Anand P

Configure Shared iPad Using Microsoft Intune

Updated: 6 days ago

Hello everyone, in this blog I will discuss the concept of shared iPads, how to configure them efficiently for optimal use, and explore various use cases where they can be particularly beneficial. Shared iPads are increasingly being adopted in diverse settings, including businesses like manufacturing centers and educational institutions, primarily due to their ability to reduce hardware costs significantly. This innovative approach allows multiple users to access a single iPad while maintaining separate logins and ensuring data segregation. It provides each user with a personalized experience tailored to their individual needs and preferences.


Configuring shared iPads requires enabling the Shared iPad feature via Apple School Manager or Apple Business Manager, allowing seamless transitions between personal profiles. This setup lets administrators create multiple user accounts with unique settings and app access. Managed Apple IDs streamline user management, facilitating easy assignment and revocation of access.


In educational settings, shared iPads enhance learning by allowing multiple students to use the same device. Students can log in to access their work, preferences, and apps, promoting ownership and collaboration. Teachers can monitor usage to ensure effective educational outcomes. In manufacturing, shared iPads enhance operations and productivity by allowing employees to access training materials, manage inventory, and communicate efficiently. Separate accounts ensure data security, enabling workers to check production schedules and supervisors to monitor performance metrics on the same device without compromising confidentiality.


Organizations can enhance shared iPad efficiency by implementing policies, maintaining and updating devices regularly, and providing user training. This approach ensures smooth and secure device operation, extends device lifespan, and improves user satisfaction by fostering responsibility for shared resources.


Prerequisite

  • Mobile Device Management (Microsoft Intune, AirWatch, etc.)

  • Apple Business Manager

  • Managed Apple Account

  • iPad running iPadOS 13.4 or later

  • All iPad Pro models

  • iPad (5th generation) or later

  • iPad Air 2 or later

  • iPad mini (4th generation) or later


For more information on setting up Apple Business Manager and Managed Apple, please refer to my previous blog posts through the link.


Shared iPad Storage Allocation


Before proceeding with the configuration, let's understand how storage works on a shared iPad. This will help you determine the appropriate storage needed for your use case.


When configuring a new Shared iPad with iPadOS 13.4 or later, you can use your MDM solution to either set the maximum storage per user or determine the maximum number of users that the device can accommodate simultaneously. If no configuration is specified, Shared iPad defaults to allowing 10 users. Once iPadOS is installed, storage is allocated based on the device's capacity.


  1. Reserved Storage

    An allocated part of the device's storage is dedicated to the iPad operating system (iPadOS) and pre-installed system applications. This allocation ensures that the device operates efficiently, regardless of user actions.


  2. Per-User Data Partitioning

    The leftover storage is allocated to users according to the number of accounts and the device's overall capacity. Each user receives an individual, encrypted partition to store their Application data, Files (such as notes and photos), Settings, and preferences.


  3. Dynamic Storage Location

    Storage is allocated based on the number of users and their activity. When a user logs in, their data is downloaded from iCloud. If multiple users share the device, the system keeps frequently used data and moves less-used data to iCloud. If storage is limited, older and less frequently used data is offloaded to ensure space for active users.


  4. Guest Session

    Temporary storage is assigned for guest use, and data is removed at the end of the session to release space.


  5. MDM Controlled Quotas

    Administrators can set user storage limits through mobile device management. They can specify the maximum storage allotted to each user. Quotas prevent any one user from dominating the available storage, ensuring a fair experience for all.


We will now look at examples of how storage is allocated on a shared iPad for 8 users per device across 32 GB, 64 GB, and 128 GB options. This will provide a brief understanding of storage allocation and help you choose the appropriate storage size and number of users for each shared iPad based on specific use cases.


Use Case 1: For an iPad with 32 GB and 8 users, the device will allocate 10 GB for the system and 8 GB for applications and media. The remaining space is distributed among the users, giving 1.75 GB per user.


Use Case 2: For an iPad with 64 GB and 8 users, the device will allocate 10 GB for the system and 16 GB for applications and media. The remaining space is distributed among the users, giving 4.75 GB per user.


Use Case 3: For an iPad with 128 GB and 8 users, the device will allocate 10 GB for the system and 16 GB for applications and media. The remaining space is distributed among the users, giving 12.75 GB per user.



To manage shared iPads, the organization needs Apple Business Manager. For further information on setting up Apple Business Manager for your organization, you can follow this link.


Steps to Configure Shared iPad in Intune


Step 1: Create an Enrollment Profile In Intune

Log in to the Intune admin center at https://intune.microsoft.com, navigate to Devices, select iOS/iPadOS, then click on Enrollment and choose Enrollment Program Token. Select the token that has been previously created. If no token exists, please follow the instructions to create an ADE token at Setup Apple automated device enrollment (ADE) token in Intune.


Tap on Profiles, create a new profile, select the appropriate OS type, provide a name for the profile, and tap on Next.

For the user affinity option, select Enroll without user affinity, and set Supervised to Yes, Locked enrollment to Yes, Shared iPad to Yes, and specify the number of users that can be cached. Decide whether the iPad can sync with computers, and select a device name template if the device requires a specific naming convention.

Create and verify the profile

After completion, you can view the profile under the profile tab.

Step 2: Assign Devices


Use Apple Business Manager to assign devices to the Intune profile. To learn more about how to assign a device to a profile, see this blog: https://www.cloudtekspace.com/post/using-apple-business-manager-abm-assign-or-remove-a-device-from-intune


Step 3: Configure Settings for Shared iPad


Shared iPad configurations can be set up in a device configuration profile for both device and user contexts. Device-specific settings impact all active users on a Shared iPad. User-specific settings apply when the user is active on any Shared iPad device. The table below will help you determine which settings apply to a device type, a user group, or both.

| Profile type | Setting name | Applicability on device group assignment | Applicability on user group assignment |
|---|---|---|---|
| Device features | Home screen layout | Device | User |
| Device features | App notifications | Device | User |
| Device features | Single sign-on app extension | Device | User |
| Device features | AirPrint settings | Device | Not applicable |
| Device features | Lock screen message | Device | Not applicable |
| Device features | Web content filter | Device | Not applicable |
| Device restrictions | Block Shared iPad temporary sessions | Device | Not applicable |
| Device restrictions | Defer software updates | Device | Not applicable |
| Device restrictions | Force automatic date and time | Device | Not applicable |
| Device restrictions | Require joining Wi-Fi networks only using configuration profiles | Device | Not applicable |
| Device restrictions | Allow users to boot devices into recovery mode with unpaired devices | Device | Not applicable |
| Device restrictions | Block Siri for dictation | Device | Not applicable |
| Device restrictions | All other settings in the device restrictions | Device | User |
| Email | All settings | Device | User |
| VPN, Wi-Fi, Certificate | All settings | Device | Not applicable |

  • For a user group policy assignment to be successful, your Microsoft Entra instance needs to be federated in Apple Business Manager.

  • All device configuration profile settings apply to devices during Shared iPad temporary sessions.

  • When a user logs into a shared iPad with their federated Microsoft Entra credentials, the user-assigned policies are applied.

  • Policies assigned to a device are implemented on a shared iPad either when you initiate a device sync from the admin center or when Intune prompts the device to check in with the Intune service, which occurs every 8 hours.


Access the Intune admin center at https://intune.microsoft.com, go to Devices, choose iOS/iPadOS, then click on Configuration, select New Policy, tap on Device Restriction, and tap on Create.


Assign a name to the policy and then choose the necessary configurations according to your requirements and assign them to the respective group.


Step 4: Deploy Apps and Policies


A shared iPad is compatible with certain types of applications. Administrators can deploy volume-purchased (VPP) apps, custom apps, line-of-business apps, or web apps to a Shared iPad device. The table below shows, for each app type, whether it can be assigned to a device group, a user group, or neither.

| App type | Applicability on device group assignment | Applicability on user group assignment |
|---|---|---|
| Line-of-business app | Device | Not applicable |
| Device-licensed volume-purchased or custom app (VPP) | Device | Not applicable |
| User-licensed volume-purchased or custom app (VPP) | Not applicable | Not applicable |
| Web app | Not supported | User |
| App Store app | Not applicable | Not applicable |

You can develop compliance policies to ensure the device is secure and meets the organization's compliance standards, such as blocking jailbroken devices, minimum OS version, etc.

You can create a dynamic device group to assign these profiles to devices enrolled with the enrollment profile. The membership rule can be: (device.enrollmentProfileName -eq "Shared Ipad")
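
One way to create the dynamic device group described above with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The group display name, description and mail nickname are hypothetical, and the profile name in the rule is assumed to be the name given to the enrollment profile in Step 1.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an account that is allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$profileName = 'Shared Ipad'           # assumption: name of the enrollment profile from Step 1
$groupName   = 'Shared iPad devices'   # hypothetical display name
$rule        = '(device.enrollmentProfileName -eq "{0}")' -f $profileName

# Look the group up first so that re-running the script never creates a duplicate.
$select   = 'id', 'displayName', 'groupTypes', 'membershipRule'
$existing = @(Get-MgGroup -Filter "displayName eq '$groupName'" -Property $select)

if ($existing.Count -gt 1) {
    throw "More than one group is named '$groupName'; resolve the duplicates first."
}

if ($existing.Count -eq 0) {
    $params = @{
        DisplayName                   = $groupName
        Description                   = 'Devices enrolled with the Shared iPad enrollment profile'
        MailEnabled                   = $false
        MailNickname                  = 'shared-ipad-devices'   # hypothetical
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
}
else {
    $group = $existing[0]
    if ($group.GroupTypes -notcontains 'DynamicMembership') {
        Write-Warning "'$groupName' exists but is not a dynamic group."
    }
    elseif ($group.MembershipRule -ne $rule) {
        # A drifted rule changes which devices receive the restriction profiles.
        Write-Warning "'$groupName' uses a different rule: $($group.MembershipRule)"
    }
}

# Dynamic membership is evaluated asynchronously, so a new group starts empty.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```

Assign the device restriction profile and required apps to this group only after the member list shows the expected iPads, since a device that falls outside the rule receives none of them.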

End User Experience


When the iPad is powered on, users will be greeted with a hello screen and prompted to connect to a wireless network, which is necessary to receive the remote management profile. After the iPad is enrolled, users can sign in to the device using their federated account. If they prefer to use a Guest account, they can select the Guest User option from the bottom corner. Once the user is finished with the device, they can sign out, which will save their data on the device.



After the device is fully enrolled, the admin can view it in the Intune admin center, where it is indicated as shared under Enrolled by.


Recognized Limitations


  1. Settings and system apps that are disabled: With a Shared iPad, only a select few settings and system apps are accessible. To learn more about the settings and apps that are not available, refer to Use Shared iPad with Managed Apple IDs.

  2. App Store installations are disabled: While the App Store is accessible by default on Shared iPad, users are unable to install apps from it. To prevent user confusion, we suggest disabling the App Store through an Intune configuration profile.

  3. The shared iPad does not support the Intune Company Portal app or the Intune Company Portal website.

  4. App assignment criteria: You need to assign apps as required to device groups. Apps marked as available are not compatible with Shared iPad.

  5. Shared iPad passcodes must be eight alphanumeric characters and can't be changed in Apple Business Manager. Intune device configuration settings for passcode complexity don't apply. An MDM administrator can set the grace period for unlocking without a passcode.

  6. Unsupported policies: Shared iPad does not support Intune's app-based/device-based Conditional Access, app protection, and compliance policies.

  7. Email profile not compatible: Shared iPad does not support email profiles. Assigning an email profile to a Shared iPad device results in an error.

  8. User-assigned policies don't appear in reports: Intune doesn't report device or user status for Shared iPad apps and profiles assigned to Microsoft Entra user groups.

  9. The Microsoft Entra federation requirement isn't enforced. If a Managed Apple ID matches the Microsoft Entra UPN and the user has an applicable device configuration profile, the profile applies when they sign in to a shared iPad with their Managed Apple ID.


Conclusion


In summary, shared iPads offer a flexible and economical option for educational and business settings. They allow several users to utilize a single device while keeping their data and preferences intact, thereby boosting collaboration, simplifying processes, and providing a more personalized user experience. As we further investigate the possibilities of shared technology across different environments, it becomes evident that effectively configuring and managing shared iPads can provide substantial advantages for all users.
