Basics
The Knox Ecosystem
White Paper
- Introduction
  - The Samsung Knox Platform
  - Feature Summary
- Core Platform Security
- Network Security
  - Virtual Private Networks
  - Network Platform Analytics
- Certificate Management
- Device Management
- User Authentication
  - Biometric Authentication
- App and Data Protection
- Appendix
Samsung Knox Portal
Knox Cloud Services
- Sign in with SSO
General Knox Support
Knox Licenses
For IT admins
Knox Admin Portal
- About
- Introduction
  - Select Knox services
- Features
- Knox Remote Support
- Release notes
Knox Suite
- Introduction
- How-to videos
- Get started
- Learn more about Knox Suite
- Enterprise Edition devices
- FAQ
- KBAs
Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
  - Before you begin
  - User agreements for Android device management
- Get started with UEMs
- Knox Service Plugin
- Release notes
- Migrate to Android 11
  - Device management modes
  - Prepare Knox for Android 11
- FAQs
- Troubleshoot
  - Get device logs
- KBAs
Knox Mobile Enrollment
- Introduction
- Get started
- Features
- Release notes
- FAQ
- Troubleshoot
  - Get support
- KBAs
- On-Premise
Knox Configure
- Mobile
- Wearables
- Shared Device
- FAQ
- KBAs
Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- End users: Get started
  - Getting started with Knox Capture
- Features
- Release notes
- FAQ
- KBAs
- Troubleshoot
Knox Asset Intelligence
- Introduction
- Get started
- Set up reported device data
- Features
- Troubleshoot
  - Device-side errors
  - Portal-side errors
- Real-time location service
- Release notes
- FAQ
- KBAs
Knox Manage
- Introduction
- How-to videos
- Get started
- Configure
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQ
- KBAs
Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
  - Install an app to devices through an EMM
  - EMM compatibility matrix
- Release notes
- FAQ
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
  - Knox E-FOTA Advanced
  - Knox E-FOTA on MDM
Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Release notes
- FAQ
- KBAs
- Support
Samsung Care+ for Business
- Introduction
- Get started
- Submit claim
- Features
- Release notes
- FAQ
- KBAs
For Knox Partners
Knox Deployment Program
Knox MSP Program

Manage Shared iPads

Knox Manage supports Shared iPad, which is a mode for iOS devices that allows different users to log in to one iPad and receive a personalized experience with iPad features and their apps and files. Device users can either sign in with their Managed Apple ID and enjoy persistent apps and files, or start a temporary session, which is a guest mode that deletes all user data after the session ends. Shared iPads are enrolled and provisioned through Apple Automated Device Enrollment (ADE) profiles. An individual policy on a Shared iPad either applies to the entire device (through the device profile) or to the user account (through the user profile) for the duration of the shared user's session. For more details on how policies apply, see Configure Shared iPad policies.

Supported devices

For Shared iPad mode, Knox Manage currently supports the following devices:

iPad (5th generation) and later
iPad Pro
iPad Air 2 and later
iPad mini 4 and later, with the following minimum requirements:
- 32 GB storage
- iOS 13.4 or higher
- Deployed by ADE and in Supervised mode

Deploy Shared iPads

Registering and syncing Shared iPads is very similar to setting up devices using Automated Device Enrollment. For establishing device-wide policies, a staging user is assigned to the Share iPad through the ADE configuration. The device-wide profile and apps are configured and assigned to this staging user. For establishing user-level policies, Apple Business Manager syncs your actual users' Managed Apple IDs to Knox Manage. Once they are synced and you have corresponding Knox Manage users, you can then assign profiles with policies to them.

As soon as you register an iPad through Apple Business Manager, it immediately enters the staging state and applies the assigned ADE profile. Therefore, it is crucial that you carefully configure your default ADE profile in advance, and take into account common policies and apps that need to apply to all users.

To deploy Shared iPads with Knox Manage:

If you haven't already, create an Apple Business Manager account.
Factory reset all your iPads intended for Shared iPad mode.
Register a Managed Apple ID for each user through Apple Business Manager.
Configure a default ADE profile on the Knox Manage console.
Configure each device user and associate a profile with them on the Knox Manage console.
Sync the iPads with Knox Manage.

Add and manage Shared iPad users

Just like with other devices managed through ADE, you can map devices users to Managed Apple IDs manually or sync them through AD/LDAP.

To manually sync a Managed Apple ID with a Knox Manage user, when you create the user account on the Knox Manage console, fill the Managed Apple ID field:

The Managed Apple ID field on the Add User page

When you sync Managed Apple IDs to Knox Manage users through AD/LDAP, on the Advanced > AD/LDAP Sync > Sync Service page, under Mapping Information, you can see the Managed Apple ID field synced from Apple Business Manager:

The automatically synced Managed Apple ID field on the Sync Service page

View the status of a Shared iPad on the Knox Manage console

On the Knox Manage console, you can view and specify the management mode of iOS devices on the Device Enrollment > Apple ADE > ADE Device Management page. To assign the device profile to a Shared iPad, select it and click Assign User.

The ADE Device Management page with a device overview containing Shared iPads

On the Device page, you can filter for Shared iPads by selecting Shared as the management type.

Filtering iOS devices on the Device page by the Shared management type

When you hover over the Platform & Management Type of a device, a tooltip shows the current user's Managed Apple ID.

A device's Platform & Management Type column revealing a tooltip that shows the Managed Apple ID of the current user session

Shared iPads receive a Shared Device tab on the Device Details page. On this tab, you can track the following information about the shared sessions of the iPad:

Shared Device User tab — View all user sessions and temporary sessions on this iPad, and manually sync the session status of the iPad. Click Detail next to a user to open the Shared Device Details page, which displays information about the user and their sessions on this iPad.
Shared Device Log tab — View the complete history of all sharing events on this iPad.

The Shared Device tab on the Device Details page, which contains elements specific to Shared iPads

On the Shared Device Details page, you can view information related to the user's session status, profile policies, group and organization, and device command history while they were using the iPad:

The Shared Device Details page, with elements specific to Shared iPads

Send device commands

Like regular managed iPhones and iPads, you can send device commands to Shared iPads to control device behavior and retrieve information about it and its current status. For certain commands, the device must have an active user session with the Knox Manage agent running. You can send commands to one device at a time. For details about which commands require the agent, see iOS device commands.

To send a device command during a staging user session, use the standard method on the Knox Manage console.

To send a device command during a Managed Apple ID user session:

On the Device page, click the name of a Shared iPad. The details page for that iPad opens.
Click the Shared Device tab.
Click Device Command, then select a command to send.

Sending a device command on the Shared Device tab of the Device Details page

Configure Shared iPad policies

For devices in Shared iPad mode, some policy settings are global in that they apply to the both the device and the current user at the same time, while others are exclusive to either the whole iPad or the user. With Shared iPads, a policy's scope is determined by its policy channel:

Policy channel scope	Device channel policy groups (staging user)	User channel policy groups (users)
Common	System, Interface, Security, Application, Phone, Share, Browser, iCloud, Media
By channel	Wi-Fi, VPN, Certificate, Cellular, AirPRint, Font, App Lock, Global http proxy, Air Play, Web Content Filter, Network Usage Rules	Exchange, Web Clip, Managed Domains

The order of precedence for common policies is as follows:

If the device profile configures a common policy, then its settings remain applied when the device user starts their session.
If both the device profile and user profile configure the same common policy, then the group/organization policy settings apply when the device user starts their session.

For the list of policies by channel, see iOS policies.

Assign apps to Shared iPads

For Shared iPads, managed apps can be assigned through the Volume Purchase Program (VPP), or by the staging user that the device profile is associated with.

Managed apps on Shared iPads have some restrictions:

Device users can only install internal and VPP apps from the Knox Manage agent. They can't download apps from the public App Store.
Apps install between the staging state and user sessions. When a user is signed in, no apps can install.

Knox Manage agent on Shared iPads

The Knox Manage agent is supported on Shared iPads. This optional EMM app offers the following benefits:

Device users can manually install internal and VPP apps as needed, without your needing to install them through a device command.
Send device commands, including for sending push notifications and retrieving the device's location.
The Knox Manage profile for your Shared iPads can apply based on the Day & Time profile event.

During a shared user session, the user's Knox Manage identity is passed to the agent, signing them in automatically and providing them access to the app store in the agent's interface.

NOTE — On the device user's first shared session while the Knox Manage agent is running, they are prompted to read and agree to the agent's Privacy Policy. The agreement is tied to the installation, so if the agent is reinstalled at a later date, they will be prompted to agree to the policy again.

Deploy the Knox Manage agent

To deploy the Knox Manage agent to Shared iPads in your tenant:

Begin following the instructions in Manage VPP applications to add and assign the agent as a VPP app.
When assigning the agent to your users, set the Assignment Type to Device, and Install Type to Automatic. If set to manual installation, the app can't be deployed to the Shared iPad.
Finish adding and assigning the app.