newly created Managed Apple Account.
    • Verify that the ownerId field now points to a corporate‑managed account.
  4. Update your apps
    • Add the com.apple.businessconnect.location.manage entitlement.
    • Replace calls to the deprecated MapsConnectAPI with the new BusinessConnect SDK methods.
    • Implement fallback logic for devices running older OS versions.
  5. Decommission personal accounts
    • After verification, request Apple Support to release the old personal Apple IDs from the locations.
    • Revoke, then remove, any OAuth tokens issued to the old personal accounts that still live in CI/CD pipelines or secret stores; deleting the stored copy alone does not invalidate the token.
  6. Train stakeholders
    • Provide marketing teams with a self‑service portal that authenticates via Managed Apple ID but limits actions to the LocationEditor role.
    • Document the revocation process for off‑boarding employees.
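The audit, transfer and verification steps above are easy to describe and easy to get subtly wrong when there are hundreds of locations. The script below is an added example written for this article; it is not Apple’s code and not the Business Connect SDK. The shape of the legacy export (locationId, ownerId, ownerEmail fields), the Managed Apple Account records, and the role names LocationAdmin / LocationEditor are assumptions modelled on the text; the sample export, HR roster and account list are constructed. It classifies each legacy claim, builds a transfer plan in which an IT LocationAdmin account becomes the owner and still‑employed former owners keep LocationEditor rights, and then checks that every ownerId points at a managed LocationAdmin account.

```python
"""Audit legacy Apple Maps Connect claims and verify the hand-over to
Managed Apple Accounts.

Added example for this article: not Apple's code, not the Business Connect
SDK. Export field names, account records and role names are assumptions;
adapt parse_export() to whatever the real legacy export contains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    location_id: str
    name: str
    owner_id: str      # account that currently holds the claim
    owner_email: str


@dataclass(frozen=True)
class ManagedAccount:
    account_id: str
    email: str
    role: str          # "LocationAdmin" or "LocationEditor" (assumed names)


# --- Constructed sample data (not a real export) --------------------------
LEGACY_EXPORT = [  # assumed shape of the legacy API export
    {"locationId": "loc-001", "name": "Downtown store",
     "ownerId": "personal-111", "ownerEmail": "Jane@example.com"},
    {"locationId": "loc-002", "name": "Airport kiosk",
     "ownerId": "personal-222", "ownerEmail": "intern.2023@example.net"},
    {"locationId": "loc-003", "name": "Warehouse outlet",
     "ownerId": "managed-1002", "ownerEmail": "carol@example.com"},
]
ACTIVE_EMPLOYEES = {"jane@example.com", "carol@example.com"}   # HR roster
MANAGED_ACCOUNTS = [  # what SCIM provisioning is assumed to have created
    ManagedAccount("managed-1001", "jane@example.com", "LocationEditor"),
    ManagedAccount("managed-1002", "carol@example.com", "LocationAdmin"),
]


def parse_export(rows):
    """Turn raw export rows into Location records; a row with no owner is
    a data problem, not a location to migrate, so it is rejected loudly."""
    out = []
    for row in rows:
        if not row.get("ownerId"):
            raise ValueError(f"row without ownerId: {row.get('locationId')!r}")
        out.append(Location(row["locationId"], row["name"], row["ownerId"],
                            row["ownerEmail"].lower()))
    return out


def audit(locations, active_employees, managed_accounts):
    """Classify each location: already managed, personal-owned by an active
    employee, or personal-owned by someone who has left the company."""
    managed_ids = {a.account_id for a in managed_accounts}
    report = {"managed": [], "personal_active": [], "personal_departed": []}
    for loc in locations:
        if loc.owner_id in managed_ids:
            report["managed"].append(loc.location_id)
        elif loc.owner_email in active_employees:
            report["personal_active"].append(loc.location_id)
        else:
            report["personal_departed"].append(loc.location_id)
    return report


def plan_transfers(locations, active_employees, managed_accounts):
    """Ownership goes to an IT LocationAdmin account (IT owns the access);
    an active former owner is granted LocationEditor (marketing owns the
    content); a departed owner's personal ID is scheduled for release."""
    admins = [a for a in managed_accounts if a.role == "LocationAdmin"]
    if not admins:
        raise RuntimeError("provision at least one LocationAdmin before transferring")
    new_owner = admins[0]
    editors = {a.email: a for a in managed_accounts if a.role == "LocationEditor"}
    managed_ids = {a.account_id for a in managed_accounts}
    plan = []
    for loc in locations:
        if loc.owner_id in managed_ids:
            continue
        grant = editors.get(loc.owner_email) if loc.owner_email in active_employees else None
        plan.append({"locationId": loc.location_id,
                     "newOwnerId": new_owner.account_id,
                     "grantEditorTo": grant.account_id if grant else None,
                     "releasePersonalId": loc.owner_id})
    return plan


def apply_plan(locations, plan, managed_accounts):
    """Local simulation of the claim step so verify() can be exercised; the
    real transfer happens in Business Connect, not here."""
    email_of = {a.account_id: a.email for a in managed_accounts}
    new_owner = {p["locationId"]: p["newOwnerId"] for p in plan}
    result = []
    for loc in locations:
        owner = new_owner.get(loc.location_id, loc.owner_id)
        result.append(Location(loc.location_id, loc.name, owner,
                               email_of.get(owner, loc.owner_email)))
    return result


def verify(locations, managed_accounts):
    """Post-migration check: every ownerId must be a Managed Apple Account
    that holds LocationAdmin. Returns the location ids that still fail."""
    admin_ids = {a.account_id for a in managed_accounts if a.role == "LocationAdmin"}
    return [loc.location_id for loc in locations if loc.owner_id not in admin_ids]


if __name__ == "__main__":
    locs = parse_export(LEGACY_EXPORT)
    print(audit(locs, ACTIVE_EMPLOYEES, MANAGED_ACCOUNTS))
    plan = plan_transfers(locs, ACTIVE_EMPLOYEES, MANAGED_ACCOUNTS)
    for step in plan:
        print(step)
    print("unmanaged before:", verify(locs, MANAGED_ACCOUNTS))
    print("unmanaged after:", verify(apply_plan(locs, plan, MANAGED_ACCOUNTS), MANAGED_ACCOUNTS))
```

Two design choices matter here. Ownership is never handed to a LocationEditor, even when the original claimant is still employed, because the point of the migration is that IT, not an individual, holds the claim. And verify() checks the role of the new owner, not merely that the account is managed, so a location accidentally transferred to a marketing account is still reported as unmigrated.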

By following these steps, an organization can eliminate the risk of former employees or contractors retaining control over its digital storefronts. The result is a clear separation: IT owns the access, marketing owns the content.


What this means for the broader Apple ecosystem

Apple’s decision to fold location management into the Managed Apple Account framework signals a shift toward treating every corporate‑facing service as an extension of device management. For developers, this translates into more consistent APIs, tighter security, and a single onboarding experience for new Apple devices. For IT leaders, it removes a lingering blind spot that could have exposed brand reputation to accidental or malicious edits.

If you’re already using Mosyle’s Unified Platform, the migration is even smoother. Mosyle now includes a Business Connect module that automates the SCIM provisioning steps and surfaces a UI for bulk location transfers. Organizations that adopt Mosyle can complete the entire migration in under a week, according to Mosyle’s internal case studies.


Apple @ Work continues to explore how Apple’s enterprise tooling evolves. Stay tuned for deeper dives into the new Apple Business Essentials analytics dashboard and the upcoming visionOS device enrollment flow.
