Manage Shared iPads

Knox Manage supports Shared iPad, which is a mode for iOS devices that allows different users to log in to one iPad and receive a personalized experience with iPad features and their apps and files. Device users can either sign in with their Managed Apple ID and enjoy persistent apps and files, or start a temporary session, which is a guest mode that deletes all user data after the session ends. Shared iPads are enrolled and provisioned through Apple Device Enrollment Program (DEP) profiles. An individual policy on a Shared iPad either applies to the entire device (through the device profile) or to the user account (through the user profile) for the duration of the shared user's session. For more details on how policies apply, see Configure Shared iPad policies.

Supported devices

For Shared iPad mode, Knox Manage currently supports the following devices:
  • iPad (5th generation) and later
  • iPad Pro
  • iPad Air 2 and later
  • iPad mini 4 and later, with the following minimum requirements:
    • 32 GB storage
    • iOS 13.4 or higher
    • Deployed by Apple DEP and in Supervised mode

Deploy Shared iPads

Registering and syncing Shared iPads is very similar to setting up devices using DEP. For establishing device-wide policies, a staging user is assigned to the Share iPad through the DEP configuration. The device-wide profile and apps are configured and assigned to this staging user. For establishing user-level policies, Apple Business Manager syncs your actual users' Managed Apple IDs to KM. Once they are synced and you have corresponding KM users, you can then assign profiles with policies to them.

As soon as you register an iPad through Apple Business Manager, it immediately enters the staging state and applies the assigned DEP profile. Therefore, it is crucial that you carefully configure your default DEP profile in advance, and take into account common policies and apps that need to apply to all users.

To deploy Shared iPads with KM:

  1. If you haven't already, create an Apple Business Manager account.
  2. Factory reset all your iPads intended for Shared iPad mode.
  3. Register a Managed Apple ID for each user through Apple Business Manager.
  4. Configure a default DEP profile on the KM console.
  5. Configure each device user and associate a profile with them on the KM console.
  6. Sync the iPads with KM.

Add and manage Shared iPad users

Just like with other devices managed through the DEP, you can map devices users to Managed Apple IDs manually or sync them through AD/LDAP.

To manually sync a Managed Apple ID with a KM user, when you create the user account on the KM console, fill the Managed Apple ID field:

The Managed Apple ID field on the Add User page

When you sync Managed Apple IDs to KM users through AD/LDAP, on the Advanced > AD/LDAP Sync > Sync Service page, under Mapping Information, you can see the Managed Apple ID field synced from Apple Business Manager:

The automatically synced Managed Apple ID field on the Sync Service page

View the status of a Shared iPad on the KM console

On the KM console, you can view and specify the management mode of iOS devices on the Device Enrollment > Apple DEP > DEP Device Management page. To assign the device profile to a Shared iPad, select it and click Assign User.

The DEP Device Management page with a device overview containing Shared iPads

On the Device page, you can filter for Shared iPads by selecting Shared as the management type.

Filtering iOS devices on the Device page by the Shared management type

When you hover over the Platform & Management Type of a device, a tooltip shows the current user's Managed Apple ID.

A device's Platform & Management Type column revealing a tooltip that shows the Managed Apple ID of the current user session

Shared iPads receive a Shared Device tab on the Device Detail page. On this tab, you can track the following information about the shared sessions of the iPad:

  • Shared Device User tab — View all device users who had sessions on this iPad, and manually sync the session status of the iPad. Click Detail next to a user to open the Shared Device Detail page, which displays information about the user and their sessions on this iPad.
  • Shared Device Log tab — View the complete history of all sharing events on this iPad.
The Shared Device tab on the Device Detail page, which contains elements specific to Shared iPads

On the Shared Device Detail page, you can view information related to the user's session status, profile policies, group and organization, and device command history while they were using the iPad:

The Shared Device Detail page, with elements specific to Shared iPads

Configure Shared iPad policies

For devices in Shared iPad mode, some policy settings are global in that they apply to the both the device and the current user at the same time, while others are exclusive to either the whole iPad or the user. With Shared iPads, a policy's scope is determined by its policy channel:

Policy channel scopeDevice channel policy groups (staging user)User channel policy groups (users)
CommonSystem, Interface, Security, Application, Phone, Share, Browser, iCloud, Media
By channelWi-Fi, VPN, Certificate, Cellular, AirPRint, Font, App Lock, Global http proxy, Air Play, Web Content Filter, Network Usage RulesExchange, Web Clip, Managed Domains

The order of precedence for common policies is as follows:

  • If the device profile configures a common policy, then its settings remain applied when the device user starts their session.
  • If both the device profile and user profile configure the same common policy, then the group/organization policy settings apply when the device user starts their session.

For the list of policies by channel, see iOS policies.

Assign apps to Shared iPads

For Shared iPads, apps can be assigned through the Volume Purchase Program (VPP), or by the staging user that the device profile is associated with.

Apps for Shared iPads have some restrictions:

  • Since Shared iPads don't use the KM agent, you can only install internal apps through the Install App device command.
  • Device users can't download public apps from the App Store.
  • Apps install between the staging state and user sessions. When a user is signed in, no apps can install.