- *BASICS*
- The Knox Ecosystem
- White Paper
- Samsung Knox Portal
- Knox Cloud Services
- General Knox Support
- Knox Licenses
- *FOR IT ADMINS*
- Knox Admin Portal
- Knox Suite
- Knox Platform for Enterprise
- Introduction
- How-to videos
- Before you begin
- Get started with UEMs
- Introduction
- Blackberry UEM
- Citrix Endpoint Management
- FAMOC
- IBM MaaS360
- Microsoft Intune
- MobileIron Cloud
- MobileIron Core
- Samsung Knox Manage
- SOTI MobiControl
- VMware Workspace ONE UEM
- Knox Service Plugin
- Release notes
- Migrate to Android 11
- FAQs
- Troubleshoot
- KBAs
- Knox Mobile Enrollment
- Introduction
- How-to videos
- Get started
- Features
- Register resellers
- Add an admin
- Create profiles
- Google device owner support
- MDM compatibility matrices
- Device users
- Activity log
- Enroll and unenroll devices
- Configure devices
- Provide KME feedback
- Use the Knox Deployment App (KDA)
- Recover Google FRP locked devices using KME
- Role-based access control (RBAC)
- Release notes
- FAQs
- Troubleshoot
- KBAs
- On-Premise
- Knox Configure
- Mobile
- Wearables
- Shared Device
- KBAs
- Knox Capture
- Introduction
- How it works
- How-to videos
- IT admins: Get started
- Getting started with Knox Capture
- Step 1: Launch Knox Capture
- Step 2: Create a scanning profile
- Step 3: Select apps and activities
- Step 4: Configure the scanner
- Step 5: Set keystroke output rules
- Step 6: Test apps in your configuration
- Step 7: Share your configuration
- Step 8: Deploy Knox Capture in Managed mode
- End users: Get started
- Features
- Release notes
- FAQs
- Troubleshoot
- Knox Asset Intelligence
- Knox Manage
- Introduction
- How-to videos
- Get started
- Video: Getting started with Knox Manage
- Integration with Managed Service Provider
- Access Knox Manage
- Configure basic environments
- Create user accounts
- Create groups
- Create organization
- Set up devices and profiles
- Set up Knox Manage deployment with a Knox Suite license
- Manage Chromebooks
- Manage Android devices with the Android Management API
- Manage Shared iPads
- Configure
- Licenses
- Organization
- Users
- Sync user information
- Groups
- Devices
- Content
- Applications
- View applications
- Add applications
- Introduction
- Add internal Android and iOS applications
- Add internal Windows applications
- Add public applications using Google Play Store
- Add public applications using iOS App Store
- Add public applications using Managed Google Play Private
- Add public applications using Managed Google Play Store Private Web
- Add public applications using Microsoft Store
- Add Chrome OS applications
- Assign applications
- Introduction
- Assign internal Android and iOS applications
- Assign iOS App Store applications
- Assign Google Play applications
- Assign Managed Google Play applications
- Assign Managed Google Play Private applications
- Assigned Managed Google Play Public Web App
- Assign Windows applications
- Assign Chrome OS applications
- Manage applications
- Volume Purchase Program for iOS
- Profile
- Knox E-FOTA
- Certificates
- Advanced settings
- Monitor
- Kiosk devices
- Knox Remote Support
- Active Directory
- Microsoft Exchange
- Mobile Admin
- Appendix
- Release notes
- Features
- FAQs
- KBAs
- Knox E-FOTA
- Introduction
- How-to videos
- Get started
- Features
- EMM integration
- Appendix
- Release notes
- FAQs
- KBAs
- Troubleshoot
- Knox E-FOTA On-Premises
- Legacy Knox E-FOTA products
- Knox Guard
- Introduction
- How-to video
- Get started
- Using Knox Guard
- Dashboard
- Manage devices
- Introduction
- Accept or reject devices
- Upload devices
- Delete devices
- Complete payment
- Send payment overdue notification
- Enable or disable SIM control
- Download devices as CSV
- View device log
- View device deletion log
- Start and stop blinking reminder
- Lock and unlock devices
- Update lock message
- Send relock timestamp
- Turn on/off relock reminder
- Manage policies
- Manage licenses
- Manage resellers
- Manage admins and roles
- Activity log
- Knox Deployment App
- Release notes
- FAQs
- KBAs
- Support
- Samsung Care+ for Business
- *FOR RESELLERS*
- Knox Deployment Program
- *FOR MANAGED SERVICE PROVIDERS*
- Knox MSP Program
Knox Manage supports Shared iPad, which is a mode for iOS devices that allows different users to log in to one iPad and receive a personalized experience with iPad features and their apps and files. Device users can either sign in with their Managed Apple ID and enjoy persistent apps and files, or start a temporary session, which is a guest mode that deletes all user data after the session ends. Shared iPads are enrolled and provisioned through Apple Device Enrollment Program (DEP) profiles. An individual policy on a Shared iPad either applies to the entire device (through the device profile) or to the user account (through the user profile) for the duration of the shared user's session. For more details on how policies apply, see Configure Shared iPad policies.
Supported devices
For Shared iPad mode, Knox Manage currently supports the following devices:- iPad (5th generation) and later
- iPad Pro
- iPad Air 2 and later
- iPad mini 4 and later, with the following minimum requirements:
- 32 GB storage
- iOS 13.4 or higher
- Deployed by Apple DEP and in Supervised mode
Deploy Shared iPads
Registering and syncing Shared iPads is very similar to setting up devices using DEP. For establishing device-wide policies, a staging user is assigned to the Share iPad through the DEP configuration. The device-wide profile and apps are configured and assigned to this staging user. For establishing user-level policies, Apple Business Manager syncs your actual users' Managed Apple IDs to KM. Once they are synced and you have corresponding KM users, you can then assign profiles with policies to them.
As soon as you register an iPad through Apple Business Manager, it immediately enters the staging state and applies the assigned DEP profile. Therefore, it is crucial that you carefully configure your default DEP profile in advance, and take into account common policies and apps that need to apply to all users.
To deploy Shared iPads with KM:
- If you haven't already, create an Apple Business Manager account.
- Factory reset all your iPads intended for Shared iPad mode.
- Register a Managed Apple ID for each user through Apple Business Manager.
- Configure a default DEP profile on the KM console.
- Configure each device user and associate a profile with them on the KM console.
- Sync the iPads with KM.
Add and manage Shared iPad users
Just like with other devices managed through the DEP, you can map devices users to Managed Apple IDs manually or sync them through AD/LDAP.
To manually sync a Managed Apple ID with a KM user, when you create the user account on the KM console, fill the Managed Apple ID field:
When you sync Managed Apple IDs to KM users through AD/LDAP, on the Advanced > AD/LDAP Sync > Sync Service page, under Mapping Information, you can see the Managed Apple ID field synced from Apple Business Manager:
View the status of a Shared iPad on the KM console
On the KM console, you can view and specify the management mode of iOS devices on the Device Enrollment > Apple DEP > DEP Device Management page. To assign the device profile to a Shared iPad, select it and click Assign User.
On the Device page, you can filter for Shared iPads by selecting Shared as the management type.
When you hover over the Platform & Management Type of a device, a tooltip shows the current user's Managed Apple ID.
Shared iPads receive a Shared Device tab on the Device Detail page. On this tab, you can track the following information about the shared sessions of the iPad:
- Shared Device User tab — View all device users who had sessions on this iPad, and manually sync the session status of the iPad. Click Detail next to a user to open the Shared Device Detail page, which displays information about the user and their sessions on this iPad.
- Shared Device Log tab — View the complete history of all sharing events on this iPad.
On the Shared Device Detail page, you can view information related to the user's session status, profile policies, group and organization, and device command history while they were using the iPad:
Configure Shared iPad policies
For devices in Shared iPad mode, some policy settings are global in that they apply to the both the device and the current user at the same time, while others are exclusive to either the whole iPad or the user. With Shared iPads, a policy's scope is determined by its policy channel:
| Policy channel scope | Device channel policy groups (staging user) | User channel policy groups (users) |
|---|---|---|
| Common | System, Interface, Security, Application, Phone, Share, Browser, iCloud, Media | |
| By channel | Wi-Fi, VPN, Certificate, Cellular, AirPRint, Font, App Lock, Global http proxy, Air Play, Web Content Filter, Network Usage Rules | Exchange, Web Clip, Managed Domains |
The order of precedence for common policies is as follows:
- If the device profile configures a common policy, then its settings remain applied when the device user starts their session.
- If both the device profile and user profile configure the same common policy, then the group/organization policy settings apply when the device user starts their session.
For the list of policies by channel, see iOS policies.
Assign apps to Shared iPads
For Shared iPads, apps can be assigned through the Volume Purchase Program (VPP), or by the staging user that the device profile is associated with.
Apps for Shared iPads have some restrictions:
- Since Shared iPads don't use the KM agent, you can only install internal apps through the Install App device command.
- Device users can't download public apps from the App Store.
- Apps install between the staging state and user sessions. When a user is signed in, no apps can install.
