Guide for Apple IT: Shared iPad for Business

Posted on May 18, 2020

As of iPadOS 13.4, Apple has introduced a great new feature for enterprises: Shared iPad for business. Previously only available in Apple School Manager, iPadOS now supports Shared iPad using Managed Apple IDs from Apple Business Manager. Leveraging Shared iPad will make it easier for enterprises to create efficient and secure shared-device environments for their employees.

In this article, we’re going to take a look at what Shared iPad is and what it means for businesses that want to take advantage of it. Here’s a quick overview of what we’ll cover:

  • What is Shared iPad?
  • Who Should Use It?
  • History of Shared iPad
  • How to Deploy Shared iPad for Business

 

What is Shared iPad?

Shared iPad is a fantastic new feature that gives businesses a true multi-user experience for company-owned iPad devices. This is the first time a native Apple solution has been released for sharing iOS devices in enterprises, and it has big implications for mobile device management (MDM) and IT moving forward. What makes Shared iPad for business possible is its integration with Apple Business Manager, your MDM solution, and Managed Apple IDs (for more information on these, see our guide to Managed Apple ID for Business).

What Does it Look Like for End Users?

Essentially, the process looks like this: when a user signs into a device with Shared iPad (we’ll cover how using Managed Apple ID for business comes into play here later), iPadOS gives them their own partitioned section of the device’s storage space, and their Managed Apple ID stores their data in iCloud, allowing the end user to have a seamless experience on any device they log in to.

The device also communicates with the MDM solution that it’s enrolled in to configure the device and app settings accordingly. When the user logs out, their information becomes inaccessible to any other users and will not be recalled until they enter their credentials again. This is made possible by the built-in data separation that we just mentioned, which assigns every user of the shared iPad their own partition of the disk, each encrypted with a different password created by the user.

Who Should Use Shared iPad?

Previously, businesses that used Apple devices and wanted to set up a shared device environment had to rely on third-party solutions, as we’ll discuss later. With the release of Shared iPad for business, they can now easily share devices among multiple employees – quickly and securely.

This means there’s really no shortage of applications for Shared iPad for business. From nurses sharing devices throughout their shifts to teams in retail, logistics, and distribution taking advantage of the new feature, Shared iPad is a big step forward in terms of streamlining and securing shared devices.

 

History of Shared iPad

Before Shared iPad for business became available, it was introduced as part of Apple School Manager in iOS 9.3. This feature greatly simplified how iPad devices were deployed by education customers, and how they were used by students and staff, by combining iCloud services and Managed Apple IDs from Apple School Manager to store and recall student data.

This makes it possible to share an iPad among multiple students, recalling relevant user information whenever the correct login credentials are typed in. Shared iPad is a form of a shared-use deployment, which is one of two common deployment styles:

  • Shared-Use: The shared-use deployment option is best suited for environments in which devices will be shared between students (such as in a classroom, a lab, or a library). This requires a system that will store student information separately and allow each student to quickly access their information on the device.
  • One-to-One: The one-to-one deployment is best suited for environments in which all users will receive their own devices (for instance, if a school purchases iPad devices for a particular grade level, a department, an entire school district, or a university).

These deployment methods aren’t mutually exclusive – schools can use a mix of both to create a deployment strategy that works best for their specific needs. For instance, a K–8 school could create a shared-use environment for kindergarteners through fourth graders, and then implement a one-to-one environment for fifth through eighth grade.

[Figure: Shared iPad in education. Image source: support.apple.com]

Using Shared iPad in the classroom is a cost-effective way to give multiple students access to the same devices – while still personalizing their learning experiences. Shared iPad can now deliver the same personalized experience on a set of shared devices in both education and business settings.

Shared iPad for Business

After Apple’s most recent update, businesses that use Apple Business Manager and an MDM solution can take advantage of Shared iPad, which is a big step up from previous solutions.

Before Shared iPad for business was supported, businesses that wanted to share devices among their employees had to rely on custom workflows for resetting the devices between uses, or third-party programs that could work with an MDM to quickly provision a device for a user. While these workflows and solutions can authenticate users and deliver relevant data to the device, they just can’t provide a user experience that’s as smooth and secure as a native solution.

That’s where Shared iPad comes in. Leveraging Apple Business Manager and Managed Apple IDs, Shared iPad lets employees easily continue their work on multiple devices. Unlike previous solutions, this feature also includes encrypted data separation and syncs information from iCloud, giving users a seamless experience while keeping their information secure.

 

How to Deploy Shared iPad for Business

In this section, we’re going to discuss some of the requirements to use Shared iPad, a few best practices regarding user limits, a note on Apple ID management for business, and a step-by-step guide to deploy Shared iPad using Kandji.

Shared iPad Requirements

Before you deploy Shared iPad, you need to make sure that you meet the requirements. Here’s what you need:

  • Eligible Apple devices: Shared iPad for business is supported on iPad mini (4th generation or later), iPad Air 2 (or later), iPad (5th generation or later), and iPad Pro. All devices must have at least 32 GB of storage, and they must be enrolled via Automated Device Enrollment (learn more in our device enrollment guide).
  • Apple Business Manager: In order to enroll your iPad devices via Automated Device Enrollment, you will need to ensure your devices are available to you in Apple Business Manager. If you or your reseller haven't done this yet, you can use this method. This requires using a clean device, so you’ll have to reset your iPad.
  • Managed Apple ID: Each Shared iPad user will be associated with a Managed Apple ID for business. As we’ll talk about later, if your Apple Business Manager instance is federated with Azure Active Directory (Azure AD), then a Managed Apple ID will be created automatically when your end user signs in for the first time. You can also read our guide on Apple’s new requirement to verify Managed Apple ID domains.
  • MDM solution: You’ll need an MDM solution that’s built for Apple devices, and that supports Shared iPad. Our MDM, Kandji, makes it simple to enable Shared iPad on your devices as well as take additional actions like remotely logging someone out of a Shared iPad.

[Screenshot: remotely logging a user out of a Shared iPad from the MDM]

Optimal Number of Users

While setting up Shared iPad using your MDM solution, you’ll have to set a maximum number of local users that each device can support before they are offloaded. The optimal number will depend on your use case and device. We’ll explain why below; for now, just know that it’s important to keep this number as low as possible. This will give your users the maximum amount of storage, minimize iCloud communications, and achieve a faster sign-in experience.

Once you enable Shared iPad, a minimum amount of system space for the operating system and apps will be reserved. The remaining space will be evenly distributed to the maximum number of users that you’ve specified. Below, you can see a visual example of how a configuration of five maximum users would be partitioned. 

Once the maximum number of local users is reached, the user that has not logged in for the longest amount of time will be removed, allowing the current user to log in.

[Figure: Shared iPad storage partitioning and usage. Image source: help.apple.com]
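To make the trade-off concrete, the sketch below replays a sign-in roster against the partitioning and removal rules just described and reports the per-user quota, the users that get removed, and how many sign-ins have to pull data over the network. It is an added example, not Apple's or Kandji's code; the reserved-space figure, the 32 GB capacity, and the roster are assumptions to replace with your own values.

```python
from collections import OrderedDict

# Assumption: the article gives no figure for the space reserved for iPadOS and
# apps, so RESERVED_GB is a placeholder to replace with a measured value.
RESERVED_GB = 10
# Constructed sign-in order for one shared device (not from the article).
ROSTER = ["ana", "ben", "cy", "ana", "dee", "ben", "eli", "ana", "cy"]


def per_user_quota_gb(capacity_gb, max_users, reserved_gb=RESERVED_GB):
    """Space left after the system reservation, split evenly per user slot."""
    return (capacity_gb - reserved_gb) / max_users


def replay_sign_ins(sign_ins, max_users):
    """Replay sign-ins; return (evicted users in order, cold sign-in count)."""
    resident = OrderedDict()  # least recently signed-in user first
    evicted, cold = [], 0
    for user in sign_ins:
        if user in resident:
            resident.move_to_end(user)  # still cached: fast sign-in
            continue
        cold += 1  # data must be pulled from iCloud or a content cache
        if len(resident) >= max_users:
            oldest, _ = resident.popitem(last=False)
            evicted.append(oldest)
        resident[user] = True
    return evicted, cold


def smallest_limit_without_eviction(sign_ins, ceiling=32):
    """Lowest max-user setting for which this roster never evicts anyone."""
    for limit in range(1, ceiling + 1):
        if not replay_sign_ins(sign_ins, limit)[0]:
            return limit
    return None


if __name__ == "__main__":
    for limit in (3, 5):
        evicted, cold = replay_sign_ins(ROSTER, limit)
        quota = per_user_quota_gb(32, limit)
        print(f"max_users={limit}: {quota:.1f} GB/user, "
              f"{cold} cold sign-ins, evicted={evicted}")
```

Feeding it a real roster for one device shows the lowest user limit that avoids repeated removal and re-download for the same people.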

Creating Managed Apple IDs for Users

The release of Shared iPad for business has left many IT administrators wondering if they’ll have to manually create Managed Apple IDs for each user. The answer to this question depends on your Apple Business Manager configuration:

  • Federated with Azure AD: If your Apple Business Manager instance is federated with Azure AD, then your users can simply type in their email address on any Shared iPad. After this, they will be directed to sign in with Microsoft (or whatever identity provider your Azure AD points to). Once authenticated, a Managed Apple ID will be created, and the user will be asked to create a Shared iPad Password. This is the best method in terms of streamlining Apple ID management for business.
  • Not Federated with Azure AD: If your Apple Business Manager instance is not federated with Azure AD, then you will have to manually create and distribute Managed Apple IDs from Apple Business Manager. This will have to be done for each user who will interact with iPad devices with Shared iPad enabled.

As you can see, the most streamlined Shared iPad environment will be accomplished with an instance of Apple Business Manager that’s federated with Azure AD. We should note that the base tier of Azure AD is free, and it can be easily federated to other identity providers or directory services (such as on-premises AD, OneLogin, or Okta), meaning your users can authenticate against the provider you already use. For more information, see Apple’s support article on federation.

How to Set Up Shared iPad for Business

If you’re using Kandji, setting up Shared iPad is as simple as enabling a new Auto Enroll configuration from the Library and choosing the maximum number of users allowed on that iPad.

[Screenshot: Kandji Shared iPad setting for the maximum number of users]

After you enable Shared iPad in your MDM solution, you will need to reset and enroll your iPad devices via Automated Device Enrollment (formerly DEP). Once enrolled, your iPad devices will restart and Shared iPad will be enabled. Once Shared iPad is configured in your MDM, all Setup Assistant screens that would normally appear after activation are automatically skipped during the enrollment process. It’s important to note that the only way to remove a device from Shared iPad is to erase the device.

You should also consider whether or not your Shared iPad devices should allow Guest users (also called Temporary User Sessions). In iPadOS 13.4 or later, users can begin a temporary session by tapping Guest at the login screen – without entering login credentials. After a Temporary User Session is ended by logging out, all of the user’s data is deleted. Shared iPad for business supports this functionality, letting you easily log in to a device to perform a quick task. This is a great fit for devices in, for instance, a conference room where employees can freely pick them up and use them.

However, this may not be ideal in business environments where iPad devices are connected to secure networks. This could leave network resources open to compromise, as untrusted users could gain access to intranet resources by logging in as the Guest user (for instance, in a retail setting where an iPad is connected to a secure network with access to a program such as SAP). In cases like these, the ability to start a Temporary User Session can easily be disabled via a Restrictions Profile option, as shown below:

[Screenshot: Restrictions Profile option to disallow the Guest user on Shared iPad]
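Before devices go onto a sensitive network, it is worth confirming that the exported profile really turns Temporary Sessions off, since the restriction defaults to allowed when the key is absent. The check below is an added example, not Kandji's or Apple's code; it assumes an unsigned profile that uses Apple's `com.apple.applicationaccess` Restrictions payload and its `allowSharedDeviceTemporarySession` key, and the sample profile is constructed and trimmed to the relevant keys.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
GUEST_KEY = "allowSharedDeviceTemporarySession"

# Constructed sample (not from the article): a Restrictions payload that never
# mentions the guest key, so Temporary Sessions stay at the default (allowed).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.sharedipad</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.sharedipad.restrictions</string>
      <key>allowCamera</key><true/>
    </dict>
  </array>
</dict>
</plist>"""


def guest_sessions_blocked(profile_bytes):
    """True only if a Restrictions payload explicitly sets the key to false."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if payload.get(GUEST_KEY) is False:  # a missing key means allowed
            return True
    return False


def with_guest_disabled(profile_bytes):
    """Return the profile with the key set to false in each Restrictions payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            payload[GUEST_KEY] = False
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("before:", guest_sessions_blocked(SAMPLE_PROFILE))
    print("after: ", guest_sessions_blocked(with_guest_disabled(SAMPLE_PROFILE)))
```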

Shared iPad and Content Caching 

Because Shared iPad involves synchronizing data with iCloud, it needs to leverage different forms of caching to maintain a smooth sign-in experience for users. If content caching is enabled in your network, Shared iPad can download a copy of a user's data from a local content caching device, rather than having to retrieve it from iCloud every time. This ensures that the multi-user experience is as efficient as possible.

This is accomplished by caching locally, synchronizing with iCloud, and leveraging in-network content caching:

  • Local Caching: Shared iPad caches users locally on the iPad. If you use Kandji as your mobile device management (MDM) solution, you can set the maximum number of users that can be cached in your Auto-Enroll Profile. Note that, once the device is set up, this cannot be changed – to make changes, you must modify the Auto-Enroll profile and then reset/enroll the iPad.
  • Content Caching on macOS: Shared iPad also caches user data to iCloud. macOS content caching devices can be leveraged in your network to improve network performance and achieve a faster sign-in experience for users signing in to a device for the first time. Any macOS device (as long as it’s capable of running the latest version of macOS) can be configured as a content caching device. It is important that your network and cache are configured correctly to support this; please reach out to Kandji or AppleCare Enterprise support with any questions on configuration. You can learn more about content caching on macOS in Apple's support article.

 

Apple’s decision to support Shared iPad for business is an exciting development that has a lot of implications for enterprises that could benefit from a shared-device environment. Here at Kandji, we’ve already made it easy to enable and configure Shared iPad, and we look forward to building out even more powerful capabilities for shared-device environments. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.
