In this blog i will take you through the steps to configure Apple Shared iPad for Apple Business Manager in Workspace ONE UEM
In this video Joris and i will take you through the Apple Business Manager story in the NLVMUG last year: (Dutch only)
A little introduction about Shared iPad for Apple Business Manager:
Shared iPad is a technology that is integrated into iPadOS to allow multiple users to use the same iPad. With the use of Managed Apple ID a user can login to an iPad and it will download their settings and application data from iCloud. After logout the application data will be stored on the device for later use and faster login:
Apple created this technology years ago exclusively for education with Apple School Manager. This meant that the Shared iPad technology was only available to Schools and Universities.
March 2020 this changed as Apple introduced Shared iPad for Apple Business Manager with the release of iPadOS 13.4. This means that now every organization can implement this technology. To use Shared iPad there are a couple of requirements:
- iPadOS 13.4
- Apple School Manager or Apple Business Manager
- Automated Device Enrollment configured (DEP)
- Apps and Books integrated (VPP)
- Supported MDM tool for example Workspace ONE UEM
- Managed Apple ID’s (part of Apple School or Apple Business Manager)
- A Supervised iPad either purchased through a certified Apple reseller or with Apple Configurator
Configuration of Shared iPad in Workspace ONE UEM
To configure Shared iPad you will need to go through some steps in Workspace ONE UEM. I will walk you through them
Configure DEP Profile to assign to your iPad
Assign iPad to DEP Profile
Erase and enroll iPad.
Login with Managed Apple
Step 1: Configuration in Workspace ONE UEM
Login to your Workspace ONE UEM tenant and navigate to Groups and Settings -> Devices & Users -> Apple -> Device Enrollment Program:
Make sure your token is still valid. If not, go through the renewal process before proceeding.
Click on Add Profile to create a new DEP profile
Turn the Authentication Off and choose in Staging Mode for Multi User Device
For the Staging User, you can either use the Default Staging User or create a new Basic User and assign that user here. In this example I use the Default Staging User.
Go through the rest of the profile options to configure how the Setup Assistant experience will look like.
Enabling Shared Devices option will make the iPad enroll in to Shared iPad mode and will prompt the user for a Managed Apple ID:
Organization Group assignment
To change the Organization Group the device will move to after a users enrolls, you can edit those settings in: All Settings -> Devices & Users -> General -> Shared Device. Keep in mind that with Shared iPad for Apple Business Manager there is no option to prompt the user for Organization Group.
Step 2: Managed Apple ID and enrollment user
For the user to sign in the iPad, a Managed Apple ID is required. This Apple ID is created in Apple Business Manager under People -> Accounts
For the creation of Managed Apple ID you have 2 options: Create them Manual or use Azure Active Directory Federation/SCIM import.
Azure AD Federation
If you want to go with Azure AD federation, keep in mind that a specific domain needs to be federated like; fondo.nl and all the current existing Apple ID’s on that domain should be changed to something different. For example if john.appleseed@fondo.nl is already in use on your domain, it cannot be used for a Managed Apple ID. Apple can send a 60 day notice to the owner of the Apple ID and ask the user to change the Apple ID to something different. If the user did not change it within the 60 days, Apple can automatically change it to a temporary username.
In this example i will use a manual created Managed Apple ID for the domain fondo.nl:
Use the Reset Password button to create a password for the user. ( the user will need to change it the first time it logs in )
Back in Workspace ONE UEM, you can change the behaviour of Managed Apple ID’s. Go to: Settings -> Devices & Users -> Apple -> Managed Apple ID.
For example if you have federated to Azure Active Directory and the format of the Apple ID is not the same as email.
You can change the format of the Managed Apple ID’s. In this example i will leave the settings default:
Create user in Workspace ONE
You should also create the same user in Workspace ONE UEM, either through a directory like AD or create a local account. The iPad will be assigned to the same user in Workspace ONE UEM after they login to the iPad. For example: i created a user John Appleseed. After John Appleseed login to the iPad it will automatically be assigned to the same user in UEM. Make sure the email address of the user is the same as the Managed Apple ID of the user.
Step 3: Assign and enroll iPad
After the configuration in both UEM and Apple Business Manager is complete. The iPad needs to be assigned to the profile in UEM and reset to default settings. Go to Devices, Lifecycle -> Enrollment Status:
Make sure you sync your iPad from Apple Business Manager with Add -> Sync Devices
After the iPad is available in the console, you can assign the DEP profile you have created in step 1.
To make the profile active on the iPad, you need to reset it to factory default. If the device is already enrolled you can do this by doing an Device Wipe in the console, otherwise go to the settings on the iPad and reset the device.
After the iPad has rebooted, walk through the Setup Assistant steps until you reach the login screen:
Login with your Managed Apple ID: john.appleseed@fondo.nl and the iPad will be enrolled and assigned to the user in UEM.
Important Notes:
After enrolling the iPad you can see a couple of limitations looking at the device settings. Settings like cellular, background etc are not available on Shared iPad at this moment. Apple is constantly developing implementing new features for Shared iPad, but before implementing take a look at the Apple and VMware Article’s for more detailed information:
Apple Support Article
Workspace ONE Documentation
Comments
Post a Comment