Manage shared iPads
Last updated November 20th, 2023
Knox Manage supports Shared iPad, which is a mode for iOS devices that allows different users to sign in to one iPad and receive a personalized experience with iPad features and their apps and files. Device users can either sign in with their Managed Apple ID and enjoy persistent apps and files, or start a temporary session, which is a guest mode that deletes all user data after the session ends. Shared iPads are enrolled and provisioned through Apple Automated Device Enrollment (ADE) profiles. An individual policy on a Shared iPad either applies to the entire device (through the device profile) or to the user account (through the user profile) for the duration of the shared user’s session. For more details on how policies apply, see Configure Shared iPad policies.
For Shared iPad mode, Knox Manage currently supports the following devices:
- iPad (5th generation) and later
- iPad Pro
- iPad Air 2 and later
- iPad mini 4 and later
These devices must meet the following minimum requirements:
- 32 GB storage
- iOS 13.4 or higher
- Deployed by ADE and in Supervised mode
Deploy Shared iPads
Registering and syncing Shared iPads is very similar to setting up devices using Automated Device Enrollment. To establish device-wide policies, a staging user is assigned to the Shared iPad through the ADE configuration. The device-wide profile and apps are configured and assigned to this staging user. To establish user-level policies, Apple Business Manager syncs your actual users’ Managed Apple IDs to Knox Manage. Once they are synced and you have corresponding Knox Manage users, you can then assign profiles with policies to them.
As soon as you register an iPad through Apple Business Manager, it immediately enters the staging state and applies the assigned ADE profile. Therefore, it is crucial that you carefully configure your default ADE profile in advance, and take into account common policies and apps that need to apply to all users.
To deploy Shared iPads with Knox Manage:
- If you haven’t already, create an Apple Business Manager account.
- Factory reset all your iPads intended for Shared iPad mode.
- Register a Managed Apple ID for each user through Apple Business Manager.
- Configure a default ADE profile on the Knox Manage console.
- Configure each device user and associate a profile with them on the Knox Manage console.
Add and manage Shared iPad users
Just like with other devices managed through ADE, you can map device users to Managed Apple IDs manually or sync them through AD/LDAP.
To manually sync a Managed Apple ID with a Knox Manage user, fill in the Managed Apple ID field when you create the user account on the Knox Manage console.
When you sync Managed Apple IDs to Knox Manage users through AD/LDAP, on the Setting > Identity & Directory > Connection page, under Mapping Information, you can see the Managed Apple ID field synced from Apple Business Manager.
View the status of a Shared iPad on the Knox Manage console
On the Knox Manage console, you can view and specify the management mode of iOS devices on the Device Enrollment > Apple ADE > ADE Device Management page. To assign the device profile to a Shared iPad, select it and click Assign User.
On the Device page, you can filter for Shared iPads by selecting Shared as the management type.
When you hover over the Platform & Management Type of a device, a tooltip shows the current user’s Managed Apple ID.
Shared iPads receive a Shared Device tab on the Device Details page. On this tab, you can track the following information about the shared sessions of the iPad:
- Shared Device User tab — View all user sessions and temporary sessions on this iPad, and manually sync the session status of the iPad. Click Detail next to a user to open the Shared Device Details page, which displays information about the user and their sessions on this iPad.
- Shared Device Log tab — View the complete history of all sharing events on this iPad.
On the Shared Device Details page, you can view information related to the user’s session status, profile policies, group and organization, and device command history while they were using the iPad.
Send device commands
Like regular managed iPhones and iPads, you can send device commands to Shared iPads to control device behavior and retrieve information about it and its current status. For certain commands, the device must have an active user session with the Knox Manage agent running. You can send commands to one device at a time. For details about which commands require the agent, see iOS device commands.
To send a device command during a staging user session, use the standard method on the Knox Manage console.
To send a device command during a Managed Apple ID user session:
- On the Device page, click the name of a Shared iPad. The details page for that iPad opens.
- Click the Shared Device tab.
- Click Device Command, then select a command to send.
Configure Shared iPad policies
For devices in Shared iPad mode, some policy settings are global in that they apply to both the device and the current user at the same time, while others are exclusive to either the whole iPad or the user. With Shared iPads, a policy’s scope is determined by its policy channel:
|Policy channel scope|Device channel policy groups (staging user)|User channel policy groups (users)|
|---|---|---|
|Common|System, Interface, Security, Application, Phone, Share, Browser, iCloud, Media|System, Interface, Security, Application, Phone, Share, Browser, iCloud, Media|
|By channel|Wi-Fi, VPN, Certificate, Cellular, AirPrint, Font, App Lock, Global http proxy, Air Play, Web Content Filter, Network Usage Rules|Exchange, Web Clip, Managed Domains|
The order of precedence for common policies is as follows:
- If the device profile configures a common policy, then its settings remain applied when the device user starts their session.
- If both the device profile and user profile configure the same common policy, then the group/organization policy settings apply when the device user starts their session.
For the list of policies by channel, see iOS policies.
Assign apps to Shared iPads
For Shared iPads, managed apps can be assigned through the Volume Purchase Program (VPP), or by the staging user that the device profile is associated with.
Managed apps on Shared iPads have some restrictions:
- Device users can only install internal and VPP apps from the Knox Manage agent. They can’t download apps from the public App Store.
- Apps install between the staging state and user sessions. When a user is signed in, no apps can install.
Knox Manage agent on Shared iPads
The Knox Manage agent is supported on Shared iPads. This optional EMM app offers the following benefits:
- Device users can manually install internal and VPP apps as needed, without your needing to install them through a device command.
- You can send device commands, including commands that send push notifications and retrieve the device’s location.
- The Knox Manage profile for your Shared iPads can apply based on the Day & Time profile event.
During a shared user session, the user’s Knox Manage identity is passed to the agent, signing them in automatically and providing them access to the app store in the agent’s interface.
Deploy the Knox Manage agent
To deploy the Knox Manage agent to Shared iPads in your tenant:
- Begin following the instructions in Manage VPP applications to add and assign the agent as a VPP app.
- When assigning the agent to your users, set the Assignment Type to Device, and Install Type to Automatic. If set to manual installation, the app can’t be deployed to the Shared iPad.
- Finish adding and assigning the app.