I get the following question regularly: "Can we configure our Apple iPads as shared devices, where users can sign in and sign out without seeing each other's data?" Most of the time it is about medical personnel who work in shifts and don't have a personal device, but you can also think of maintenance and field agents or flight crew members, for example.
In this case you want to let employees use their applications across a pool of shared devices. They should be able to pick any device from that pool, sign in and do their work. At the end of their shift or workday they should be able to sign out with all their personal and company information removed, or at least with that data no longer visible or accessible to other users of the same device. Just like on a shared Windows device, but on an iPad.
To answer the question: yes, you can! I will show you how to configure this step by step in this blog.
Users need to sign in on a Shared iPad with a Managed Apple ID. By enabling Federated Authentication with Microsoft Azure Active Directory in Apple Business Manager, this Managed Apple ID is created automatically the very first time the user signs in with his or her Azure AD account on a Shared iPad.
During this very first sign-in, a new Shared iPad passcode must be set. This passcode is stored in Apple Business Manager and is used on all Shared iPads; it is separate from the user's Azure AD password. After the Shared iPad passcode is set, the account is created. The account is visible in Apple Business Manager, and from there you can manage it with actions such as Shared iPad passcode reset, Sign Out Devices and Deactivate Account.
First, let's talk about the requirements. The following must be in place before you can start with the configuration:
- iPads need to run iPadOS 13.4 or higher
- You need an active Apple Business Manager account
- Devices must be registered in Apple's Automated Device Enrollment program (formerly called Apple DEP)
- Apple Automated Device Enrollment needs to be configured in Microsoft Endpoint Manager
- The Microsoft Intune MDM server needs to be configured in Apple Business Manager, and the devices need to be assigned to this MDM server
- Azure AD needs to be up and running
- For automatic deployment of applications from the public App Store, configure Apple VPP (optional)
The following steps are covered in this blog:
- Add your domain to the Apple Business Manager
- Enable Federated Authentication
- Create an Automated Device Enrollment Profile within Microsoft Endpoint Manager
- Test the results
- Possible next steps
Step 1 : Add your domain to the Apple Business Manager
Sign in to Apple Business Manager. The first step is to add your domain so users can sign in with their Azure AD account.
Within Apple Business Manager, navigate to Settings > Accounts and click Edit on the right of the Domains section.
Click Add Domain…
Fill in the Domain Name and click Add
Click Edit again
The TXT record information is now visible. This record needs to be created in the public DNS zone of your domain, at your registrar or DNS hosting provider.
Create a new TXT record with the name and value shown above.
Wait a few minutes for the DNS change to propagate, then click Check Now in Apple Business Manager.
If everything is configured correctly, the domain ownership is verified.
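Before clicking Check Now it is useful to confirm from outside your network that the record is actually published. The following script is an added example and not part of the original post: it queries a public resolver with `dig`, parses the TXT answers (a TXT record longer than 255 bytes is returned as several quoted chunks that must be joined), and checks that the exact verification value is present. The domain, the resolver and the `apple-domain-verification=` value are placeholders; take the real name and value from the Domains section in Apple Business Manager.

```python
"""Added example (not from the original post): verify that the Apple Business
Manager domain-verification TXT record is published in public DNS.

Assumptions: `dig` is installed, and the record name/value below are
placeholders to be replaced with the values shown by Apple Business Manager.
"""
import re
import subprocess

# One TXT record per line; each record is one or more double-quoted chunks.
_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_short_output: str) -> list:
    """Turn `dig +short TXT` output into a list of full record strings.

    Chunks on one line belong to the same record and are concatenated;
    escaped quotes inside a chunk are unescaped.
    """
    records = []
    for line in dig_short_output.splitlines():
        chunks = _CHUNK.findall(line)
        if chunks:
            records.append("".join(chunks).replace('\\"', '"'))
    return records


def verification_present(records: list, expected_value: str) -> bool:
    """True only if the exact expected value is one of the TXT records.

    Exact match, not substring: a record such as
    'apple-domain-verification=XYZ-old' must not count as a hit.
    """
    return any(r.strip() == expected_value for r in records)


def lookup_txt(name: str, resolver: str = "8.8.8.8") -> str:
    """Query a public resolver so an internal split-horizon zone cannot
    make the check pass while the public record is still missing."""
    return subprocess.run(
        ["dig", "+short", "TXT", name, f"@{resolver}"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    domain = "example.com"                                   # placeholder
    expected = "apple-domain-verification=EXAMPLE0123456789"  # placeholder
    records = parse_txt_records(lookup_txt(domain))
    print("verified" if verification_present(records, expected) else "missing")
```

Run it a few times against different public resolvers if the registrar's zone uses a long TTL; Apple's Check Now will only succeed once the record is visible from the outside.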
Step 2 : Enable Federated Authentication
The second step is to enable Federated Authentication so that users can sign in with their Microsoft Azure AD credentials.
In the Federated Authentication section, click Edit
Click Sign in to Microsoft Azure Active Directory Portal and sign in with a Global Administrator account.
In the Domains section, click Edit
Next to your domain name, click Federate
Sign in with a Global Administrator account whose UPN is in the domain you are federating.
Click Federation Not Enabled
Federation is now enabled for your domain name. Keep in mind that federation also claims existing personal Apple IDs that use an e-mail address in this domain; Apple Business Manager reports these conflicts and their owners are asked to change their Apple ID within a grace period.
Step 3 : Create an Automated Device Enrollment Profile within Microsoft Endpoint Manager
For the following steps, sign in to the Microsoft Endpoint Manager admin center.
Navigate to: Devices > Enroll devices > Apple enrollment and click Enrollment program tokens
Open your Apple Business Manager connection.
Click Profiles and click + Create profile > iOS/iPadOS
Give the new profile a name. In this case I will call it Shared iPads.
Select the following options;
User affinity : Enroll without User Affinity
Supervised : Yes
Locked enrollment : Yes
Shared iPad : Yes
Maximum cached users : *
Sync with computers : depending on the use case
Optionally you can configure a device name template.
* The number of users per device depends on which applications will be used, how many documents and media are stored in each profile, and of course the storage size of the device itself. For example, on an iPad with 32 GB of storage the system and apps take roughly 12 to 20 GB; the space that is left is divided among the cached users.
Keep in mind that the smaller each profile, the faster the sign-in experience will be. If you configure that 5 profiles may be kept on the device and a 6th user signs in, the profile of the user who has not signed in for the longest time is deleted. Until a profile is evicted, that user's data stays on the device and is separated from the other users by his or her Shared iPad passcode, so treat that passcode as the boundary between users and never let it be shared.
Fill in the Department and Department Phone information and choose which Setup Assistant screens must appear during the initial enrollment.
Make sure you assign this profile to your devices.
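The same profile can be created, and more importantly audited, with Microsoft Graph instead of the portal. The script below is an added example and not code from the original post or from Microsoft: it builds the request body for the Shared iPads profile with the options from this step and contains an audit function that flags enrollment profiles deviating from that baseline (user affinity enabled, unsupervised, enrollment not locked, or Shared iPad switched off). The property names are taken from the Graph beta `depIOSEnrollmentProfile` resource and may change, so check the current reference; `TOKEN_ID` (the id of your Apple Business Manager connection), the access token and the department details are placeholders.

```python
"""Added example (not from the original post): build and audit a Shared iPad
Automated Device Enrollment profile through Microsoft Graph (beta).

Assumptions: the beta resource type microsoft.graph.depIOSEnrollmentProfile
and its property names; TOKEN_ID is the id of your Apple Business Manager
connection under depOnboardingSettings; ACCESS_TOKEN carries the
DeviceManagementServiceConfig.ReadWrite.All permission. All are placeholders.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
TOKEN_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
ACCESS_TOKEN = "<bearer token>"                      # placeholder

# Settings every Shared iPad profile must have (Step 3 of the post).
BASELINE = {
    "enableSharedIPad": True,             # Shared iPad: Yes
    "supervised": True,                   # Supervised: Yes
    "isMandatory": True,                  # Locked enrollment: Yes
    "requiresUserAuthentication": False,  # Enroll without User Affinity
}


def shared_ipad_profile(name: str, max_cached_users: int, department: str,
                        phone: str, allow_computer_sync: bool = False) -> dict:
    """Return the POST body for a Shared iPad enrollment profile."""
    body = {
        "@odata.type": "#microsoft.graph.depIOSEnrollmentProfile",
        "displayName": name,
        "description": "Shared iPad, federated Managed Apple IDs",
        "sharedIPadMaximumUserCount": max_cached_users,
        # Sync with computers: "disallow" unless the use case needs it
        "iTunesPairingMode": "allow" if allow_computer_sync else "disallow",
        "supportDepartment": department,
        "supportPhoneNumber": phone,
    }
    body.update(BASELINE)
    return body


def audit_profile(profile: dict) -> list:
    """Return the baseline violations of one enrollment profile (empty = ok)."""
    findings = []
    for prop, expected in BASELINE.items():
        actual = profile.get(prop)
        if actual != expected:
            findings.append(f"{prop} is {actual!r}, expected {expected!r}")
    if profile.get("enableSharedIPad") and not profile.get("sharedIPadMaximumUserCount"):
        findings.append("sharedIPadMaximumUserCount is not set")
    if profile.get("iTunesPairingMode") == "allow":
        findings.append("iTunesPairingMode allows any computer to pair with the device")
    return findings


def graph_request(method: str, path: str, body=None) -> dict:
    """Minimal Graph call; needs network and a real token, not used offline."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {ACCESS_TOKEN}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_profile(profile: dict) -> dict:
    return graph_request(
        "POST", f"/deviceManagement/depOnboardingSettings/{TOKEN_ID}/enrollmentProfiles",
        profile)


def audit_all_profiles() -> dict:
    """Map every enrollment profile on the token to its list of findings."""
    page = graph_request(
        "GET", f"/deviceManagement/depOnboardingSettings/{TOKEN_ID}/enrollmentProfiles")
    return {p["displayName"]: audit_profile(p) for p in page.get("value", [])}


if __name__ == "__main__":
    profile = shared_ipad_profile("Shared iPads", 5, "IT", "+31 0 000 000")
    print(json.dumps(profile, indent=2))
    # create_profile(profile); print(audit_all_profiles())  # needs a token
```

Running `audit_all_profiles()` on a schedule catches the case where someone later flips a Shared iPad profile to user affinity or disables locked enrollment, which would let a user wipe the device and enrol it outside management.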
Step 4 : Test the results
Now that all configurations have been made, let's test the results!
I performed a factory reset on a device the new profile is assigned to. As you can see, Automated Device Enrollment starts after the reset.
After the automatic enrollment you are asked to enter an Apple ID. In this case the username entered does not have a Managed Apple ID yet, but it is an account in the Azure AD tenant.
Sign in with your Azure AD account.
The Managed Apple ID is created and the profile is cached on the iPad.
Select your language. This is a profile setting, not a device setting, and only has to be made once per user.
Select the written and spoken languages. This is also a profile setting, not a device setting, and only needs to be configured the very first time a user signs in.
Set the Shared iPad passcode. Again, this is the user's passcode, not a device passcode.
The profile is created and loaded, and the Home screen is visible. As you can see, the username is displayed in the top left corner.
When you pull down the Lock screen you can find the Sign Out button.
After signing out, the Recent Users screen is displayed. This is also the first screen shown after you turn the iPad back on.
When we take a look in Apple Business Manager, we see that the accounts are now visible and can be managed from there.
Step 5 : Possible next steps
- Publish Configuration Profiles and Applications with Microsoft Endpoint Manager