Shared iPad for Business is an Apple solution that lets multiple users share one iPad, each signing in with their own Managed Apple ID. Users check in and check out of the iPad as they need it. Users' Managed Apple IDs are created in Apple Business Manager, often through federation to a third-party identity provider such as Azure Active Directory.
When a user signs in with a Managed Apple ID, the managing MDM provider is notified of the change and can take personalized actions so that only the resources needed by that user are shown.
When a user signs into an iPad, the user is automatically provisioned with a separate partition of the device's storage. This keeps the user's data separate from all other users' data, and data the user saves is stored in the iCloud storage of their Managed Apple ID.
Know about the software and hardware requirements for deploying Shared iPads for Business.
Minimum Device Requirements
iPads with 32 GB storage or higher and iOS 13.4 and later. To know more about device requirements, see Apple documentation here.
The following tasks must be completed before you configure Workspace ONE UEM Shared iPad functionality.
Apple Business Manager - Register your user ID with Apple Business Manager and create an administrator account. See Apple Documentation here. For information on integrating DEP with Workspace ONE UEM, see Apple Business Manager Device Enrollment Program in Integration with Apple Business Manager Guide.
Managed Apple IDs - Credentials required to sign into Shared iPads to access Apple services. For more information, see Managed Apple IDs.
Configuring Shared iPads
Workspace ONE UEM allows you to configure Shared iPads using the UEM console.
Perform the following task to set up a Shared iPad in the Workspace ONE UEM console.
- Configure a DEP profile. For more information on how to add a DEP profile, see Create or Edit the DEP Enrollment Profile.
While adding a profile, select the following options specifically to enable shared devices:
  - Custom Enrollment: OFF
  - Staging Mode: Multi user device
  - Default Staging User: Enter the staging user
  - Shared Devices: Enabled
- To assign a profile, navigate to Devices > Lifecycle > Enrollment Status > Select a Device > More Actions > Assign a Profile. For more information, see Manually Assign or Remove a DEP Profile.
- If you want to assign smart groups only for shared devices, see Create a Smart Group.
In Enrollment Category, you must choose Selected and then Apple - Shared iPad.
- Configure Managed Apple IDs for your enrollment users. For managing Apple IDs, see Manage Apple IDs.
- To select which Organization Group a Shared iPad moves to when a user logs in, navigate to All Settings > Devices & Users > General > Shared Device. Select the appropriate option.
Because a Shared iPad cannot prompt the user for a Group ID, selecting Prompt User for Group ID falls back to using a Fixed Organization Group.
Shared iPad Apps
When any user logs in, only the data belonging to that user is accessible; every other user's data stays securely stored in its own separate partition. When users log in and out of the Shared iPad, they only want to see the apps that are assigned and applicable to their account. One way to do this is to install all of a user's apps when they log in and remove them when they log out. However, this is slow and inefficient because users must wait for apps to install on each login.
Only Internal and Device Based Licensed apps synced from Apple Business Manager (public and custom) are supported on Shared iPads.
With the Shared iPad for Business in Workspace ONE UEM, apps that are assigned to a user will only be installed on that user's first login to the Shared iPad. Each subsequent login will not reinstall the assigned apps. After the user logs out, these apps will be hidden rather than removed. This provides a better, secure experience as the device is shared among multiple users.
Internal apps will install as new apps if the currently installed version is different than the highest assigned version of the logged in user. This occurs even if the new version is lower than the currently installed version. For example, if version2 of an app is installed on the device, but version1 is the highest version assigned to the logged in user, version1 will be installed and replace version2.
Here is a simple workflow to describe the typical Shared iPads app management concept.
- You get a new iPad and it is enrolled. A first user User1 logs in and that user is assigned App1, App2, and App3 and set for automatic deployment. All three apps are installed for the first time. User1 logs out.
- User2 logs in and is assigned App3 and App4. For User2, App1 and App2 are hidden automatically using a restriction configuration profile. This is managed by Workspace ONE UEM and requires no admin action to deploy. App3 is displayed because User2 is assigned this app, and App4 installs for the first time on the iPad.
At any point, for any user, only that user's assigned apps are visible on the screen and the rest are hidden. Other users' data is inherently protected because each user has their own data partition.
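The login and logout rules just described (install only on first login, hide rather than remove on logout, and the internal-app version rule where the logged-in user's highest assigned version replaces whatever is installed, even if it is lower) can be replayed as a small state machine. The following is an added Python illustration, not Workspace ONE UEM or Apple code; the `SharedIPad` class, the app names and versions, and the `run_workflow` scenario are constructed for this example, and it goes one step beyond the text by adding a third user to show the downgrade case.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SharedIPad:
    """Minimal model of app state on one Shared iPad (constructed for the example)."""

    # app name -> version currently installed on the device
    installed: dict[str, int] = field(default_factory=dict)
    current_user: str | None = None

    def login(self, user: str, assigned: dict[str, int]) -> dict:
        """Apply the login rules.

        `assigned` maps app name -> highest version assigned to this user.
        Returns which apps were installed for the first time, which were
        replaced by a different version, and which are visible or hidden.
        """
        installed: list[str] = []
        replaced: list[str] = []
        for app, version in assigned.items():
            current = self.installed.get(app)
            if current is None:
                # First login of any user assigned this app: install it once.
                self.installed[app] = version
                installed.append(app)
            elif current != version:
                # Internal-app rule: the logged-in user's highest assigned
                # version is installed whenever it differs from what is on
                # the device, even when that means a downgrade.
                self.installed[app] = version
                replaced.append(app)
        # Apps on the device that this user is not assigned are hidden by a
        # restriction profile, not removed, so they need no reinstall later.
        hidden = sorted(set(self.installed) - set(assigned))
        self.current_user = user
        return {
            "user": user,
            "installed": sorted(installed),
            "replaced": sorted(replaced),
            "visible": sorted(assigned),
            "hidden": hidden,
        }

    def logout(self) -> list[str]:
        """Logout removes nothing; every installed app stays for the next login."""
        self.current_user = None
        return sorted(self.installed)


def run_workflow() -> dict:
    """Replay the User1/User2 workflow from the text, plus a version downgrade."""
    ipad = SharedIPad()
    logins = []
    # User1: App1 (v2), App2, App3 all set for automatic deployment.
    logins.append(ipad.login("User1", {"App1": 2, "App2": 1, "App3": 1}))
    ipad.logout()
    # User2: App3 is already present, App4 installs for the first time.
    logins.append(ipad.login("User2", {"App3": 1, "App4": 1}))
    ipad.logout()
    # User1 again: nothing reinstalls, App4 is now the hidden one.
    logins.append(ipad.login("User1", {"App1": 2, "App2": 1, "App3": 1}))
    ipad.logout()
    # User3 (added case) is assigned App1 v1 only: v1 replaces the installed v2.
    logins.append(ipad.login("User3", {"App1": 1}))
    ipad.logout()
    return {"logins": logins, "final_installed": dict(ipad.installed)}


if __name__ == "__main__":
    for entry in run_workflow()["logins"]:
        print(entry)
```

The third login shows why the rule in the version paragraph matters operationally: assigning an older version to any one user of a shared device will downgrade the app for everyone who shares it, so version assignments on Shared iPads are worth reviewing across all user groups that can log in.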
Shared iPad Profiles
Profiles for Shared iPads differ slightly from profiles associated to typical one-to-one enrolled devices in that profiles configured to be automatically deployed are sent down during a user log in rather than immediately after enrollment. Each time a user logs into the Shared iPad the profiles assigned to that user are freshly installed on the device. This is to ensure that all profiles have accurate information relative to that user. For Shared iPads, there are two types of profiles that can be installed. These two types are device channel profiles and user channel profiles.
To deploy profiles to Shared iPads, no additional steps are needed beyond the typical profile assignment process. For more information on how to create and assign profiles to iOS devices, see Device Profiles in Workspace ONE UEM iOS Platform Guide.
Device Channel Profiles
Device channel profiles on Shared iPads are sent directly to the device, so every user who logs in has all assigned device profiles installed and applied. All profiles for non-Shared iPads are deployed as device channel profiles. On Shared iPads, not every profile payload that is available can be deployed through the device channel.
User Channel Profiles
User channel profiles on Shared iPads are sent to an individual user rather than to the entire device, so they apply only to the user who is logged in. Workspace ONE UEM automatically sends any assigned user profiles to that user when they log into the device.
To configure a profile for the device channel or the user channel, perform the following steps:
- Navigate to Devices > Profiles & Resources > Profiles > Add Profile.
- Select Device or User to configure the profile for the device channel or the user channel, respectively.
- Configure the profile as normal. For more information on configuring configuration profiles, see Device Profiles in Workspace ONE UEM iOS Platform Guide.
Managed Apple IDs
Managed Apple IDs are used to access Apple services through Apple Business Manager. These user accounts are created through integration with a third-party identity provider (IDP) such as Azure Active Directory. By default, these Apple Business Manager Managed Apple IDs are created using the User Principal Name from the IDP, but an admin can change this.
For Shared iPad users to receive the correct apps and profiles, the Managed Apple ID of the user logging into the device must match an enrollment user within Workspace ONE UEM. By default, Workspace ONE UEM assumes the Email Address value of the enrollment user is the Managed Apple ID. If your users require a different Managed Apple ID format, you can edit this in the Settings.
To know more about Shared iPad with Managed Apple IDs, see Apple Documentation here.
- Navigate to Settings > Devices and Users > Apple > Managed Apple ID.
- Select Enable Custom Managed Apple ID Format as Enabled.
- Enter Managed Apple ID Format including Lookup Values.
- Select the Child Permission.
- Inherit only.
- Override only.
- Inherit or Override.
- Click Save.
After clicking Save, the Managed Apple ID value of all users at that Organization Group will be updated. This will also occur if the Managed Apple ID settings are inherited at lower Organization Groups.
Shared iPad User Workflow
Users log into Shared iPads using the enterprise Managed Apple ID created by their organization's Apple Business Manager tenant through federation to an IDP such as Azure Active Directory. When this occurs, the device reports to Workspace ONE UEM which user has logged in, and Workspace ONE UEM assigns the device to the enrollment user with the matching Managed Apple ID.
To ensure Workspace ONE can appropriately associate the device to an enrollment user, the Managed Apple ID of a user logging into a Shared iPad must exist and be globally unique for that Workspace ONE environment.
If a user logs into the device with a Managed Apple ID that does not exist in Workspace ONE UEM, or that is associated with more than one enrollment user, the device remains associated with the multi-staging user originally used to enroll the device.
This is also the case if the user begins a Temporary Session. When this occurs, Workspace ONE UEM moves the device to the multi-staging user originally used to enroll the device.
Never delete the multi-staging enrollment user while there are active Shared iPads. Doing so leaves any device that falls back to the multi-staging user orphaned, and that device must be wiped and re-enrolled to a new multi-staging user.
Assign only the minimum required apps and profiles to the multi-staging enrollment user, because any user may be able to log into the device in this way.
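Two passages in this guide describe one matching rule: the custom Managed Apple ID format built from lookup values (Managed Apple IDs section) and the login workflow above, where a login whose Managed Apple ID matches no enrollment user, or more than one, leaves the device with the multi-staging user. The following Python is an added illustration of that rule, not Workspace ONE UEM or Apple code; the enrollment-user records, the two lookup values `{EmailAddress}` and `{EnrollmentUser}`, the case-insensitive comparison and the function names are assumptions made for the example.

```python
"""Resolve the Managed Apple ID presented at a Shared iPad login to a
Workspace ONE UEM enrollment user, following the rules in this guide.

Added example, not Workspace ONE UEM or Apple code. User records, lookup-value
names and function names are assumptions made for this illustration.
"""
from __future__ import annotations

import re

# Constructed enrollment users for one Workspace ONE environment.
ENROLLMENT_USERS = [
    {"username": "shared-staging", "email": "staging@example.com"},
    {"username": "jdoe", "email": "jdoe@example.com"},
    {"username": "asmith", "email": "asmith@example.com"},
    # A second record that reuses an email address: with the default
    # {EmailAddress} format this makes the Managed Apple ID non-unique.
    {"username": "asmith2", "email": "asmith@example.com"},
]
# The multi-staging user the devices were enrolled with (constructed).
STAGING_USER = "shared-staging"
# Lookup values supported by this example -> enrollment user attribute (assumed).
LOOKUP_VALUES = {"EmailAddress": "email", "EnrollmentUser": "username"}
# Default behaviour in the text: the email address is the Managed Apple ID.
DEFAULT_FORMAT = "{EmailAddress}"


def managed_apple_id(user: dict, fmt: str = DEFAULT_FORMAT) -> str:
    """Expand a Managed Apple ID format string for one enrollment user."""

    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in LOOKUP_VALUES:
            raise ValueError(f"unsupported lookup value {{{key}}}")
        return user[LOOKUP_VALUES[key]]

    # Email-style IDs are compared case-insensitively here (assumption).
    return re.sub(r"\{(\w+)\}", substitute, fmt).lower()


def duplicate_ids(fmt: str = DEFAULT_FORMAT) -> list[str]:
    """Managed Apple IDs that a format maps to more than one enrollment user.

    Run this before enabling a custom format: every Managed Apple ID must be
    globally unique in the environment, or those logins fall back to staging.
    """
    seen: dict[str, int] = {}
    for user in ENROLLMENT_USERS:
        mid = managed_apple_id(user, fmt)
        seen[mid] = seen.get(mid, 0) + 1
    return sorted(mid for mid, count in seen.items() if count > 1)


def resolve_login(presented_id: str, fmt: str = DEFAULT_FORMAT) -> str:
    """Return the enrollment username the device should be assigned to.

    Exactly one match -> that user. No match, or several matches -> the device
    stays with the multi-staging user, as it does for a Temporary Session.
    """
    wanted = presented_id.lower()
    matches = [u["username"] for u in ENROLLMENT_USERS
               if managed_apple_id(u, fmt) == wanted]
    if len(matches) == 1:
        return matches[0]
    return STAGING_USER


if __name__ == "__main__":
    print("duplicates with default format:", duplicate_ids())
    print("asmith@example.com ->", resolve_login("asmith@example.com"))
    custom = "{EnrollmentUser}@corp.example.com"
    print("duplicates with custom format:", duplicate_ids(custom))
    print("asmith2@corp.example.com ->", resolve_login("asmith2@corp.example.com", custom))
```

The duplicate-email pair shows why the uniqueness requirement matters: with the default format both records expand to the same Managed Apple ID, so that person's logins silently land on the staging user and receive only the staging user's apps and profiles. Switching to a format built on a unique attribute, as in the custom format above, restores a one-to-one match, which is the kind of check worth running before clicking Save on a new format.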
Monitor, Logout, and Delete a User
Workspace ONE UEM allows administrators to view the list of logged-in users, delete a user, and forcibly log out a user from a Shared iPad.
View Current User List
In Workspace ONE UEM, navigate to Devices > Details View > User List.
The active user and all other users who have used the device are listed, along with the last login time, name, Managed Apple ID, and other details.
Manually Delete a User
Some users are configured on Shared iPads but have not logged in for a while or have left the company. Admins can select such users from the list and delete them from the device.
In Device Details > Details View > User List, select a user and click Delete.
You have successfully deleted a user from the Shared iPad Device.
Manually Logout a User
Shared iPad users are not automatically logged out when idle. Workspace ONE UEM lets admins log out a user manually. When an administrator logs out a user, the device returns to the main lock screen, and the next user can then log in and use the Shared iPad.
To log out a user from Shared iPad, perform the following steps:
- In the Workspace ONE UEM console, navigate to Devices > Details View > More Actions.
- Select Admin.
- Select Log Out User.