Shared iPad devices with Apple Business Manager

If you have an Apple Business Manager account loaded in Core, you can enable Shared iPad devices between multiple employees. This allows organizations to share devices between multiple employees. Employees can sign in using a Managed Apple ID and access their custom profile with Mail accounts, files, app data, etc. The data is stored in iCloud, allowing the employee to log into any Shared iPad.

A sample case study for using Shared iPad devices for Apple Business Manager is in the healthcare industry, where a doctor and nurses can share one device.

Administrators of Shared iPad devices can manually create accounts, Managed Apple IDs and passwords and federate to an identity provider like Azure Active Directory.

If the Administrator installs an app for Shared iPad devices, all users will have that app. Apps for Shared iPad devices are loaded through registration for Apple-licensed apps. The Send Installation Request on device registration or sign in check box in the App Catalog must selected.

Requirements for Shared iPad devices for Apple Business Manager

Below are the requirements for enabling Shared iPad devices:

An Apple Business Manager account
Managed Apple ID - Managed Apple ID to be associated with each enrolled device. This Managed Apple ID provides authentication for MDM management and app licensing. When the MDM pushes down apps and media, necessary Apple licenses are assigned to the Managed Apple ID associated with the device. Admins can manually create these accounts or federate to an identity provider like Azure Active Directory.

Shared iPad devices must have at least 32 GB of storage and be supervised.

Enabling Shared iPad devices for Apple Business Manager

There is only one step for enabling Shared iPad devices:

Add an Enrollment Profile and set the sessions for Shared iPad devices. See Creating an Apple Enrollment profile for Apple Business Manager

Shared iPad supported configurations

Below are the supported configurations. If these configurations are to be pushed per Shared iPad device user, then you need to create or edit existing configurations to have $MANAGED_APPLE_ID$. You should have already created Managed Apple ID in Apple Business Manager for each Shared iPad device user and also created a separate account for each of the below configurations.
- CalDAV
- CardDAV
- Google Account
- Subscribed Calendars
- Exchange
- Email
- Managed App Configuration
$MANAGED_APPLE_ID$ is also used in a user enrollment scenario, not to be confused with the Shared iPad device scenario.
For more information, see:

If you are creating new configurations, add label support for Shared iPad devices. See Managing Labels in Getting Started with Core.
MANAGED_APPLE_ID is the only substitution variable that changes in iPad sharing when a device user logs in. (Other device substitution variables can still be used, but it does not denote a device user) If you updated any configurations with user substitution variable $MANAGED_APPLE_ID$, push the configuration. The user substitution will only push on the user channel for Shared iPad devices.
Once the Shared iPad device user logs in, the Shared iPad settings display in the Device Details page. You can also search on specific Shared iPad fields, see Advanced searching for more information.

Creating an Apple Enrollment profile for Apple Business Manager

Apple Device Enrollment profiles allow you to apply a set of mobile device management (MDM) features to the devices assigned to a given Apple deployment program account. There is no limit to the number of Device Enrollment profiles, however, you can assign only one default enrollment profile per Apple School Manager account.

"Apple deployment program" means either Apple Business Manager or Apple School Manager.

The Apple Device Enrollment profile allows you to specify:

Account details, such as the department of the organization to which the Apple deployment program account is assigned, and the phone number device users may call for support
The default profile, indicating whether the enrollment profile is automatically assigned to all devices in the Apple deployment program account
MDM features, such as enabling supervision, requiring MDM enrollment, shared iPad, and allowing devices to pair with a host
Setup options, such as whether device users are permitted to skip screens in the Setup Assistant
Certificates, such as anchor certificates (from which the chain of trust is derived) and pairing certificates (allowing the bearer of the certificate to pair with the device)
Enrollment options, such as whether to use anonymous, PIN-based enrollment

For tvOS, the Apple device enrollment profile does not get downloaded until AFTER the Wi-Fi is configured. It is advised you use ethernet for tvOS device enrollment.

Procedure

In the Admin Portal, go to Devices & Users > Apple Device Enrollment.
Select a Apple deployment program account, and then go to Actions > Add Enrollment Profile.
The Add Enrollment Profile dialog box opens.
Create or edit an enrollment profile.
Click Save.
If you have assigned the enrollment profile as the default for devices in your Apple deployment program account, the enrollment profile is tagged with a purple icon that reads Default.

Apple device enrollment profile settings

The following table describes the Apple device enrollment profile settings.

Table 15. Device enrollment profile

Item

Description

Profile Name

Enter a name for the device enrollment profile. Required.

Description

Enter a description of the device enrollment profile.

Department

Enter the name of the department associated with the account. Required.

Support Phone Number

Enter the support phone number for the Apple deployment program account. Required.

Default Enrollment Profile

Select to have all devices added to this account be automatically assigned to the default profile.

If you change the default profile for your Device Enrollment account, existing devices are not affected. This means devices that were previously assigned to the old default enrollment profile continue to be assigned to the old default enrollment profile.

Authentication Type

Password

Select to enable enrollment with a username and password. Device users enter their username and password when prompted.

Select to enable PIN-based enrollment. Core will prompt the device user to enter their username and a PIN.

To enable PIN-based enrollment for an individual device:

Go to Devices & Users > Devices.

Select Add > Single Device.

Search for the User.

Select the Device Platform. Choices are Android, iOS, macOS or Windows.

If you select iOS or macOS, the Include Registration PIN only for Apple Device Enrollment field activates. Select this check box.

Enter a username, operator, and mobile number (or select This devices has no phone number) for the device, as you normally would.

Make other selections for Device Ownership, Device Language, and User Notification.

Click Register.

To enable PIN-based enrollment for multiple Apple deployment program devices using bulk registration:

Create a CSV file containing the information you need to bulk register a number of devices.
Add the field Include DEP Only Registration Pin (TRUE or FALSE) to the CSV file, with a value of TRUE for all devices for which you want to enable anonymous Apple Device Enrollment.

For more information about single or bulk device registration in Core, see the following sections in Getting Started with Core.

“Single device registration”
“Registering multiple devices”
“Bulk device registration CSV file requirements”

Anonymous

Select to enable device enrollment without assigning a username and password during enrollment. After completing the Device Enrollment, the device will be in a signed-out state (with no user assigned).

Usernames will be assigned after devices are distributed, using the Secure Sign In web clip. For more information about the Secure Sign In web clip, see Multi-User Support.

You cannot use the Anonymous enrollment option on macOS devices.

Enable SAML

As part of DEP profile, the MDM server provides custom enrollment URL along with standard URL to get the MDM profile to Apple server. This URL can be used to enforce your own authentication model or to provide any other information.

Select this to support external IdP with DEP enrollment.

This feature is applicable for iOS 13.0 and macOS 10.15 devices or supported newer versions.

You must have SAML enabled. (See "Configuring SAML/IdP support" in the Core System Manager Guide.) If the IdP has not been configured properly, and is not reachable, the Enable SAML check box will not display.
Once set up for SAML on iReg or DEP devices, you will not be able to disable SAML from the System Manager. You must first de-select Enable SAML in the Device Registration page before you can disable the IdP SAML connection in the System Manager.

Custom Enrollment

Custom Enrollment URL

(iOS 13.0+ and macOS 10.15+) Create custom enrollment web page(s).

Specify your own custom web page (web view) to authenticate device users during Device Enrollment. Use this page to display custom information such as authentication type, branding, consent text, and privacy policy. See Adding a custom Automated Device Enrollment web page for more details.

Enter the URL, such as https://mycustomweburl.com. This URL defines the value of the custom URL to present to the device user in a web view.

MDM Options

Enable supervision

Select to allow Apple School Manager devices to be supervised. Supervision allows the use of additional device restrictions and configurations (For iOS 13+ and macOS 10.15+, Supervised mode will be selected by default).

In iOS 13+ and supported later versions, all devices using Apple Device Enrollment will be supervised and the iOS will ignore the is_supervised flag.

For more information about applying restrictions to supervised Apple devices, see iOS and tvOS restrictions settings.

Require MDM enrollment

Select to force users to apply the enrollment profile when Setup Assistant runs.

In iOS 13+ and supported newer versions, all Apple Device Enrollments are mandatory.

(For iOS 13+ & macOS 10.15+, selected by default).

Allow MDM profile removal

Select to allow device users to remove the device from device management. Supervision is required to disallow removal.

Allow pairing

Select to allow host pairing functions, such as iTunes synchronization. Pairing is always allowed for hosts that have valid pairing certificates (Not applicable for iOS 13+ & macOS 10.15+).

Enable Shared iPad (multi-user)

If this field is selected, you MUST also have the Await device configuration during Apple device enrollment field selected.
For Apple Business Manager, this is applicable to iOS 14.5 and later.

Only Apple-licensed apps are sent to Shared iPad devices through registration. This is set up by selecting the Send Installation Request on device registration or sign in option in the AppCatalog. For more information, see “Using the wizard to import iOS apps from the Apple App Store" in the Core Apps@Work Guide.

Be sure to also select the following settings: Enable supervision and Require MDM enrollment.

For Apple Business Manager, when this field is selected, new options display:

Allow Guest / Temporary Sessions Only - Guest / temporary shared iPad users to use the iPad, but the data in the guest's partition is deleted when the user logs out. The next guest that logs into the same iPad will start afresh.

When the Allow Guest / Temporary Sessions Only field is selected, only the Guest/Temporary Session Timeout (seconds) field displays. Enter the number of seconds into the field. If this field is left blank, the timeout will use the iPad's system defaults. If set to zero, there will be no timeout. Maximum limit is 1800 seconds.

If Allow Guest/Temporary Sessions Only is deselected, the following fields display:

Use Device Defaults - Select to set the session timeouts and let Apple figure out the Quota Size for you.
Set Maximum Resident Users - Set the number of users on the Shared iPad. Apple will then automatically allocate the quota space evenly between the number of users. 32 is the maximum number of users allowed on a shared iPad.

If the maximum resident users is set to five users on a Shared iPad, and a sixth user logs in, the data from the oldest user on the Shared iPad gets deleted.
Set Quota Size (MB) - The size allocated for the user's data on the Shared iPad. For example, on a 100 GB iPad with 10 users, then each user has 10 GB for that iPad.

Administrators need to choose either Set Max Residence User or Set Quota Size.
Guest/Temporary Session Only - If left blank, the timeout will use the iPad's system defaults. If set to zero, there will be no timeout. Maximum limit is 1800 seconds. Once the temporary session has ended (user logs out), the data is deleted from the iPad. Label to be used: Allow only Temporary Session.
User Session Timeout (seconds) - If left blank, the timeout will use the system defaults. If set to zero, there will be no timeout. Maximum limit is 1800 seconds. Label to be used: Set Timeout for User Session - Seconds.

Be sure to also select the following settings: Enable supervision and Require MDM enrollment.

Await device configuration during Apple device enrollment

Wait until policies and configurations are pushed to devices

Select to configure all iOS devices to be kept in the Setup Assistant until all policies and configurations have been pushed to the devices. This step is optional, but it can reduce support calls.

When registering a Apple School Manager device, the device will be held in the Setup Assistant screen until Core receives confirmation that the profiles and configurations for that device have been pushed to the device. The Apple School Manager device is then released from the Setup Assistant screen. Alternatively, the device is released from the Setup Assistant screen after the specified time limit has passed and Core has not received acknowledgment that the profiles and configurations have been pushed to the device.

If a Apple School Manager device checks in with Core, and Core detects this device is still awaiting its profiles and configurations, Core sends a command to release the Apple School Manager device from the Setup Assistant, if a command has not already been sent. This option applies to iOS devices only.

Time Limit (Minutes) - Enter the number of minutes for which you want to hold all iOS devices in the Setup Assistant. The default is 1 minute.

For macOS devices, selecting Await device configuration during Apple device setup has the effect of allowing account setup during the Apple Device Enrollment process.

Auto Advance Setup

Device will tell Setup Assistant to automatically advance through its screens (Applicable for tvOS and macOS 11.0 and later versions.)

Setup Options

Skip All Options (Applicable to iOS 13.0, macOS 10.14, and macOS 10.15 or supported newer versions. Default setting is disabled.)

Skip Location Services

Skip Restore from Backup

Skip Move from Android

Skip signing in to Apple ID and iCloud

Skip Terms and Conditions

Skip passcode creation

Skip Siri

Skip automatically sending diagnostic information

Skip Registration Screen (macOS only)

Skip Touch ID Setup

Skip Apple Pay Setup

Skip Zoom Setup

Skip FileVault Setup Assistant Screen (macOS only)

Skip DisplayTone Setup

Skip the Home Button screen

Skip iCloud Storage

Skip the Tap To Set Up option in AppleTV (tvOS only)

Skip the Aerial Screensavers Setup in AppleTV (tvOS only)

Skip on-boarding informational screens

Skip the screen for Apple Watch migration

Skip iCloud Analytics screen (macOS only)

Skip Apple TV home screen layout sync screen (tvOS only)

Skip the Apple TV provider sign in screen (tvOS only)

Skip the Where is this Apple TV? screen (tvOS only)

Skip the Privacy screen

Skip the iMessage and FaceTime screen

Skip the Screen Time screen (Applicable to macOS 10.15 or supported newer versions.)

Skip the Mandatory software update screen

Skip the Add cellular plan screen

Skip the Choose Your Look screen (Applicable to iOS 13.0 and macOS 10.14 or supported newer versions.)

Skip Express Language Setup pane (Applicable to iOS 13.0 or supported newer versions.)

Skip Preferred Language Order pane (Applicable to iOS 13.or supported newer versions.)

Skip Get Started pane(Applicable to iOS 13.0 or supported newer versions.)

Skip the Accessibility pane (Applicable to macOS 11.0 or supported newer versions.) If the Mac is connected to Ethernet and the Device Enrollment profile is downloaded, skips the Accessibility pane.

Skip the Restore Completed pane(Applicable to iOS 14.0 or supported newer versions.)

Skip the Software Update Complete pane (Applicable to iOS 14.0 or supported newer versions.)

Select the screens to be skipped when Setup Assistant runs on Apple School Manager or Apple Business Manager devices.

Note the following:

Selecting Skip signing in to Apple ID and iCloud auto-selects the Skip Apple Pay Setup option.
Selecting Skip passcode creation auto-selects the Skip Apple Pay Setup and Skip Touch ID Setup options.
Selecting Skip Touch ID Setup auto-selects the Skip Apple Pay Setup option.
Skip on-boarding informational screens - The information in this screen is used for user education, for example: Cover Sheet, Multitasking & Control Center.

You can choose to skip or enable as many screens as you like. Device users will be able to set up skipped features later.

Show custom text on the Login page

Select to show customized text on the login page when users log in to their Apple School Manager devices.

In the text field that appears when selecting this option, enter your customized text. You can enter up to 50 characters.

Anchor Certificates

Click Browse, to select an anchor certificate. Click Add to add an additional anchor certificate.

The anchor certificate allows the device to trust the connection to Core. This is the certificate from which the chain of trust is derived.

Certificate files must be in DER or PEM format.

Pairing Certificates

Click Browse, to select a pairing certificate. Click Add to add an additional pairing certificate. The pairing certificate allows the device to securely pair with a host possessing this certificate when Allow Pairing is disabled.

Certificate files must be in DER or PEM format.

macOS account creation

Users must enroll macOS devices in the Apple School Manager with an administrator account. You can prompt users to create an administrator account for themselves, or you can create an administrator account in Core, which Core then pushes to macOS Apple School Manager devices.

Prompt primary account setup to users

Select to prompt the device user to set up a primary account for the macOS Apple School Manager device.

You can prompt the user to create a regular account or an administrator account. If you prompt users to create a regular account, you will still need to create an administrator account for enrolling macOS devices in Apple School Manager. This is because device enrollment on macOS devices requires the use of an administrator account.

Regular user: The device user is prompted to create a regular user account. If you select this option, you must still create an administrator account for use on the Apple School Manager device in the Setup Managed macOS Admin Account section.
Admin user: The device user is prompted to create an administrator account to be used when enrolling the device in Device Enrollment. You can create an additional administrator account that Core synchronizes with Apple School Manager devices by selecting the Create a new admin user account option.

For macOS devices, be sure to select Await device configuration during DEP setup, as this option has the effect of allowing account setup during the Apple Device Enrollment process.

Skip primary account setup

Apple School Manager device user will not be prompted to setup an account when enrolling the device in Device Enrollment. You create an administrator account in Core instead, so that an administrator account exists on the device when the user enrolls in Device Enrollment.

Select to create a new user with administrator privileges for use when configuring the Apple School Manager device.

As there is no primary account that can be used as an admin user, you must create an admin user in the next section of this window.

Create a new admin user account

Select to enable the creation of an administrator account.

Device Enrollment on macOS devices requires the use of an administrator account.

Setup Managed macOS Admin Account

Username

Enter the username of the macOS device. This is the name that is displayed when logging on to the device.

The administrator account you create will be associated with the macOS device bearing this username.

Full Name

Enter the name of the macOS device as defined in macOS under Settings > Sharing > Computer Name.

The administrator account you create will be associated with the macOS device bearing this name.

Password

Enter a password for the administrator account and confirm it.

Hide managed administrator account in Users & Groups

Select this option to hide the administrator account from device users. When selecting Settings > Users & Groups on a macOS Apple School Manager device, the administrator account will be hidden from view.

Retiring Shared iPad devices

Wipe the device prior to retiring the device. Once you retire a device, the MDM profile is removed and the Admin cannot make remote MDM commands or changes. This leaves the Shared iPad without MDM and the device user cannot erase or reset the device since it's Shared iPad. If this happens, The only way to erase or reset the Shared iPad device once is to connect to Apple Configurator and select the Allow Erase All Content and Settings (supervised devices only) option.