Apple debuts multi-user iPadOS sessions for enterprise users
Shared iPad, previously exclusive to education, brings multi-user concepts to enterprise iPad use cases, and Apple admins should learn how it can support their organization.
Apple made a significant announcement regarding iPad device functionality in the enterprise: iPadOS 13.4 has brought Shared iPad for Business to Apple's line of tablets.
Shared iPad is a mode that offers multi-user support, and Apple first released the multi-user concept for education customers back in 2016 with iOS 9.3. With iPadOS multiple user sessions, a managed user can go up to any institutional iPad, log in, and access all of their apps, settings and data from Apple's iCloud storage to the local files app. Longtime desktop admins can think of this as the iPad equivalent of roaming profiles.
A shared iPad for enterprise always seemed like an attractive option, but it was hardly a guarantee that Apple would ever release something like this. And in the meantime, there were plenty of other approaches to enabling multiple user iPads, via app-level solutions, MDM and GroundControl.
Now that Apple has finally released multi-user, shared device capabilities at the system level for enterprise iPads, how does this work and what does it mean?
How does the multiple user iPad session work?
Apple has posted some documentation for Shared iPad, and since it's been around in education for a few years, the enterprise mobility management (EMM) community already has some experience with it.
To use Shared iPad for multiple users, customers will need an Apple Business Manager instance, a mobile device management (MDM) server or unified endpoint management (UEM) product that supports Shared iPad; some modern iPads; and managed Apple IDs for users.
Apple admins can set up managed Apple IDs in a number of ways, including via federation with Microsoft Azure Active Directory (AD). This article will focus on Azure AD for now, but readers can check out Apple's documentation for login flows using other methods.
iPadOS home screen
Azure AD federation for business users came out in the fall of 2019 with iOS 13.1 and User Enrollment, so some key integration questions aren't fully fleshed out yet. For example, it's unclear how to deal with users that already made a consumer Apple ID with their corporate email address.
Users can log into any iPad set up for shared usage by their organization with their Azure AD username and password user accounts. The iPad will prompt the users to create a passcode on the iPad, and then the iPad will sync their apps, data, settings and email accounts from iCloud. The iPad caches all this data locally on the iPad, and when the user comes back, they'll see a list of recent users they can select.
Given the data synced to the iPad and the need to set a passcode, Apple's documentation recommends having users return to the same device whenever possible. Customers can also cache iCloud data on their network, using the content caching features in macOS.
Shared iPad for multiple users now has a temporary guest mode as well. No username or passcode is required for this mode. If a user logs in with this mode, the iPad locks down settings and options and deletes any data the user caches from iCloud when the user is done.
Managing iPads shared with multiple users
There are a variety of MDM commands and profiles for managing Shared iPads. Shared iPads operate in supervised mode, which supports many different restrictions. On top of that, there are additional features, settings, apps and services that are restricted for Shared iPad and Managed Apple IDs. IT can also manage storage allocations.
Users can log into any iPad set up for shared usage by their organization with their Azure AD username and password.
Because managing a shared iPad requires an MDM server, IT admins will have to wait and see how their EMM or UEM vendor exposes all of the settings. For example, VMware Workspace One and Kandji UEM platforms both have added support for the multi-user iPadOS sessions. Until then, Apple admins have the Shared iPad documentation listed above, and MDM settings for IT and MDM documentation for developers.
What does the shared iPad for multiple users mean for businesses?
Some vendors in the EMM market have already created their own multi-user options, but having these new capabilities at the OS level is going to open up even more options.
Apple has been on a tear with enterprise features recently, and Shared iPad for Business is just another example of this. Other recent updates include an educational testing mode for MacOS devices, proxy support with the Apple Push Notification Service, and iCloud Drive folder sharing.
Businesses considering Shared iPad for Business should keep several factors in mind:
First, there's the need for Managed Apple IDs, Apple Business Manager and iCloud storage. Some customers might be waiting until Azure AD can take advantage of this feature or hoping that Apple adds support for other identity providers. Using iCloud as the syncing mechanism also means that some organizations might need to prevent their applications from storing any sensitive data in other locations.
Second, looking at Windows roaming profiles as an analogous technology, there were many documented issues with Windows roaming profiles' logon times. Many of these issues will apply with Shared iPad, too. Administrators could even hide apps via MDM, similar to desktop app masking approaches like FSLogix, to speed up login times.
Admins will have to wait for their EMM or UEM vendor to provide support, but Jamf announced support soon after Apple's announcement of this feature. Jamf administrators will have a leg up in quickly adopting this feature and functionality.
Editor's Note: This article was first posted in March 2020. It has since been updated.
