How to start with Shared iPads for Business with Microsoft Endpoint Manager (Intune) and Apple Business Manager

I get the following question regularly: “Can we configure our Apple iPads as shared devices, where users can log in and log off without seeing each other’s data?”. Most of the time it is about medical personnel who work in shifts and don’t have a personal device, but you can also think of maintenance and field agents or flight crew members, for example.

In this case you want to let the employees use their applications across a pool of shared devices. They should be able to pick any device from that pool, log in and do their work. At the end of their shift or workday, they should be able to log off with all their personal and company information removed, or at least with that data not visible or accessible to other users on the same device. Just like with a Windows device, but on an iPad.

To answer the question: yes, you can! I will show you how to configure this step by step in this blog.

Users need to log in on an iPad with a Managed Apple ID. By enabling Federated Authentication with Microsoft Azure Active Directory in Apple Business Manager, this Managed Apple ID is created automatically the very first time the user logs in with his/her Azure AD account on a Shared iPad device.

During this very first login, a new Shared iPad Passcode must be set. This passcode is saved in Apple Business Manager and can be used on all Shared iPad devices. After the Shared iPad Passcode is set, the account is created. This account is visible in Apple Business Manager, and from there you can manage the accounts with actions like Shared iPad Passcode reset, Sign Out Devices and Deactivate Account.

Requirements

First, let's talk about the requirements. The following must be met or in place before you can start with the configuration:

  • iPads need to run iPadOS 13.4 or higher
  • You need to have an active Apple Business Manager account
  • Devices must be registered in Apple's Automated Device Enrollment program (formerly called Apple DEP)
  • Apple Automated Device Enrollment needs to be configured in Microsoft Endpoint Manager
  • The Microsoft Intune MDM server needs to be configured within Apple Business Manager, and the devices need to be assigned to this MDM server
  • Azure AD needs to be up and running
  • For automatic deployment of applications from the public App Store, configure Apple VPP (optional)

The following steps are covered in this blog:

  1. Add your domain to the Apple Business Manager
  2. Enable Federated Authentication
  3. Create an Automated Device Enrollment Profile within Microsoft Endpoint Manager
  4. Test the results
  5. Possible next steps

Step 1 : Add your domain to the Apple Business Manager

Login to the Apple Business Manager. The first step is to add your domain so users can login with their Azure AD account.

Within Apple Business Manager, navigate to Settings > Accounts and click Edit on the right in the Domains section.

Click Add Domain…

Fill in the Domain Name and click Add

Click Edit again

Click Verify

TXT record information will now be visible. This record needs to be created at your domain registrar (or wherever the DNS zone for the domain is hosted).

Create a new TXT record as shown above.

Wait a few minutes until the change is processed, then click Check Now in Apple Business Manager.

If everything is configured correctly, the domain ownership is verified.
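Before clicking Check Now it is worth confirming from your own resolver that the TXT record is actually published; the most common reason verification fails is a record that has not propagated yet, or a value copied with a stray space or quote. The script below is an added example (not part of the original post) that parses the output of `dig +short TXT <domain>` and checks for the exact value Apple Business Manager gave you. The verification string in the sample output is a constructed placeholder, not a real Apple value; use the one the portal shows.

```python
"""Check that the Apple Business Manager domain-verification TXT record is
published, using the output of `dig +short TXT <domain>`.

Added example; not part of the original blog post. The verification value
below is a constructed placeholder: use the exact string Apple Business
Manager shows you. Typical use:
    dig +short TXT example.com | python3 check_txt.py '<value from ABM>'
"""
import re
import sys

# One double-quoted string in dig's TXT output, honouring \" escapes inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_short_txt(output: str) -> list:
    """Turn `dig +short TXT` output into a list of TXT record values.

    Each output line is one record. A record longer than 255 bytes is printed
    as several quoted chunks on one line ("abc" "def"); resolvers concatenate
    those chunks, so we join the chunks of a line back together.
    """
    records = []
    for line in output.splitlines():
        chunks = _QUOTED.findall(line)
        if not chunks:
            continue  # blank line or something that is not a TXT value
        # Undo the backslash escaping dig applies inside the quotes.
        records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records


def verification_record_present(output: str, expected: str) -> bool:
    """True if one of the published TXT records equals the expected value.

    The comparison is exact on purpose: a record with trailing whitespace or
    a typo is precisely the case where Check Now fails and you want to see why.
    """
    return expected in parse_dig_short_txt(output)


# Constructed sample output, in the shape `dig +short TXT example.com` prints.
SAMPLE_OUTPUT = '''"v=spf1 include:spf.protection.outlook.com -all"
"apple-domain-verification=PLACEHOLDER0123456789"
"MS=ms12345678"
'''

if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else "apple-domain-verification=PLACEHOLDER0123456789"
    # Read real dig output from a pipe; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = verification_record_present(data, wanted)
    print("verification record found" if found else "verification record NOT found")
    sys.exit(0 if found else 1)
```

Query the authoritative name server as well as your local resolver (`dig +short TXT example.com @ns1.yourdns.example`); if the record is on the authoritative server but not at your resolver, the problem is caching, and waiting is the right fix.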

Step 2 : Enable Federated Authentication

The second step is to enable federated authentication so that users can sign in using their Microsoft Azure AD credentials.

In the Federated Authentication section, click Edit

Click Connect

Click Sign in to Microsoft Azure Active Directory Portal and login with a Global Administrator account.

Click Accept

Click Done

In the Domains section, click Edit

Next to your domain name, click Federate

Sign in with a Global Administrator account whose UPN is in the domain you are federating.

Click Done

Click Federation Not Enabled

Federation is now enabled for your domain name.

Step 3 : Create an Automated Device Enrollment Profile within Microsoft Endpoint Manager

For the following steps, login to the Microsoft Endpoint Manager portal.

Navigate to: Devices > Enroll devices > Apple enrollment and click Enrollment program tokens

Open your Apple Business Manager connection.

Click Profiles and click + Create profile > iOS/iPadOS

Give the new profile a name. In this case I will name it Shared iPads.

Select the following options:

User affinity : Enroll without User Affinity
Supervised : Yes
Locked enrollment : Yes
Shared iPad : Yes
Maximum cached users : *
Sync with computers : depending on the use case

Optionally you can configure a device name template.

* The number of users per device depends on which applications will be used, how many documents and media will be stored in the profile, and of course the storage size of the device itself. For example, if you have an iPad with 32 GB of storage, the system and apps will take on average between 12 and 20 GB. The space that is left must be divided by the number of users.

Keep in mind that the smaller the profile, the faster the login experience will be. If you configure that 5 profiles may be cached on the device and a 6th user logs in, the profile of the user who has not logged in for the longest time is deleted.
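To make the sizing rule and the eviction behaviour above concrete, here is an added example (my own code, not from the post) that computes how many cached users fit a given per-user budget and simulates which profile is dropped when the limit is exceeded. It uses the post's own figures (32 GB device, 12 to 20 GB for system and apps) and implements the rule as the post states it: the profile of the least recently logged-in user goes first, and a user who logs in again moves back to the front of the line.

```python
"""Size the 'Maximum cached users' setting and simulate which cached profile a
Shared iPad drops when the limit is exceeded.

Added example; not the blog's or Apple's code. The eviction policy modelled
is the one the post describes (least recently logged-in user is removed).
"""
from collections import OrderedDict
from typing import Optional


def max_cached_users(device_gb: float, system_gb: float, per_user_gb: float) -> int:
    """Largest number of cached users that still gives each of them per_user_gb.

    Pass the worst-case system/app footprint (the post's upper bound of 20 GB)
    so a full app set does not silently eat the last user's quota.
    """
    free_gb = device_gb - system_gb
    if free_gb <= 0 or per_user_gb <= 0:
        return 0
    return int(free_gb // per_user_gb)


def per_user_quota_gb(device_gb: float, system_gb: float, cached_users: int) -> float:
    """Space each cached profile gets when the remaining space is split evenly."""
    if cached_users <= 0:
        raise ValueError("cached_users must be positive")
    return max(0.0, device_gb - system_gb) / cached_users


class CachedUsers:
    """Tracks the profiles cached on one iPad with least-recently-used eviction."""

    def __init__(self, limit: int):
        self.limit = limit
        self._users = OrderedDict()  # insertion order doubles as recency order

    def login(self, user: str) -> Optional[str]:
        """Record a login; return the user whose profile was evicted, if any."""
        evicted = None
        if user in self._users:
            self._users.move_to_end(user)  # existing profile: refresh recency
        else:
            if len(self._users) >= self.limit:
                evicted, _ = self._users.popitem(last=False)  # drop least recent
            self._users[user] = True
        return evicted

    def cached(self) -> list:
        """Cached users, least recently used first."""
        return list(self._users)


if __name__ == "__main__":
    # Worst case from the post: 32 GB device, 20 GB used by system and apps.
    print("max cached users at 2 GB each:", max_cached_users(32, 20, 2))
    print("quota per user with 5 cached:", per_user_quota_gb(32, 20, 5), "GB")
    ipad = CachedUsers(limit=5)
    for shift_user in ["u1", "u2", "u3", "u4", "u5", "u1", "u6"]:
        gone = ipad.login(shift_user)
        print(f"{shift_user} logs in; evicted: {gone}; cached: {ipad.cached()}")
```

The run shows why the setting matters operationally: with 5 cached users, u2 (not u1) is evicted when u6 logs in, because u1 logged in again in between. Staff who rotate through many devices will therefore regularly hit a cold login, which is the slow first-login experience the post warns about.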

Click Next

Fill in the information about the Department and Department Phone, and select which Setup Assistant screens must appear during the initial enrollment.

Click Next

Click Create

Make sure you assign this profile to your devices.

Step 4 : Test the results

Now that all configurations have been made, let's test the results!

I performed a factory reset on the device to which the new profile is assigned. As you can see, the automatic enrollment starts after the reset.

After the automatic enrollment, you will be asked to enter an Apple ID. In this case, the username that is filled in does not have a Managed Apple ID yet; it is, however, an account in the Azure AD tenant.

Click Continue

Login with your Azure AD account.

The Managed Apple ID will be created and the profile will be cached on the iPad.

Select your language. This is a profile setting, not a device setting, so it is a one-time setting that needs to be made per user.

Select the Written and Spoken Languages. This is also a profile setting, not a device setting, and needs to be configured only the very first time a user logs in.

Set the iPad passcode. Again, this is a user passcode, not a device passcode.

The profile is created and loaded, and the Home screen is now visible. As you can see, the username is displayed in the top left corner.

When you pull down the lock screen you can find the Sign Out button.

After logging out, the Recent Users are displayed. This will also be the first screen that is displayed after you turn an iPad back on.

When we take a look in the Apple Business Manager, we see that the accounts are now visible and can be managed from here.

Step 5 : Possible next steps

  • Publish Configuration Profiles and Applications with Microsoft Endpoint Manager

13 comments

  • I can see in Intune there is a shared device mode for Android now as well. Do you know if that is going to work in the same way? I’ve tested it on my tenant and there is no sign in and sign out feature and doesn’t appear to be multi-user at all.

  • Hi Robin,

    I am currently trying to pilot this as well. Though it is lacking documentation on the area available. Microsoft Docs points to enabling Shared Device using Configuration Profiles and the new Microsoft Enterprise SSO plug-in for Apple: Device configuration profile -> iOS/iPadOS -> Device features -> Single sign-on app extension:
    SSO app extension type: Azure AD
    Enable shared device mode: Enable

    Ref.: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-ios-shared-devices

    Is this the same setup? I’ve also tried your approach, but assumed this is an old method since the “Shared iPad” option under the enrollment profile says it is supported for iOS 9.3 and above and all docs on this subject says iOS 13+.

    With your approach I am unable to use the company portal since it tries to download the enrollment profile when launching, and therefore users are unable to install apps made available. Required apps are not installing either. Have you successfully pushed apps using the method described in your article or allowed for the company portal?

  • thanks for your article. I found it very helpful. I am working through it and I am concerned about the step when enabling federation. The message ‘We are verifying that no existing AppleIDs are using this domain…” We have users that currently use their work email, our domain, as their AppleID. Will this force them to use their Azure password when authenticating into, for example, the Apple store or iTunes? Thx

    • Every current Apple ID that is using an email address of your company domain will automatically be deleted after 60 days. Till that time users have the option to change their mail address to another domain address.

      • That is what I thought was going to happen, just hoping what I read online was not true. This is going to be fun getting users to change their email addresses. Thanks for your response and again thanks for posting these instructions.

      • That is not accurate. The Apple IDs will not be deleted but renamed until the user changes the ID.

  • Robin, great article.

    Have you or anyone else had issues with 14.2? I am getting stuck at “Configuring iPad” “Awaiting final configuration from ….”. This was apparently a 14.0 issue, MS says they fixed it, but I’m experiencing this still. Thanks!

    • I went through this as well. I opened a ticket with MS Intune Support who told me to log into Apple Business Manager, go into the properties of the iPad & unassign the device from MDM, then re-assign it to Intune MDM. Factory reset the device & the setup wizard completed on the next attempt.

      • I should have specified to perform a ‘Sync’ in Intune under Devices > iOS/iPadOS > Enrolment Programs > Intune after adding the device back to MDM.

  • Hi Robin, great article. Thanks for sharing the knowledge!

    According to MS docs, unless we use User Affinity and the Company Portal app deployment along with the VPP Token, modern authentication (MFA) would not be supported. Following that, I’m assuming your scenario would not work for users that are required to use MFA, am I right?

  • This article was awesome. It saved me a lot of time and eliminated a huge headache. I have one question for you. Users are prompted to create a passcode. Is there any way to make this their Active Directory password instead of a new passcode?

  • Question for you Robin:

    If a user uses Azure AD to initially sign into the iPad and then create a local passcode on the iPad, does the user’s Azure AD password ever come back into the picture when using this iPad? Do they just login with their custom iPad passcode from that moment on?

About Robin Hobo

Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
