Getting started with Shared iPad devices

This week is all about Shared iPad devices with Microsoft Intune. Shared iPad is an iPadOS configuration that easily lets multiple users share the same iPad. That configuration enables a personal experience for a user, on a device that is shared between multiple users. That personal experience enables users to be more productive, as users can simply pick up where they left off previously. This post will start with a short introduction to Shared iPad devices, followed by the configuration steps for those devices. This post will end by describing and showing the user experience with Shared iPad devices.

Introduction to Shared iPad devices

With shared devices, this post is referring to company-owned multi-user devices that can be used – depending on the use case – as single-purpose or multi-purpose devices. Familiar use cases are frontline workers and students. When looking at iOS/iPadOS devices, there are actually two different methods for addressing shared multi-user devices. That is without considering kiosk mode.

  1. Shared iPad – Shared iPad functionality is provided by Apple with iPadOS 13.4 and later. This functionality enables multiple users to sign in to the same iPad by using a Managed Apple ID. Based on that Managed Apple ID, the user receives access to the different Apple apps, data and resources on the Shared iPad. Besides users with a Managed Apple ID, it’s also possible to provide temporary access for users without an account, by using a guest account. Shared iPad also provides built-in functionality to automatically clean up cached user accounts, depending on the available storage on the device. Microsoft Intune can enable the Shared iPad functionality, by integrating with Apple Business Manager (ABM), and adds on to that functionality by configuring policies and distributing additional apps.
  2. Shared Device Mode – Shared Device Mode functionality is provided by Microsoft for iOS/iPadOS 13 and later. This functionality enables multiple users to sign in to the same Apple device by using an Azure AD account. Based on that Azure AD account, the user will be automatically signed in to any supported app. Microsoft Intune can enable Shared Device Mode, by using the Microsoft Enterprise SSO plug-in, and adds on to that functionality by configuring policies and distributing additional apps.

Unless an organization needs cellphone capabilities, or needs to use iOS devices, Shared iPad is the recommended shared device solution for Microsoft 365 on iPadOS devices. Shared iPad is also the focus of this post and before looking at the configuration in more detail, it’s important to be aware of a few unsupported scenarios. According to the documentation, app-based and device-based conditional access, app protection policies and device compliance policies are currently not supported.

Note: During my initial testing, I could successfully use app-based conditional access policies and apply app protection policies in combination with Shared iPad devices.

Configuration of Shared iPad devices

The configuration of Shared iPad devices depends on a few important configurations that should be in place and that are described below as prerequisites. Besides that, the main configuration of Shared iPad devices consists of the configuration and assignment of an enrollment profile for iPadOS devices.

Requirements and prerequisites for configuring Shared iPad devices

The Shared iPad functionality has the following requirements on the iPad device.

  • iPad Pro, iPad (5th generation or later), iPad Air 2 (or later), iPad mini (4th generation or later)
  • iPadOS 13.4 or later as platform
  • 32GB or more as storage

Note: Insufficient storage space can be a reason why the configuration of the iPad hangs during the remote configuration, with the message “Awaiting final configuration from company”.

The described configuration of Shared iPad devices assumes that the following configurations are in place.

Configuration steps for Shared iPad devices

The actual configuration of Shared iPad devices is achieved by using an enrollment profile for corporate-owned iPadOS devices that are synchronized via ABM. That enrollment profile will make sure that those iPadOS devices apply the correct enrollment configuration to bring those iPadOS devices in the correct mode. The following six steps walk through the creation of an enrollment profile for Shared iPad devices.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles to open the {YourEnrollmentToken} | Profiles page
  2. On the {YourEnrollmentToken} | Profiles page, click Create profile > iOS/iPadOS to open the Create profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  • Platform: iOS/iPadOS is preconfigured based on the initial start of the wizard
  4. On the Management Settings page (as shown in Figure 1), provide at least the following information and click Next
  • User affinity: Select Enroll without User Affinity as value, as a Shared iPad can’t have user affinity
  • Supervised: Select Yes as value, as a Shared iPad must be supervised
  • Locked enrollment: Select Yes as value, to make sure that the enrollment is locked on the device
  • Shared iPad: Select Yes, to enable the Shared iPad configuration
  • Maximum cached users: Specify a number of users that should be cached on the device

Note: A maximum of 24 users can be cached on a device with 32GB, or 64GB. Make sure to match this number with the number of users of the device. A number that is too low can mean that users have to wait longer to be productive, and a number that is too high can mean that the device runs out of space.

  • Sync with computers: Choose between Allow All, Deny All and Allow Apple Configurator by certificate, to specify if the device is allowed to sync with computers

Note: When choosing Deny All, the port will be limited to charging only.

  • Apple Configurator certificates: Specify a certificate when the requirement (and previous configuration) is to only allow Apple Configurator by certificate

Note: It’s important to have a local copy of the certificate, as it’s not possible to make changes to the uploaded copy.

  • Apply device name template (supervised devices only): Choose between Yes and No, to specify if the device should follow a specific naming standard
  • Device Name Template: Specify a device name template when the requirement (and previous configuration) is to apply a device name template

Note: The variable {{SERIAL}} can be used as serial number in the device name and the variable {{DEVICETYPE}} can be used as the device type in the device name.

  5. On the Setup Assistant page (as shown in Figure 2), provide at least the following information and click Next
  • Department: Specify the department name that should be displayed in the Setup Assistant during the setup of the Shared iPad
  • Department Phone: Specify the department phone number that should be displayed in the Setup Assistant during the device setup of the Shared iPad
  • Setup Assistant Screens: Specify the screens that should be displayed in the Setup Assistant during the device setup of the Shared iPad
  6. On the Review + create page, verify the configuration and click Create
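
The settings from the steps above, together with the device requirements listed earlier, expressed as a pre-flight check. This is an added example, not code from the original post or from Microsoft; the dictionary keys are hypothetical names that mirror the portal labels, not Intune or Graph property names, and the sample plans are constructed.

```python
import re

# Added example. Keys are hypothetical names mirroring the portal labels;
# they are not Intune or Microsoft Graph property names.
SYNC_MODES = {"Allow All", "Deny All", "Allow Apple Configurator by certificate"}
NAME_VARIABLES = {"SERIAL", "DEVICETYPE"}  # the two variables the post names
MAX_CACHED_USERS = 24                      # limit stated for 32GB and 64GB devices

def check_shared_ipad_plan(profile, device):
    """Return findings for a planned profile/device pair; empty list means OK."""
    findings = []
    # Device requirements: iPadOS 13.4 or later, 32GB or more storage.
    version = tuple(int(part) for part in device["ipados"].split("."))
    if version < (13, 4):
        findings.append("device: iPadOS 13.4 or later is required")
    if device["storage_gb"] < 32:
        findings.append("device: 32GB or more storage is required")
    # Management settings a Shared iPad depends on.
    if profile.get("user_affinity") != "Enroll without User Affinity":
        findings.append("user_affinity: a Shared iPad can't have user affinity")
    for key in ("supervised", "locked_enrollment", "shared_ipad"):
        if profile.get(key) != "Yes":
            findings.append(key + ": select Yes")
    cached = profile.get("maximum_cached_users", 0)
    if cached < 1 or (device["storage_gb"] in (32, 64) and cached > MAX_CACHED_USERS):
        findings.append("maximum_cached_users: use 1 to 24 on 32GB/64GB devices")
    sync = profile.get("sync_with_computers")
    if sync not in SYNC_MODES:
        findings.append("sync_with_computers: unknown value")
    elif sync.endswith("by certificate") and not profile.get("configurator_certificates"):
        findings.append("configurator_certificates: required for this sync mode")
    # A device name template may only use the variables named in the post.
    if profile.get("apply_device_name_template") == "Yes":
        used = set(re.findall(r"\{\{(\w+)\}\}", profile.get("device_name_template", "")))
        for var in sorted(used - NAME_VARIABLES):
            findings.append("device_name_template: variable not named in the post: " + var)
    return findings

# Constructed sample plans (not exported from a real tenant).
GOOD = {"user_affinity": "Enroll without User Affinity", "supervised": "Yes",
        "locked_enrollment": "Yes", "shared_ipad": "Yes", "maximum_cached_users": 10,
        "sync_with_computers": "Deny All", "apply_device_name_template": "Yes",
        "device_name_template": "{{DEVICETYPE}}-{{SERIAL}}"}
BAD = dict(GOOD, user_affinity="Enroll with User Affinity", maximum_cached_users=40,
           sync_with_computers="Allow Apple Configurator by certificate",
           device_name_template="{{USER}}-{{SERIAL}}")
DEVICE = {"ipados": "13.4", "storage_gb": 32}

if __name__ == "__main__":
    print("\n".join(check_shared_ipad_plan(BAD, DEVICE)) or "no findings")
```
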

Once the enrollment profile for Shared iPad devices is created, it can be assigned to devices that are synchronized via ABM. That assignment can be achieved by using one of the following methods.

  • Default profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles and use Set default profile to configure the default profile that is automatically assigned to all synchronized iOS/iPadOS devices for that specific enrollment token.
  • Assign profile – Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Devices and use Assign profile to manually configure the profile that is assigned to the specifically selected iOS/iPadOS devices that are synchronized for that specific enrollment token.

Configuration suggestions for Shared iPad devices

Once an iPad is configured as a Shared iPad, it’s possible to do additional configuration and to distribute apps. Below are a few suggestions to use and to keep in mind for further configuring Shared iPad devices.

  • Assign apps and policies to device groups, as user assigned apps and policies will not apply on Shared iPad devices.
  • Assign apps as required to device groups, as available apps (and the Company Portal app and website) are not supported on Shared iPad devices.
  • Only Apple VPP apps, line-of-business apps and weblinks can be distributed to Shared iPad devices, as the App Store cannot be used.
  • Disable the App Store via a device configuration profile (setting: Block App store), as the App Store is available on Shared iPad devices but the app installations are disabled.
  • Block guest sign in via a device configuration profile (setting: Block Shared iPad temporary sessions), to prevent temporary sessions and public access to the Shared iPad devices.

User experience with Shared iPad devices

Once all the required configurations are in place and the enrollment profile is assigned to an iPad, it’s time to have a look at the user experience. The enrollment is actually really simple and leaves little room for error. The IT administrator (or a user) turns on the iPad, selects the language and the location of the iPad, and connects the iPad to the Wi-Fi. The iPad will activate and will find the remote management configuration after connecting to ABM. That will trigger the Shared iPad configuration. The iPad will restart and the configuration of the iPad will start. Once the configuration is completed, the Shared iPad sign-in screen is shown.

Now the user can sign in with a Managed Apple ID and the profile will be created and cached locally on the Shared iPad. The first time a user signs in to a Shared iPad, the user should configure a language and location. Also, and this is where Shared iPad is a bit tricky from a user perspective, the first time a user signs in to a Shared iPad, the user should configure an iPad passcode. None of these configurations are specific to a single iPad; they are specific to Shared iPad. The user can now sign in with a Managed Apple ID and the iPad passcode, on any Shared iPad device. That means that from this point, the user has a separate passcode for Shared iPad devices.

Once the user is signed in to a Shared iPad, the name of the user will be visible in the top left corner of every screen (as shown below in Figure 3 and Figure 4). To sign out of the device, the user can swipe down to get a Sign Out button in the bottom right corner of the screen (as shown below in Figure 4). When the user is signed out, the device will show Recent Users (middle) and Other User (bottom left corner) as options to sign in to the device again. And when guest access is allowed, this screen will also show Guest (bottom right corner) as an option to sign in.

When working with Shared iPad devices, there are also a few practical things to keep in mind.

  • Only a limited number of settings and system apps are available on Shared iPad devices.
  • The passcode requirement for Shared iPad devices is a complex, 8-character alphanumeric passcode.
  • ABM should be used to reset the passcode of a user for a Shared iPad device.
  • The cached user data is removed after a passcode reset of that user for a Shared iPad device.

More information

For more information about Shared iPad devices and Microsoft Intune, refer to the following docs.
