The concept of users sharing devices may seem familiar even for organizations just embarking on their digital workspace journey. However, outside of IT teams focusing on K-12 or Education users, there was no native Apple solution for preparing an iOS device to be used by multiple accounts in parallel. Apple built its devices on the notion of a single associated user, for both consumer and business use. But a plethora of vertical-specific use cases in the enterprise, especially in Healthcare, Retail and Financial Services, created a need for shared use of these devices.
Let’s do a quick review of existing solutions that help with shared device use cases:
Check In-Check Out with Workspace ONE Intelligent Hub: VMware Workspace ONE Intelligent Hub has helped organizations operate iPhones and iPads in a shared mode. Intelligent Hub authenticates the user (against Active Directory or via SAML) and then customizes the device through MDM APIs to deliver the right set of applications and configurations. On checkout, the Intelligent Hub application is locked in the foreground with a built-in workflow, ready for the next user to check in and use the device. For more information, see Shared Devices.
Imprivata (GroundControl): GroundControl has been a broadly used solution in the Healthcare and Retail space for quickly re-purposing devices for new users with a full-device wipe, and for subsequently allowing quick checkout of devices by scanning proximity-enabled badges.
These existing solutions suffice for the majority of needs today; however, a couple of limitations prevent them from being optimal:
Shared data storage: One of the biggest challenges with Check-In Check-Out with Hub is the concern of residual data carrying over from one user to another. Because app-level and system-level data cannot be wiped in a granular fashion, the degree of data separation that could be achieved was limited. GroundControl overcomes this challenge by efficiently performing a full device wipe and restoring the device to a usable state with the help of a physical connection to Macs running their LaunchPad solution. However, there has long been a need for a solution that offers native data separation between users without requiring a full-device wipe.
Disconnected experience: MDM can customize most of the apps and configurations for a particular user. However, when that user moves to a different shared device, application data doesn't always follow them from one device to the next. While certain apps may have built-in logic to sync data from previous sessions, it is up to each individual application to implement such workflows. The overall shared device experience was never a smooth handoff that restored the state of the previous session.
With iOS 13.4, Apple has officially released Shared iPads for Business. Through integration with Apple Business Manager and Managed Apple IDs, admins can onboard any supported iPad in a "shared" mode, which allows users to sign in with their Managed Apple IDs. Users see a personalized home screen experience until they log out, and the next user picks up the device to sign in and continue the process.
Shared iPad for Business is a new concept for many organizations, so this page is a guide to what to expect, why it is essential, and some items to consider when preparing your devices for Shared iPads. Stay tuned for more information on how to start testing Shared iPads for Business with a future version of VMware Workspace ONE® UEM in the coming weeks.
What are Shared iPads for Business?
Shared iPad for Business is a solution developed by Apple that uses MDM APIs to trigger a mode on supported devices which enforces a mandatory "sign in" step before the user can reach the device's home screen. This "sign in" is done with the user's Managed Apple ID, created in Apple Business Manager either automatically through federation with Azure Active Directory or manually (not recommended for production use).
When a user signs into a device, iOS (or iPadOS) gives that user a separate partition of the device's disk space to ensure their data is kept apart from all other users. MDM providers can be notified of this user sign-in and personalize the device for that user based on the settings the admin has configured. Any data saved by the user is captured to their Managed Apple ID iCloud storage, allowing them to sync this data on their next login.
This solution offers a native check-in/check-out experience with built-in security and integration with existing Apple Business Manager and Managed Apple ID technologies.
What is the End-User Experience for Shared iPads for Business?
Rather than read about the experience, you can watch the end-user experience in the following video.
What are the Prerequisites to Begin Using Shared iPads for Business?
There are a few requirements that must be met for organizations to adopt Shared iPads for Business. Review the following to ensure your Apple environment meets the upfront criteria.
Apple devices must be iPads with 32GB storage or higher
To provide each user with their secure storage partition, the iPad itself must have enough disk space to allow multiple users. Each user typically needs at least a few GBs to perform their day-to-day tasks. The greater the total device storage, the more users can be configured on a device simultaneously. Once maximum capacity is reached, the iPad automatically removes the oldest accounts by last login time to make room for the new user's data partition.
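The eviction behaviour just described (a full device drops the account with the oldest last-login time to make room for a new user's partition) matters for data retention planning, so here is a small model of it. This is an added illustration, not Apple's or VMware's code; the capacity figures and user names are constructed, and the model ignores the space the system itself consumes.

```python
from dataclasses import dataclass, field


@dataclass
class Partition:
    user: str
    size_gb: float
    last_login: int  # constructed monotonic timestamp (e.g. seconds)


@dataclass
class SharedIPad:
    """Toy model of per-user partitions on a Shared iPad (assumption: usable
    capacity only, no reservation for the OS or for shared system data)."""
    capacity_gb: float
    partitions: dict = field(default_factory=dict)

    def used_gb(self) -> float:
        return sum(p.size_gb for p in self.partitions.values())

    def resident_users(self) -> list[str]:
        # Most recently used first, which is the order the device keeps them.
        return [p.user for p in sorted(self.partitions.values(),
                                       key=lambda p: -p.last_login)]

    def sign_in(self, user: str, size_gb: float, now: int) -> list[str]:
        """Sign a user in and return the users whose partitions were removed.

        A returning user keeps their existing partition; only its last-login
        time is refreshed, so they move to the back of the eviction queue."""
        if size_gb > self.capacity_gb:
            raise ValueError("partition larger than the whole device")
        if user in self.partitions:
            self.partitions[user].last_login = now
            return []
        evicted = []
        while self.used_gb() + size_gb > self.capacity_gb:
            oldest = min(self.partitions.values(), key=lambda p: p.last_login)
            del self.partitions[oldest.user]   # that user's local data is gone
            evicted.append(oldest.user)
        self.partitions[user] = Partition(user, size_gb, now)
        return evicted
```

The data an evicted user had not yet synced to their Managed Apple ID iCloud storage does not survive on the device, which is the point to keep in mind when sizing storage for the expected number of concurrent users.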
Managed Apple IDs for sign in
When users sign into a Shared iPad, Apple must trust the authentication of the user. Apple achieves this by creating a Managed Apple ID for each user who intends to use these devices. Apple Business Manager admins can achieve this by manually creating these accounts or by federating with an identity provider like Azure Active Directory. For more information on creating Managed Apple IDs, look at Apple's support pages here.
Devices added to Apple Business Manager for onboarding
Supported iPads must be added to Apple Business Manager and onboarded using an automated enrollment profile with Shared mode enabled. The automated enrollment profile is largely the same as the one used to enroll a 1:1 iPad and skip Setup Assistant screens for rapid onboarding.
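To make the "largely the same" concrete, the following added example (not code from the page or from Workspace ONE) derives a Shared iPad automated enrollment profile from a 1:1 one, using the device enrollment API's profile keys. The key that switches on Shared mode is `is_multi_user`; the profile name, enrollment URL and serial numbers are placeholders, and the example enforces supervision because Shared iPad devices are always supervised.

```python
import copy
import json

# Constructed 1:1 (single-user) automated enrollment profile body. The key
# names are the device enrollment "define profile" keys; values are placeholders.
ONE_TO_ONE_PROFILE = {
    "profile_name": "Corp iPad 1:1",
    "url": "https://mdm.example.com/enroll",   # placeholder MDM enrollment URL
    "is_supervised": True,
    "is_mandatory": True,
    "is_mdm_removable": False,
    "skip_setup_items": ["Siri", "Diagnostics", "Location"],
    "devices": ["SERIAL0000001"],               # placeholder serial number
}


def shared_ipad_profile(base: dict) -> dict:
    """Return a copy of `base` configured for Shared iPad.

    Only `is_multi_user` needs to be added; supervision is forced on rather
    than trusted from the base profile, since Shared iPad requires it.
    """
    profile = copy.deepcopy(base)
    profile["profile_name"] = base["profile_name"].replace("1:1", "Shared")
    profile["is_multi_user"] = True
    profile["is_supervised"] = True
    return profile


def profile_diff(a: dict, b: dict) -> dict:
    """Map each differing key to its (a, b) values; None marks an absent key."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    shared = shared_ipad_profile(ONE_TO_ONE_PROFILE)
    print(json.dumps(profile_diff(ONE_TO_ONE_PROFILE, shared), indent=2))
```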
What do I get with Shared iPads?
Shared iPads come with some unique advantages that other shared device solutions do not offer. These capabilities distinguish Shared iPads as a top solution for multi-user devices in the Apple ecosystem.
Built-in data separation and encryption
As previously mentioned, the data separation in Shared iPad is a gamechanger in the world of shared devices. The other solutions mentioned attempt to achieve this by hiding access to features or performing full device wipes. With Apple's Shared iPads, each partition is unique per user and encrypted with a different device passcode created locally by the user. Apple Business Manager admins also have the option to create this device passcode on behalf of users or to reset it if needed.
Locked-down system settings
Although device supervision offers admins access to APIs to lock down Apple devices, Shared mode takes this one step further by completely hiding most or all of the functionality of several system apps and settings out of the box for all users. For example, Shared iPads remove the Software Updates section within the Settings app altogether, so solutions like Workspace ONE's OS Updates framework become the primary method for managing device updates effectively. The full list of restrictions is extensive, so we encourage readers to review Apple's support page on this topic.
Personalized user experience
As users log in with their Managed Apple ID, the managing MDM provider is notified of this change and can perform personalization actions only to show the resources needed by the targeted user. Personalization could include app configuration, SSO, and even customized Home Screen layout. Be on the lookout for more to come from VMware regarding these unique capabilities.
“Guest mode” for auth-less device access
For situations needing immediate or anonymous device access, Apple has added a new capability called a Temporary Session or Guest Mode. This mode provides immediate access to the device's Home Screen with no Managed Apple ID or device passcode prompt. This is great when quick access to identity-independent information is needed. Guest mode can be deactivated by MDM if necessary.
Hopefully, this gives color and clarity to the new and exciting experiences to come with Shared iPads for Business. Apple continues to raise the bar and expand its feature-rich ecosystem to pioneer solutions that become the new standard for achieving success in the enterprise. VMware is eager to see how the landscape of multi-user devices shifts with this release, and we plan to share our exciting innovations around these components soon.
Stay tuned for more information on how to use Shared iPads for Business with a future version of Workspace ONE UEM in the coming weeks.
Additional Authors and Contributors
Robert Terakedis, Senior Technical Marketing Manager, End User Computing, VMware.