Shared iPads for business were introduced by Apple with iPadOS 13.4. Organizations such as schools, healthcare institutions and logistics operations that require multiple users to log in on a single device, based on shifts or for specific tasks, can use the Shared iPad capability supported by Mobile Device Manager Plus.
Admins can allow users to log in on devices and sign out once the task is finished, thereby creating a secure workspace by ensuring user privacy on shared devices.
This option can be enabled on devices that are enrolled into Apple Business Manager/Apple School Manager, or devices that have been added to DEP. The Shared iPad capability is supported for the following devices:
- iPad Pro
- iPad - 5th generation series or above
- iPad Air 2 or above
- iPad mini - 4th generation series or above
To enroll devices through ABM/ASM, refer to the steps given in this document.
Enabling the Shared iPad setting:
- After you have generated the server token and uploaded it on the MDM server, click on Device Activation settings, navigate to the Shared iPad option and enable it.
- Enabling this option will allow the creation of multiple user accounts on iPads.
- Specify the number of user accounts to be created on the device, or specify the amount of storage assigned to each user.
Apple will limit the maximum storage per user for every device, based on the device's storage capability. For more information on how a device's storage is allocated per user, refer to this document from Apple.
All the devices that are added to the ABM server with the Shared iPad option enabled will be enrolled as Shared iPads.
Signing out users from a Shared iPad:
- Admins can keep track of which users log in or log out of a device by navigating to Inventory > Device > Device's name and then to User Accounts.
- If you want to remotely sign out users from their accounts on the devices, navigate to Inventory tab > Shared devices > Device name > Actions > Log out all users > Log out.
Authentication for Shared iPads using Azure AD:
Since different users will be accessing a single device, signing in can be a tedious process, with different user credentials and passwords being used. Apple permits MDM solutions to integrate federated authentication with Azure AD to simplify user authentication for Shared iPads. Users can then log in to a Shared device using their Azure credentials.
To use federated authentication for Shared iPads, the devices should be running on iPadOS 13.1 or higher. Follow the given steps to use federated authentication on Shared iPads:
- Log in to the Apple Business Manager Portal.
- Click on Settings > Accounts.
- Select Add domain under the Accounts tab, and enter the required domain (https://azure.microsoft.com/en-us/).
- After adding the domain, click on the Federation Enabled button to allow federated authentication.
Enabling this will allow users to sign in on Shared iPads using their Azure credentials.
To remove the Shared iPad setting/capability on devices, follow either of the given methods:
- Log in to the Apple Business Manager portal, and navigate to the Devices tab.
- Select the device which has the Shared iPad setting enabled on it, and click on Edit Device Management.
- A list of servers will be displayed. Click on another ABM server which does not have the Shared iPad setting enabled. This will transfer the Shared iPad to the selected ABM server.
- Click on Continue to save the changes.
- On the MDM server, navigate to the Enrollment tab and click on Apple Enrollment.
- Under ABM servers, select the server on which the Shared iPad is enrolled.
- Disable the Shared devices option and click on Modify.
- Factory reset the device and enroll it again into the MDM console. The iPad will be enrolled without the Shared iPad setting enabled on it.
Points to Note:
- The number of user accounts is dependent on the storage capability of the iPad. For more information, you can refer to this document.
- After the Shared iPad setting is enabled, the iPads will be enrolled as Shared devices by MDM. Hence, it is recommended that organizations maintain a separate DEP server for Managed Shared iPads.
- Ensure that Shared iPad functionality is allowed under Profiles > Restrictions > Device Functionality > Shared iPads.