Apple Shared iPad for Business

Apple introduced Shared iPad for Education in iOS 9.3 that allowed students and teachers to sign in to Shared iPads with Managed Apple IDs that were created in Apple School Manager (ASM). For iOS 13.4, Apple extends the Shared iPad support to enterprises. Administrators can use MaaS360® to securely deploy supported iPads in Shared mode. With Shared iPads, multiple employees in an organization can sign in or out of a single iPad with unique Managed Apple IDs that are created in Apple Business Manager (ABM).

This feature offers the following benefits:

Allows multiple employees to share an iPad while providing a personalized experience for each user. For example, a nurse and a doctor can securely log in to the same device and access separate user profiles that are assigned to them.
Allocates a separate storage partition on the device for each user.
When employees sign in with a Managed Apple ID, the corresponding app data, files, policies, or mail accounts are automatically loaded to the device.
Shared iPad data is automatically synchronized to iCloud through the caching service. With content caching, the Shared iPad can download the data locally instead of from iCloud.
Administrators can remotely delete or log out users from the MaaS360 Portal.
Administrators can disable temporary sessions (guest user login), so that only employees with Managed Apple IDs can access the Shared iPad resources.

Requirements

The following devices support Shared iPad for Business:
- iPad Pro
- iPad 5th generation or later
- iPad Air 2 or later
- iPad mini 4th generation or later
iOS 13.4+ supervised device with at least 32 GB of storage.
Managed Apple IDs must be created in Apple Business Manager and linked to the user account.

Configuring a shared device

Customers that are part of the Apple DEP plan can use the Apple Shared iPad feature. The devices must be enrolled through DEP and enabled as shared devices. This feature requires that administrators modify the existing enrollment profile or create a new profile. Administrators must also reset the device back to factory settings for the enrollment to work.

Follow these steps to configure a shared device:

Go to Devices > Enrollments. The Enrollments (Add Device Requests) page is displayed.
Click Other Enrollment Options > Apple Device Enrollment (DEP).
Click Profiles > Add Profile. The Add Profile window is displayed.
Complete the mandatory fields and then select Supervise Device > Apple Shared Device.
Select one of the following values in the partition type:
- Resident Users: The expected number of users that can log in to a Shared iPad. If this value is greater than the value of the maximum possible number of users that the device supports, MaaS360 uses that value instead.
- Quota Size: The maximum storage allocated for each user. The device can override this value if the value entered is too small. Click Add. The devices must be enrolled with this configuration profile to be enabled as shared devices.

Resident users and quota size

Local storage is evenly divided for the number of users based on partition type.

If the storage capacity of a device is 64 GB or greater, 10 GB is allocated for the system, 16 GB for apps and media, and the remaining storage is divided among the number of defined users with 2 GB minimum per user.
If the storage capacity of a device is 32 GB, 10 GB is allocated for the system, 8 GB for apps and media, and the remaining storage is divided among the number of defined users with 1 GB minimum per user.

For example:

If the number of resident users is defined as 10 and the available storage on the device is 30 GB, then the storage allocated for each user is 3 GB.
If the quota size allocated for each user is 4000 MB (4 GB) and the available storage on the device is 20 GB, then the device is allocated to 5 users.

For more information on user space considerations, see https://support.apple.com/en-in/guide/mdm/mdm71124b400/web.

Apple shared device user experience

Users must sign in to Shared iPads with their Managed Apple ID. After powering on a Shared iPad, users must complete the following initial set up steps before their first sign in:

Select the preferred language and country.
Allow MaaS360 to download and install the DEP configuration.
Sign in to the device with a Managed Apple ID.
Create a device passcode.
Verify your identity with two-factor authentication.

Result: The MDM profile is successfully configured on the device, but not displayed on the user interface.

Sample enrollment screens:

First time sign in experience:

Note: The phone number that is provided at initial setup is not synchronized to Apple Business Manager (ABM).

Tracking Apple Shared iPads in the MaaS360 Portal

After you successfully enroll the iPad, you can track the iPads that are enrolled in shared mode and track the list of active users in the Device details view.

In the Device Summary, the Apple Shared Device attribute is marked as Yes for devices that are enrolled in shared mode.

Advanced search

MaaS360 allows you to filter Shared iPads and create a smart device group with the advanced search option. To filter shared iPads:

Go to Devices > Advanced Search.
Use the following search criteria:

Hardware Inventory Apple Shared Device Equal To Yes
Click Search. The Search Results page is displayed.
Click Create New Device Group. The Device Group Details window is displayed.
Provide details about the new device group, including the name, description, and whether the group is public or private, and then click Save.


`Hardware Inventory`	`Apple Shared Device`	`Equal To`	`Yes`

Remotely logging out and deleting users from Shared iPads

You can remotely view and issue delete and log out commands to Apple Shared iPad users from the MaaS360 Portal.

Follow these steps to delete or log out users from the Apple Shared iPad:

Go to Device > Inventory and then open a Shared iPad.
In the Details view, select Summary > Display Active Users List. The list of Shared iPad users is displayed.
Click Log out or Delete.

Supported Apple Shared iPad policies

You can also apply both user and device policies to Apple Shared iPads. However, policies are not installed on the device immediately after device enrollment. The Shared iPad policies are applied when the user logs in to the iPad, where the latest policies are applied at each device login.

Note: Use the %email% or %username% placeholder in the policies against the email address or username fields instead of the user's actual email address so that the user's Managed Apple ID is automatically picked up when the policy is applied on the device. For example, if you provide an email address in the Google account configuration policies, that email address is visible across all users who log in to the Shared iPad.

Supported Apple Shared iPad apps

Only device-based VPP licensed iTunes apps and enterprise apps are supported on Apple Shared iPads. The apps assigned to users are installed at the user's first login, but are not removed from the device when the user logs out. Apps are not re-installed on subsequent logins. The user's app data is stored in a separate partition on the device. Even though Shared iPad users can view all the apps that are installed by other users on the iPad, access and visibility to app data is restricted to the logged-in user. Data on a Shared iPad is saved to iCloud through the caching service. With Apple's smart content caching service, you can download app data locally instead of from iCloud.

Note:

Users cannot install apps directly from the iOS App Store.
User-based licensed apps are not supported.

Temporary sessions

Shared iPads support temporary sessions, an authentication-less session that does not require a Managed Apple ID. However, administrators can remotely disable guest login sessions, so that only employees with a valid Manage Apple ID can access Apple Shared iPad resources.

Follow these steps to disable temporary sessions:

Open an iOS MDM policy and go to Supervised Settings > Restrictions & Network.
Set the Allow Shared Device Temporary Session policy to No.