I recently went through a similar proof of concept corporate iPad deployment and had the same questions walking in. The direction we went might not be the best solution, but it worked for us and maybe it will give you a hand with your deployment.
Know your Audience
Early in our deployment it became glaringly obvious that this would have to be a simple solution. Apple devices are designed to be simple, that's the draw in the corporate world. Our main audience was managers, VPs, and CXX level executives. A good number of these folks either aren't technically savvy enough to deal with a complicated configuration, or simply don't have the time to fuss with a device.
It should just work, out of the box, like it was designed.
Just Say NO to Multiple Accounts
Firstly I can see one big problem with your initial plan. By stating that you have an account created with a secret password I'm assuming that you're having a helpdesk configure the devices and install the software before they're handed over to your end users. What happens when an application is updated in the AppStore? Your helpdesk will have to enter the password to have the application updated. Depending on the size of your company this could eat up a ton of time, and most of your end users most likely won't ever bother to go through the process to upgrade.
Additionally, when John Doe leaves the company, the software purchased for jdoe@acme.com will be assigned to John's replacement Fred Flinstone and his iPhone. You now have fflinstone@acme.com using the account jdoe@acme.com. It might not be a big problem at first, but this will easily get difficult to manage down the road.
Mobile Device Management
Depending on the size of your deployment you might eventually start looking at one of the many Mobile Device Management (MDM) solutions out there. We did. It's likely that things will change in the future, but as of this posting we didn't find much that an MDM solution would bring to the table that our Exchange environment wouldn't already provide.
MDM offers a simplistic way to deploy VPN, Wi-Fi, and user profiles. If you're not using Exchange or aren't comfortable with rolling your own solution you might gain more from one than we were able to. Other benefits would be device tracking, and enabling your helpdesk to do basic device troubleshooting, device wiping, remote locking, etc. Read the link to Wikipedia above for more information and a decent list of the bigger vendors in the field.
Application Purchasing
We first identified a list of applications that we would recommend for different tasks, and published the list and relevant links on our company intranet. Initially we installed a few applications when we configured the device, but ran into the time problem above. We calculated a total estimated dollar figure of all applications that an average user would purchase and bought gift cards for that amount + an additional X% for growth. This was more convenient for how we do purchases than gifting would have been.
Apple recently announced their Volume Purchase Program (VPP), and you might want to look into that if the solution above isn't any help.
Further Reading
Best of luck to you; we learned that smart devices in the enterprise are a rapidly growing environment and there's no "right way" to do things yet. Apple is constantly improving their tools to make the transition better, but they're not quite there yet.
There are tradeoffs to any choice of Apple ID, but unless your personal Apple ID is tied to an Apple email, you can always rename the Apple ID and change email, DOB, security questions, etc…
For pilot projects on iOS where the budget for apps is less than $1000, I usually recommend a personal account option when you don't have someone in the organization to manage email / fire up new corporate accounts.
If you do have control and desire to set up a work Apple ID, then you should do that and keep the purchases on a work account per policy. This also is my primary recommendation for Macs since software costs are often higher and you are less likely to shuffle people through a Mac as opposed to an iPad or iPhone/iPod.
The process of discovering how you want to enable your people to work, and who will be responsible for managing Apple IDs / passwords, is more valuable than any decision you actually make. Most decisions can be fixed / adjusted / changed if you find you chose unwisely. Just write up your plan, review it internally and go. You don't have to get everything right if you can loop back in 3 months, see how you did and adjust accordingly.
I would go to the seller of your Macs and see if they can advise you on how to deploy. If you haven't purchased yet, go to your local Apple store (if there is one) and talk with their Business Team. They help hundreds of groups like you navigate the path of using Apple at work. They don't charge for their time, have amazing resources if you stump them, and can hand you off to a local consultant if it's more economical to hire expertise when you have more money than time or training. A good consultant will guide and inform you so you can use Apple's planning guides to best effect.
Here's my TLDR advice:
- Empower each Mac user to use their work email as their Apple ID and have no form of payment associated with these accounts.
- Expect them to handle purchases / updates with a discretionary budget of gift cards that work provides, so you'll train them or get them to Apple for training so they can perform basic tasks / troubleshooting without needing your help. Treat one-off purchases like other things you use expense reports for and review all purchases quarterly or annually to see which apps you want everyone to be using.
- Enroll your work in Apple's VPP program (even though it's designed for iOS - you will be forced to think about how to deploy apps and the resources there are worth your time to read / understand.) My guess is VPP will come to Macs this year with 10.9 - but that's wild speculation on my part.
- Use one account to gift required apps to each user account if you find gift cards unworkable. Use this for purchases that are role-based as opposed to exploratory or one-off needs.
- Consider enrolling in Joint Venture so Apple can provide your first line of help desk training and support in a business setting.
Best Answer
I will say that I have seen two small organizations do this, but the overhead of setting up the escrow of recovery keys took more effort than we are likely to save in three years of supporting the accounts.
Also, now that Volume Purchase Plan redemptions can be reclaimed and they are not lost when issuing expensive apps to personal Apple ID, the need to more tightly control which Apple ID is used to redeem a purchase is not nearly as valuable as it would have been in the cases where we looked at implementing this.
The strategy we are now taking is to just establish a written policy that work apps are to be returned to work, just like work computers and work phones, and have employees sign for the tools they are provided, with an HR policy to deduct value for tools not properly returned at the end of employment.