check-circle-line exclamation-circle-line close-line

<

Mobile devices are often used to facilitate business functions in multiple vertical industries such as Healthcare, Retail, Transportation, and Banks. Some of these functions are performed with a common pool of shared devices. Organizations around the world choose iPhones and iPads to help facilitate these lines of business functions. Workspace ONE offers different solutions to enable iOS devices for shared purposes. Workspace ONE UEM can be configured to provide your shift workers access to corporate resources. Different apps and policies are assigned to shift workers based on their roles.

Workspace ONE offers multiple solutions for enabling shared use of devices in the enterprise depending on the type of devices you want to use and data separation needs.

Type User Data Separation Device Requirements
Check-in Checkout with Hub Limited. Requires removal and reinstallation of apps to clear app data between users iOS and iPadOS devices
Native iOS Shared iPads for Business Complete. Data is separated for each user by the operating system 32 GB+ iPadOS devices (13.4 and later)

Example Usage

  • Shared Bank Teller iPad in Financial Services
  • Shared Nurse iPhone/iPad in Healthcare
  • Shared Mobile Point of a Sale iPad in Retail

Check-in and Check-out with Hub

Intelligent Hub can be configured to operate in a multi-user mode allowing any employee to authenticate within Hub to allow Workspace ONE UEM to customize and configure the managed device with the respective policies and applications for that user.

Prerequisites

This guide assumes you have knowledge of certain workflows in the Workspace ONE UEM console, and have completed certain steps already:

  • iOS, iPadOS devices (preferably running latest version of iOS).
  • Intelligent Hub for iOS. See, App Store.
  • Supported version of Workspace ONE UEM. Solution available on all Workspace ONE license offerings (Standard, Advanced, and Enterprise). For more information on supported console versions, see VMware Lifecycle Product Matrix .
  • Smart groups are already created for your users. If a certain group of users need a different set of policies and/ or apps, separate smart groups are created for them.
  • Configured integration with Apple Business Manager for Automated Device Enrollment and distribution of volume purchased applications.
  • Internal and/or volume purchased applications through Apple Business Manager for your users are added into the Workspace ONE UEM Console.
  • User accounts for your users have been added to the Workspace ONE UEM Console. Intelligent Hub supports the following types of user authentication:
  • Profiles for applying device policies and network configuration must be created and assigned to your users.

Enrollment Configuration

For check-in and check-out with Hub use case, the enrollment configuration includes the following:

Create Multi-staging User Account

Enrolling a device using a multi-user staging account sets up the device for shared use. Additionally, the multi-user staging account can simplify bulk enrollment by enabling you to enroll all your shared devices with this account.

To create a multi-user staging account in the Workspace ONE UEM console:

  1. Navigate to Accounts > Users > List View > Add User.
  2. Add a username, full name, email, and password for the account in the General tab.
  3. In Advanced tab > Staging, enable Multi User Devices.
  4. Click Save.

Configure Automated Device Enrollment

To configure automated device enrollment in the Workspace ONE UEM console:

  1. Navigate to Groups and Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
  2. Create Automated Device Enrollment profile with Authentication OFF and staging enabled for Multi-Staging user.
  3. Click Save.

  4. Click Edit Assignment to assign the Device Enrollment profile to devices.

  5. Download the template for this batch type.
  6. Add all the serial numbers of devices that are to be provisioned to be used as shared devices.
  7. Import .csv file with list of Serial Numbers.
  8. Click Save.

Configure Deployment of Intelligent Hub

To configure deployment of Intelligent Hub:

  • Configure application licensing purchased through Apple Business Manager for Intelligent Hub application to be deployed via Device Based Licensing to managed devices silently without the need for an Apple ID on the device.

Configure Shared Device Settings

To configure shared device settings in the Workspace ONE UEM console:

  1. Navigate to Groups and settings > All Settings > Devices & Users > General > Shared Device

  2. Set the destination Organization Group for the device. This provides the flexibility to associate different Organization Group level policies for Shared Devices.

  3. Specify the Group Assignment mode. This prompts the user to enter the GroupID of the Organization Group destination.

    Selecting User Group Organization Group is an automated approach that Workspace ONE UEM uses to determine the right Organization Group based on defined mapping of User Group to Organization Group. For more information on configuring User Group Mapping, see Mapping your User Groups for Enrollment and Console Access.

Prompting end-user to enter GroupID is typically used in scenarios where the user has access to enroll devices into multiple organization groups. For example, for an organization group structure that is organized by a Hospital or a Retail Store location, the user can enter in the code for the respective Hospital or Store they are in that day to login.

  • Optionally choose to enforce Terms of Use on each login by user, as per organization requirements.
  • Optionally configure an Auto-Logout interval to avoid cases of user's forgetting to check the device back in, leaving the device being logged into a last-logged user.
  • Optionally enforce Single App Mode to lock the device to Hub automatically when the device is checked-in. This prevents anyone from accessing rest of the device or settings until a user can authenticate and check out.
  • Optionally disable the automated Clear Passcode behavior leaving a static password on the device (Given a passcode configuration is assigned). The default behavior of clearing passcode on each check-in is to prevent users from resetting the passcode to unlock the device that other users might not be aware of.

Native iOS Shared iPads for Business

Shared iPads are a subset of iOS devices that are configured to allow users to natively log in and log out of the iPad using their Managed Apple IDs. Each user that logs in is given their own secure partition of the device where their data is stored and accessed. This partitioning is managed by the OS automatically and is critical in providing a targeted experience to each user logging into the device.

This capability was originally released in iOS 9.3 through integration with Apple School Manager and Managed Apple IDs created on behalf of students. In iOS 13.4, this capability was released to Apple Business Manager as well for use with corporate, federated Managed Apple IDs.

Prerequisites

  • Workspace ONE UEM 20.07 and later.
  • Administrator access to an Apple Business Manager or Apple School Manager tenant.
  • 32+ GB iPad on iPadOS 13.4 and later. Each user is given a dedicated partition so the larger the storage, the more space available to each user or maximum number of users that can be configured simultaneously. iPhones and iPods are not supported.
  • Domain in Apple Business Manager federated. This is used for the creation of Managed Apple IDs and authentication when users are setting up accounts on new Shared iPads.
  • User accounts in Workspace ONE UEM. These accounts can be associated with a Managed Apple ID attribute.

Configure Managed Apple ID

Authentication on Shared iPads for business is entirely driven through Managed Apple IDs created or federated through Azure AD as part of Apple Business Manager.

To associate user objects in Workspace ONE UEM with the corresponding Managed Apple ID in Apple Business Manager:

  1. Navigate to Groups and Settings > All Settings > Devices & Users > Apple > Managed Apple ID.
  2. Toggle the Enable Custom Managed Apple ID Format to Enabled.
  3. Enter the format that corresponds to the Managed Apple IDs being created in Apple Business Manager. This can be a combination of lookup values and static values.
  4. Click Save.

Configure Automated Device Enrollment

To enable Shared iPad in Enrollment profile in the Workspace ONE UEM console:

  • Enabling Shared iPad in Enrollment Profile:

    1. Log into Workspace ONE UEM and navigate to Groups and Settings > All Settings > Devices & Users > Apple > Device Enrollment Program.
    2. Click to edit an enrollment profile.
    3. Toggle the Shared iPad setting to Enabled.
    4. Save the enrollment profile.

    5. Click Edit Assignment to assign the Device Enrollment profile to devices.

    6. Download the template for this batch type.
    7. Add all the serial numbers of devices that are to be provisioned and to be used as shared devices.
    8. Import .csv file with list of Serial Numbers.
    9. Click Save.

Note: Devices must be onboarded through Apple Business Manager to be enabled as Shared iPad. This might require a device to be factory wiped and re-enrolled.

  • Profiles and configuration Management:
    • Similar to Apps, configuration profiles like restrictions can be assigned and deployed to users. Every user who checks out the device will receive the assigned policies to be applied for their session. For more information about device based and user based policies for Shared iPads, see Shared iPads for Business in Apple Business Manager guide.

End-User Experience

Shared iPads allow Managed Apple IDs to log in and out of iPads. This allows Workspace ONE UEM to provide unique experiences for each user and preventing sharing data across users. However, this alters the experience away from the typical MDM enrolled iPad. These behaviors are determined by Apple and are active as of iOS 13.4.

  • Users first sign in with their Managed Apple ID (federated from Azure AD).
  • Users must perform initial setup steps before their first sign-in. These steps include selecting the user's preferred Language, Region, and setting a passcode. This passcode is used for unlocking the device when the user signs in.
  • Several device settings are removed, hidden, or read-only for users on Shared iPads. See Apple's documentation for more details on settings available to users of Shared iPads.
  • Shared iPads allow a temporary, authentication-less session, Guest login. It has no Managed Apple ID associated with it and any data on the device after the session is ended, is removed and is irretrievable.
Login Screen Recent Users Authentication

Steps for a new user that does not have an account on the iPad:

  1. Onboard the iPad through Apple Business Manager with Shared mode enabled in the enrollment profile. Existing devices must be factory wiped to onboard.
  2. Tap Other User.
  3. Enter the Managed Apple ID.
  4. Complete authentication steps for Managed Apple ID.
  5. Select Language, Region, and create a device Passcode.
  6. After the device usage, lock the device and tap Sign Out.

Steps for an existing user that does have an account on the iPad:

  1. Tap the icon for the account of the Managed Apple ID that must log in.
  2. Enter in passcode. This is the same device passcode created when the account was set up for the first time.
  3. After the device usage, lock the device and tap Sign Out.