By using the Shared iPad for Business profile, an iPad can be used by multiple users. Users must sign in to the Shared iPad using a managed Apple ID. A local account is created for each user that signs into the Shared iPad. This is synced with the user’s iCloud and is password protected. There is also a guest account that is used to create a temporary user session. Unlike a managed user account, when you log out of the guest account, the session data is deleted.
Accounts Setup
When signing in for the first time, the user must enter the Managed Apple ID password (manually created account) or create a Shared iPad passcode (federated account). Which one applies depends on how the account was created in Apple Business Manager. Next, the language and location must be set.
Storage
By default, when configuring a Shared iPad in Intune, a maximum of 10 cached users is set. When the device is configured, 10GB is reserved for the system and, depending on the storage of the device, 8GB (32GB) or 16GB (64GB or more) is reserved for apps and media. The remaining storage is divided among the defined number of users, with a minimum of 1GB (32GB) or 2GB (64GB or more) per user.
For example, if you configure 5 users on a 32GB and 128GB iPad
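The storage rules above, worked through for the 5-user case and a few other settings, as an added example that is not part of the original post. It uses nominal capacities as the page does; the function and field names are made up for illustration, and because the page does not say how the device behaves when a user's share falls below the minimum, the code only flags that case.

```python
from dataclasses import dataclass

SYSTEM_RESERVED_GB = 10  # reserved for the system on every Shared iPad


@dataclass(frozen=True)
class UserQuota:
    capacity_gb: int
    cached_users: int
    per_user_gb: float         # remaining storage split evenly across users
    minimum_gb: int            # per-user minimum for this capacity tier
    meets_minimum: bool
    max_users_at_minimum: int  # most users that still get the minimum


def shared_ipad_quota(capacity_gb: int, cached_users: int = 10) -> UserQuota:
    """Apply the page's storage rules; default is Intune's 10 cached users."""
    if capacity_gb < 32:
        raise ValueError("the page only gives rules for 32GB and 64GB or more")
    if cached_users < 1:
        raise ValueError("at least one cached user is required")
    # 32GB tier: 8GB apps/media, 1GB minimum. 64GB or more: 16GB and 2GB.
    # Assumption: anything below 64GB is treated as the 32GB tier.
    apps_media_gb, minimum_gb = (16, 2) if capacity_gb >= 64 else (8, 1)
    remaining_gb = capacity_gb - SYSTEM_RESERVED_GB - apps_media_gb
    return UserQuota(
        capacity_gb=capacity_gb,
        cached_users=cached_users,
        per_user_gb=round(remaining_gb / cached_users, 2),
        minimum_gb=minimum_gb,
        meets_minimum=remaining_gb >= minimum_gb * cached_users,
        max_users_at_minimum=remaining_gb // minimum_gb,
    )


if __name__ == "__main__":
    # Constructed fleet: (nominal capacity in GB, "Maximum cached users")
    for capacity, users in [(32, 5), (128, 5), (32, 10), (32, 20), (64, 10)]:
        q = shared_ipad_quota(capacity, users)
        flag = "ok" if q.meets_minimum else "BELOW MINIMUM"
        print(f"{capacity:>3}GB, {users:>2} users: {q.per_user_gb}GB each "
              f"(min {q.minimum_gb}GB, max {q.max_users_at_minimum} users) {flag}")
```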
Create Enrollment profile
Before you can configure the Shared iPad enrollment profile in Intune, you will need to set up Automatic Device Enrollment. I wrote a blog about this a few months ago that you can find here. I have also configured Federated Authentication in Apple Business Manager (More info here).
1. Log in to the MEM admin center and go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here. Select “Enrollment program tokens”.
2. Select the Enrollment token you want to use for the shared profile by clicking on the name.
3. Select “Profiles” and press “+ Create profile” -> “iOS/iPadOS” to create a new enrollment profile.
4. Enter a Name and (optional) Description. Press “Next” to continue.
5. Set up the Management Settings. In this step you can adjust the management options and also set the “Maximum cached users” (see Storage). I will be using the settings in the table. Press “Next” to continue.

| Setting | Value |
| --- | --- |
| User affinity | No |
| Supervised | Yes |
| Locked enrollment | Yes |
| Shared iPad | Yes |
| Maximum cached users | 10 |
| Sync with computers | Allow all |
| Apply device name template | No |
6. Enter a Department and Department Phone. I hide all the settings so the user is not bothered by them. Press “Next” to continue.
7. Review your settings and press “Create” to create the new enrollment profile.
8. Assign the profile to a synced device from Apple Business Manager. Select “Devices” and mark the device you want to assign the new profile to. Press “Assign profile” and select the new “Shared iPad profile”. To finish the assignment, press “Assign”.
9. For the Shared iPad profile to work, it’s not necessary to add any Configuration profiles or Applications. You might still want to add them to restrict the device or do some additional setup.
Demo Shared iPad Intune
After you turn the device on, a few steps need to be performed by the end user before the device can be used. You will need to set up language, region and network. In this demo I am using a federated Apple Business Manager; these steps are different for a non-federated Apple Business Manager.
10. After these initial steps you will receive a notification that the device is remotely managed. Press “Next” to continue. It will take some minutes and the device will reboot.
11. Once the device has rebooted the Shared iPad is ready for use. Users can add their profile by entering their managed Apple ID and pressing “Sign in”.
12. Because the Apple Business Manager is federated with Azure the user will be redirected to https://login.microsoftonline.com for authentication. Press “Continue” to go to the authentication page.
13. Enter the password and press “Sign in”.
14. A cached profile for the user will be created on the iPad. This will take some time.
15. The user will get a question to select the language used for his/her profile. This language setting only applies to this user. Other users may use a different language.
16. Just as with the language, the user now needs to select the country or region.
17. Review the settings and press “Continue”.
18. The final setting is to create an iPad passcode. This is the password Tim will need to enter to use his profile. The passcode is saved online and can be reset in Apple Business Manager.
19. Tim’s start screen will be shown and the profile is ready for use. In the top left of the screen you can see which user is currently logged in. In this case
20. By pressing the power button you will see the lock screen.
21. Recent users
Guest Access
22. By pressing “Guest user”, somebody without an account can log in. The data within the session will not be saved after signing out.
Shared iPad users
23. Sign in with a user who has already used a Shared iPad.
24. Instead of being redirected to https://login.microsoftonline.com for authentication, you will be asked to enter the Shared iPad passcode (only for federated users).
25. The language and location will be loaded from their profile and a cached profile for the user will be created on the iPad.
Hi Aad,
I am going through this now with a client and he swears he never set up a shared iPad, yet he is being prompted for a passcode during the enrollment process.
He does not know the passcode, any ideas?
Hi Rah,
At which step is the client getting prompted for a passcode?
Did he/she remove the device from the Apple ID before doing a factory reset? It could be the passcode belongs to the Apple ID which was used previously on the device.
regards, Aad
Hello, I tried to do this and I have followed all your steps above and the device after pulling the remote management profile immediately goes to Microsoft Sign in prompt. Is there some specific licensing that needs added to get the “Shared iPad” device to auto enroll?
Hi, if using for a pure Guest mode (not federated as it is not strictly a requirement), is an Apple ID and passcode still enforced? Thanks
Hi,
Thanks for the detailed elaboration! Really Useful and beneficial.
Quick Question:
If there are multiple users who want to login with their Managed Apple IDs and need to access LOB Applications, how can they be accessible? We have such apps deployed once the device is enrolled in Intune, then LOB apps are available in Intune Company Portal app to install. Does this mean every user will have their own Intune Profile when they login with their Apple ID into Shared iPad? As users also want to access Outlook to check their emails.
Hi Ako,
You should assign applications on a shared device to the device and not to the user. So you should assign the LOB apps to the device. Each user who logs in to the device will have their own profile. This prevents them from seeing other users’ information.
Hope this answers your questions.
regards, Aad