Apple Shared iPad for Business

In iOS 9.3, Apple introduced Shared iPad for Education, which enables students and teachers to sign in with Managed Apple IDs from Apple School Manager. In iOS 13.4, Apple extends Shared iPad support to enterprises. Administrators can use MaaS360® to securely deploy supported iPads in Shared mode. With Shared iPads, multiple employees in an organization can sign in to or out of a single iPad with unique Managed Apple IDs that are created in Apple Business Manager (ABM).

The Apple Shared iPad feature offers the following benefits.

  • Enables multiple employees to share an iPad and provides a personalized experience for each user. For example, a nurse and a doctor can securely log in to the same device and access separate user profiles that are assigned to them.
  • Allocates a separate storage partition on the device for each user.
  • When employees sign in with a Managed Apple ID, the corresponding app data, files, policies, or mail accounts are automatically loaded to the device.
  • Shared iPad data is automatically synchronized to iCloud through the caching service. With content caching, the Shared iPad can download the data locally instead of from iCloud.
  • Administrators can remotely delete or log out users from the IBM® MaaS360 Portal.
  • Administrators can disable temporary sessions (guest user login) so that only employees with Managed Apple IDs can access the Shared iPad resources.

Requirements

  • The following devices support Shared iPad for Business:
    • iPad Pro
    • iPad 5th generation or later
    • iPad Air 2 or later
    • iPad mini 4th generation or later
  • iOS 13.4+ supervised device with at least 32 GB of storage.
  • Managed Apple IDs must be created in Apple Business Manager and linked to the user account.

Configuring a shared device

Customers that are part of the Apple DEP plan can use the Apple Shared iPad feature. The devices must be enrolled through DEP and enabled as shared devices. This feature requires that administrators modify the existing enrollment profile or create a new profile. Administrators must also reset the device back to factory settings for the enrollment to work.

Follow these steps to configure a shared device:
  1. Go to Devices > Enrollments. The Enrollments (Add Device Requests) page is displayed.
  2. Click Other Enrollment Options > Apple Device Enrollment (DEP).
  3. Click Profiles > Add Profile. The Add Profile window is displayed.
  4. Complete the mandatory fields and then select Supervise Device. By default, the Supervise device option is selected.
  5. Go to the Apple shared device settings tab. Select Apple Shared Device to configure the Shared iPad devices.
  6. Enter the domain in the Manage Apple ID default domains field. A maximum of three domains can be picked from the list.
  7. Enter the grace period time in days in the Online authentication grace period field for shared iPad online authentication.

    The Shared iPad verifies the user’s passcode locally during login for users that exist on the device. However, the system requires an online authentication after the number of days specified by this setting. Setting this value to 0 enforces online authentication every time. The accepted range of values is 0-14400 seconds.

  8. Select the Passcode policy.
    Auto lock time
    The time that the device can remain idle before it goes into sleep mode. The minimum time period is 120 seconds.
    Passcode lock grace period
    This controls the duration of the device lock period before a passcode is required.
    Remember: This setting is disabled if Temporary session is enabled.
  9. Select the Temporary session option. When enabled, the guest welcome page is displayed, and users can log in as guest users.
    Temporary session timeout
    The session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout.
    Remember: This setting is disabled when the Passcode policy setting is enabled.
  10. Select one of the following values in the Partition type. This is a mandatory field that must be selected to create a shared device profile.
    Resident Users
    The expected number of users who can log in to a Shared iPad. If this value exceeds the device's maximum supported users, MaaS360 automatically uses the maximum supported value instead.
    Quota Size
    The maximum storage allocated for each user on the shared device, in megabytes (MB). If the specified quota size is too small, the minimum quota size is used.
  11. Select Skip language and locale setup for new users. If enabled, the system picks the language and locale automatically for the new Shared iPad user.
  12. Enter the time in seconds in the User session timeout field. The session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout.
Tip: For the Apple shared device settings to be enabled, the user must select the Supervise device setting in the configuration tab.
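
The limits in steps 6 through 12 can be checked before a profile is saved. The following is an added example, not MaaS360 code: the dictionary keys are hypothetical names for the portal fields, and the limits are the ones stated in the steps above.

```python
# Added example: pre-flight check of Shared iPad profile values against the
# limits stated in the steps above. Key names are hypothetical, not MaaS360's.

def check_shared_ipad_profile(p):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []

    if len(p.get("default_domains", [])) > 3:
        findings.append("more than three Managed Apple ID default domains")

    # The page gives the accepted range as 0-14400; only the number is checked.
    if not 0 <= p.get("online_auth_grace_period", 0) <= 14400:
        findings.append("online authentication grace period outside 0-14400")

    passcode = p.get("passcode_policy")        # dict of passcode settings, or None
    temporary = p.get("temporary_session", False)
    if passcode and temporary:
        findings.append("passcode policy and temporary session cannot be combined")
    if passcode and passcode.get("auto_lock_seconds", 120) < 120:
        findings.append("auto lock time below the 120-second minimum")
    if temporary:
        # Guest sessions need no Managed Apple ID, so flag them for review.
        findings.append("temporary session enabled: guest login is allowed")

    for key in ("temporary_session_timeout", "user_session_timeout"):
        value = p.get(key)
        if value is None:
            continue
        if value == 0:
            findings.append(f"{key} is 0: no automatic logout on inactivity")
        elif value < 30:
            findings.append(f"{key} below the 30-second minimum")

    # Partition type is mandatory and is one of the two values.
    chosen = [k for k in ("resident_users", "quota_size_mb") if p.get(k)]
    if len(chosen) != 1:
        findings.append("exactly one partition type is required")
    return findings
```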

Resident users and quota size

Local storage is evenly divided among the number of users based on partition type.
  • If the storage capacity of a device is 64 GB or greater, 10 GB is allocated for the system, 16 GB for apps and media. The remaining storage is divided among the number of defined users, with 2 GB minimum per user.
  • If the storage capacity of a device is 32 GB, 10 GB is allocated for the system, 8 GB for apps and media. The remaining storage is divided among the number of defined users, with 1 GB minimum per user.

For example:

  • If the number of resident users is defined as 10 and the available storage on the device is 30 GB, then the storage that is allocated for each user is 3 GB.
  • If the quota size that is allocated for each user is 4000 MB (4 GB) and the available storage on the device is 20 GB, then the device has space for 5 users.

For more information on user space considerations, see https://support.apple.com/en-in/guide/mdm/mdm71124b400/web.
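
The allocation rules above can be worked through for either partition type. The following is an added example, not MaaS360 or Apple code. It assumes that 1 GB equals 1000 MB (as in the 4000 MB example), that the 32 GB rule applies to any device below 64 GB, and that the maximum supported number of users is the available storage divided by the per-user minimum.

```python
# Added example: storage planning from the rules on this page.
GB_MB = 1000  # the page equates 4000 MB with 4 GB

def available_mb(capacity_gb):
    """Return (storage left for user partitions, per-user minimum), in MB."""
    if capacity_gb >= 64:
        reserved_gb, min_user_gb = 10 + 16, 2   # system + apps and media
    elif capacity_gb >= 32:                     # assumption: covers 32 GB up to 64 GB
        reserved_gb, min_user_gb = 10 + 8, 1
    else:
        raise ValueError("Shared iPad requires at least 32 GB of storage")
    return (capacity_gb - reserved_gb) * GB_MB, min_user_gb * GB_MB

def plan(avail_mb, min_user_mb, resident_users=None, quota_mb=None):
    """Return (number of users, MB per user) for one partition type."""
    if (resident_users is None) == (quota_mb is None):
        raise ValueError("set exactly one of resident_users or quota_mb")
    max_users = avail_mb // min_user_mb         # assumed device maximum
    if resident_users is not None:
        if resident_users < 1:
            raise ValueError("resident_users must be at least 1")
        users = min(resident_users, max_users)  # too many users: use the maximum
        return users, avail_mb // users
    quota = max(quota_mb, min_user_mb)          # too-small quota: use the minimum
    return avail_mb // quota, quota

if __name__ == "__main__":
    # The two examples from the page, with available storage given directly.
    print(plan(30 * GB_MB, 2 * GB_MB, resident_users=10))
    print(plan(20 * GB_MB, 2 * GB_MB, quota_mb=4000))
    # A 32 GB device asked to hold 20 resident users is reduced to its maximum.
    print(plan(*available_mb(32), resident_users=20))
```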

Apple shared device user experience

Users must sign in to Shared iPads with their Managed Apple ID. After powering on a Shared iPad, users must complete the following initial setup steps before their first sign-in:

  1. Select the preferred language and country.
  2. Allow MaaS360 to download and install the DEP configuration.
  3. Sign in to the device with a Managed Apple ID.
  4. Create a device passcode.
  5. Verify your identity with two-factor authentication.

Result: The MDM profile is successfully configured on the device, but not displayed on the user interface.

First-time users follow these steps to sign in to the device:
  1. Update your password before signing in to your Apple ID by creating a new password.
  2. After you set the password, you must enter a phone number that can be used to verify the identity using text message or call.
  3. Enter the verification code sent to the phone number.
Note: The phone number that is provided at initial setup is not synchronized to Apple Business Manager (ABM).

Tracking Apple Shared iPads in the IBM MaaS360 Portal

After you successfully enroll the iPad, you can track the iPads that are enrolled in shared mode and track the list of active users in the Device details view.

Note: Before a user logs in to the device with a Managed Apple ID, the same Managed Apple ID must be linked to the user in the IBM MaaS360 Portal for the user to be displayed in the active users list.

In the Device Summary, the Apple Shared Device attribute is marked as Yes for devices that are enrolled in shared mode.

Advanced search

MaaS360 allows you to filter Shared iPads and create a smart device group with the advanced search option. To filter shared iPads:

  1. Go to Devices > Advanced Search.
  2. Use the following search criteria:
    Hardware Inventory Apple Shared Device Equal To Yes
  3. Click Search. The Search Results page is displayed.
  4. Click Create New Device Group. The Device Group Details window is displayed.
  5. Provide details about the new device group, including the name, description, and whether the group is public or private, and then click Save.

Remotely logging out and deleting users from Shared iPads

You can remotely view and issue delete and log out commands to Apple Shared iPad users from the IBM MaaS360 Portal.

Follow these steps to delete or log out users from the Apple Shared iPad:

  1. Go to Device > Inventory and then open a Shared iPad.
  2. In the Details view, select Summary > Display Active Users List. The list of Shared iPad users is displayed.
  3. Click Log out or Delete.

Supported Apple Shared iPad policies

You can apply both user and device policies to Apple Shared iPads. However, policies are not installed on the device immediately after device enrollment. Shared iPad policies are applied when a user logs in to the iPad, and the latest policies are applied at each login.

Note: Use the %email% or %username% placeholder in the policies against the email address or username fields instead of the user's actual email address so that the user's Managed Apple ID is automatically picked up when the policy is applied on the device. For example, if you provide an email address in the Google account configuration policies, that email address is visible across all users who log in to the Shared iPad.

Supported Apple Shared iPad apps

Only device-based VPP licensed iTunes apps and enterprise apps are supported on Apple Shared iPads. The apps assigned to users are installed at the user's first login, but are not removed from the device when the user logs out. Apps are not reinstalled on subsequent logins. The user's app data is stored in a separate partition on the device. Even though Shared iPad users can view all the apps that are installed by other users on the iPad, access and visibility to app data is restricted to the logged-in user. Data on a Shared iPad is saved to iCloud through the caching service. With Apple's smart content caching service, you can download app data locally instead of from iCloud.

Note:
  • Enable Install Automatically and distribute the device-based VPP licenses and enterprise apps.
  • Users cannot install the apps directly from the iOS App Store.
  • User-based licensed apps are not supported.
  • The Web Apps are not supported.
  • The MaaS360 App Catalog is not displayed on the device.

Temporary sessions

Shared iPads support temporary sessions, which are unauthenticated sessions that do not require a Managed Apple ID. However, administrators can remotely disable guest login sessions so that only employees with a valid Managed Apple ID can access Apple Shared iPad resources.

Follow these steps to disable temporary sessions:

  1. Open an iOS MDM policy and go to Supervised Settings > Restrictions & Network.
  2. Set the Allow Shared Device Temporary Session policy to No.