I’m seeing more and more requests from organisations looking to test or implement Shared iPad for business. There are a number of reasons to look at Shared iPad but the most common theme I hear is that they want to offer a containerised secure experience, whilst still allowing an element of customisation. Over the last few weeks, I’ve been doing some testing and thought I’d note how to set it up using Workspace ONE.

Pre-Reqs

  • An MDM (Mobile Device Management) solution bound to ABM (Apple Business Manager) for the Device Enrollment Program and Volume Purchase Program.
  • Managed Apple IDs (either via Azure or created in ABM)
  • A supervised iPadOS 13.4+ device with 32GB of storage.
  • Workspace ONE console version 20.07+

This guide is written with the understanding that you have Azure AD, DEP, and VPP integrated already. If required, I’m happy to make a guide on how to integrate those solutions.
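A pre-flight check for the device prerequisites listed above (iPadOS 13.4+, 32GB of storage, supervised), run over a device inventory before assigning iPads to a Shared iPad profile. This is an added example, not part of the original post or of Workspace ONE: the CSV column names and the sample rows are constructed assumptions, not a Workspace ONE export format.

```python
import csv
import io

MIN_OS = (13, 4)        # iPadOS 13.4+ (from the prerequisites)
MIN_STORAGE_GB = 32     # 32GB of storage (from the prerequisites)

# Constructed sample inventory; column names are assumptions, not a real export format.
SAMPLE_CSV = """serial,os_version,capacity_gb,supervised
SAMPLE0001,13.4,32,true
SAMPLE0002,13.10.1,128,true
SAMPLE0003,13.3.1,64,true
SAMPLE0004,14.2,16,true
SAMPLE0005,15.0,64,false
SAMPLE0006,,32,true
"""

def parse_version(text):
    """Turn '13.10.1' into (13, 10, 1) so 13.10 sorts after 13.4; None if unparseable."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def check_device(row):
    """Return the list of unmet Shared iPad prerequisites for one inventory row."""
    problems = []
    version = parse_version(row.get("os_version") or "")
    if version is None:
        problems.append("OS version unknown")
    elif version < MIN_OS:
        problems.append("iPadOS below 13.4")
    try:
        if float(row.get("capacity_gb") or "") < MIN_STORAGE_GB:
            problems.append("less than 32GB storage")
    except ValueError:
        problems.append("storage unknown")
    if (row.get("supervised") or "").strip().lower() != "true":
        problems.append("not supervised")
    return problems

def audit(csv_text):
    """Map each serial to its unmet prerequisites (empty list means ready)."""
    return {r["serial"]: check_device(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for serial, problems in audit(SAMPLE_CSV).items():
        print(serial, "OK" if not problems else "; ".join(problems))
```

Versions are compared as integer tuples rather than strings or floats, so 13.10 is correctly treated as newer than 13.4, and a device with a blank OS version is flagged rather than silently passed.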

Apple Business Manager

Within your Apple Business Manager portal, you need to federate your Azure AD tenant. This is done under Settings > Accounts, in the Federated Authentication section, by following Apple’s instructions. There are caveats to this, so make sure you fully understand what you are doing before registering your company’s domain.

You can then validate your Managed Apple IDs from within the Accounts section.

You will also need to assign your iPads to the correct MDM Server within your ABM Settings page.

Workspace ONE – DEP Profile

Within your Workspace ONE tenant, you need to configure a DEP profile. To access this, navigate to All Settings > Devices and Users > Apple > Device Enrollment Program. Select Add Profile and create a new one with the following settings:


  • Custom Enrollment: Off
  • Authentication: Off
  • Staging Mode: Multi user device
  • Default Staging User: Staging user account
    • This is a Staging Account created within Workspace ONE under Accounts > Users. This could just be a Default Staging User requiring no action.
  • Shared Devices: Enabled

Once completed, under Devices > Lifecycle > Enrollment Status you’ll want to find your device and assign it to the newly made Profile.

Console configuration

Under Settings > Devices and Users > Apple > Managed Apple ID, make sure the setting is enabled with the correct Apple ID Format lookup value.

Applications

The best part about the design behind Shared iPad is that when a user logs in, all the data associated with that user is securely stored in their own partition. They will only see the apps which are assigned to them.

We will use Internal or VPP distribution for these applications, with Device Based Licenses synced across from your Apple Business Manager portal. This supports both Custom and Public applications.

When a user logs in for the first time, any application associated with them is installed; this is a one-time event. When the user logs out, the applications are hidden, and they are un-hidden on the user’s next successful login. This provides a secure container in which that user can access only the applications necessary to perform their role.

You will assign these out just as normal from within the Application > Purchased tab.

Profiles

Shared iPad in Workspace ONE currently uses the Device Channel, and Profiles can be assigned just like any other iOS payload. Profiles are deployed as the user logs in, so each time a user logs in a fresh profile is installed.

These can be found under Devices > Profiles and Resources > Profiles.

Testing

Turn on your iPad and connect it to a WiFi network. Once connected the Remote Management page will launch. Select Next and allow the Shared iPad profile to configure.

It’ll then ask you to Sign in with your Apple ID to continue. Here you’ll enter your Email Address and then be asked for your Passcode (note this will be your Azure password).

You’ll be logged in as your Managed Apple ID and all Workspace ONE Profiles and Applications will be deployed. Sign in to your Intelligent Hub and then check that your device shows the right user and is listed as a Shared iPad.

To sign out and log in with another user, lock the home screen and select Sign Out in the bottom right. This will then give you the option to add another User or select Guest mode if enabled.

To see this process in action, see the Shared iPad video from our Product team on the official VMware End-User Computing YouTube channel.

Any questions please reach out. I’ve had a lot of fun testing this functionality and I’m really glad to see adoption rising.

Some links to helpful documentation:

https://support.apple.com/en-gb/guide/mdm/cad7e2e0cf56/1/web/1

https://techzone.vmware.com/blog/what-are-shared-ipads-business

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/AppleBusinessManager/GUID-AWT-C-DEVICEENROLLMENT.html
