IBM Security MaaS360


Using Shared Apple Devices With MaaS360

By Matt Shaver posted Thu December 10, 2020 06:56 PM


iOS device management has grown by leaps and bounds over the last few years. Apple seems to be taking user feedback more seriously and implementing features that both frustrate (deprecating restrictive features on non-supervised devices) and delight (non-DEP to DEP conversion) admins across the world. One of the more useful features that iOS supports, and one that gets little attention compared to other features, is the shared device solution. As of our 10.80 release, MaaS360 extends its shared device support from Apple School Manager only to Apple Business Manager devices as well.

So, let's get started.....


Apple shared devices require some setup in both the Apple Business Manager (ABM) portal and in MaaS360. They are also not supported across all devices: the feature is limited to iPads only, and specific storage and model minimums must be met.

From the Apple website:

Devices must have at least 32 GB of storage and be supervised. Shared iPad is supported on:

  • iPad Pro

  • iPad (5th generation or later)

  • iPad Air 2 (or later)

  • iPad mini (4th generation or later)

Managed Apple IDs are also required - these are created and managed entirely in the ABM portal.  Please refer to Apple documentation for more info.

The managed Apple IDs should be assigned to users in the MaaS360 portal. This is not an absolute requirement, but failing to do so can have unintended consequences (for example, user profiles such as email configurations not being received). Currently, managed Apple IDs need to be added manually in the portal, either on a user-by-user basis or with our bulk update tool in the user directory (this works for users syncing from AD/LDAP sources as well as for MaaS360 local users).

Alternatively, admins may autofill the managed Apple ID field with the user's company email address. Just be aware that this is a global setting, and users who have created personal Apple IDs with their company email will not be eligible for managed IDs.



Lastly, in the MaaS360 portal, a streamlined enrollment profile must be created specifically for shared devices.
There are a couple of items worth pointing out:
  • When the Apple Shared Device option is selected, the "Authenticate User" option disappears. This is because users enrolling shared devices never authenticate against MaaS360 or our services. The device will not present a MaaS360 credential prompt; it will just enroll. Users then log in with their managed Apple ID credentials.
  • Partition types can be selected to determine how the device allots space to users.
    • Resident Users - determines the estimated maximum number of users, from 2 to 99. This places no caps on user data; however, additional users may be blocked from logging in once storage capacity is reached.
    • Quota Size - determines the maximum amount of data allotted to each user (in MB). These caps may not dip below certain minimums, which are determined by the amount of device storage. Keep in mind that system and app storage is a shared space that must be subtracted from the total device storage when determining the limits. From Apple:
      • Devices with a storage capacity of 32 GB: 10 GB for the system, 8 GB for apps and media. The remaining storage is divided among the number of defined users, with a 1 GB minimum per user.

        Note: Photos won't sync with a managed Apple ID account for quotas of 1 GB. Only use 1 GB as a minimum when necessary.

      • Devices with a storage capacity of 64 GB or greater: 10 GB for the system, 16 GB for apps and media. The remaining storage is divided among the number of defined users, with a 2 GB minimum per user.

        Here is a sample of the storage capacity that could be allotted to each user (the System and Apps and Media partition sizes are static):
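To make those partitioning rules concrete, here is an added example (not code from the original post or from MaaS360) that models Apple's figures quoted above so an admin can sanity check a Resident Users count or a Quota Size before saving the enrollment profile. The function names, the 1024 MB per GB conversion, and the use of Apple's per-user minimum as the quota floor are this example's own assumptions.

```python
# Added example, not part of the original post. Tier figures (system, apps/media,
# per-user minimum) come from the Apple text quoted above; function names and the
# assumption of 1024 MB per GB are this example's own.

SYSTEM_GB = 10  # static system partition for every supported tier


def _tier(device_gb):
    """Return (apps_media_gb, min_user_gb) for the device's storage tier."""
    if device_gb < 32:
        raise ValueError("Shared iPad requires at least 32 GB of storage")
    if device_gb < 64:
        return 8, 1   # 32 GB class: 8 GB apps/media, 1 GB minimum per user
    return 16, 2      # 64 GB and larger: 16 GB apps/media, 2 GB minimum per user


def per_user_gb(device_gb, resident_users):
    """Storage each user gets when the remainder is split across Resident Users.
    Returns None when the split would fall below Apple's per-user minimum."""
    if not 2 <= resident_users <= 99:
        raise ValueError("Resident Users must be between 2 and 99")
    apps_gb, min_gb = _tier(device_gb)
    share = (device_gb - SYSTEM_GB - apps_gb) / resident_users
    return share if share >= min_gb else None


def max_resident_users(device_gb):
    """Largest Resident Users value that still meets the per-user minimum (capped at 99)."""
    apps_gb, min_gb = _tier(device_gb)
    return min(99, (device_gb - SYSTEM_GB - apps_gb) // min_gb)


def quota_ok(device_gb, quota_mb):
    """Check a Quota Size (MB) against the tier minimum and the space actually free.
    Assumes the portal minimum equals Apple's per-user minimum for the tier."""
    apps_gb, min_gb = _tier(device_gb)
    free_mb = (device_gb - SYSTEM_GB - apps_gb) * 1024
    return min_gb * 1024 <= quota_mb <= free_mb


if __name__ == "__main__":
    for gb in (32, 64, 128):
        print(f"{gb} GB iPad: max resident users {max_resident_users(gb)}, "
              f"4 users get {per_user_gb(gb, 4)} GB each")
```

Running it shows, for instance, that a 32 GB iPad can hold at most 14 resident users at the 1 GB floor, while a 64 GB iPad tops out at 19 users at the 2 GB floor, which is why a Resident Users value near 99 only works on larger devices.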


Now that the basics are laid out, let's take a look at......

Enrollment & User Experience

The device should be assigned the appropriate DEP profile and in a factory reset or out-of-box state.  Boot it up, select your language, and connect to your network.  The device will mostly take over from here.
Just a few screens will load, and it will briefly appear as if the device is resetting (there will be an Apple logo and a loading bar), but this is an expected part of the process. The final screen will be a login prompt for a managed Apple ID.

Users will log in with their Apple ID and password.  The following screens will depend on whether or not the user has logged in with their Apple ID anywhere else or logged in on the device previously.
If the Apple ID has never logged in to any system and the temporary password is being used, the user will be prompted to enter a new password, as well as some personal info such as a phone number to receive SMS messages for a second factor code (2FA is a requirement).
Once this is complete, the user will be logged in and can begin to use the device.  On future logins they will only be prompted for their credentials.
The device experience will be mostly the same for the users for day-to-day workflows, but there will be some small differences, mostly in the settings.  They won't be able to view the MDM certificate or device reset settings in any capacity.

In order to log out, users can press the sleep/wake button to get to the lock screen and tap "Sign Out" in the bottom right corner.

After the first user logs in, all subsequent users will see the sign in screen with the ability to choose an existing user, add a new user, or sign in as a "Guest" if the MDM policy allows it (Guest users do not get storage allocations).

Now, let's take a look at the......
Portal Admin View

When the device is initially enrolled, before a user has signed in, the device will appear in the portal with no user (keep this in mind when leveraging groups to sort devices to the proper policies; shared devices have a unique field to easily sort them into groups).

Scenario 1 - If a user logs in with a managed Apple ID that is not associated with a user in the portal, the device will be enrolled, remain on the default assigned policy, and won't receive any user specific settings (such as email configurations).  It will also remain in an unassigned state.
Scenario 2 - If the managed Apple ID is associated with a user in the MaaS360 portal, then the device will automatically become assigned to that user and remain associated until they log out, at which point it will revert to its original unassigned state. This can be applied retroactively: if a user is given a managed Apple ID in the portal after the device is enrolled, the device will become assigned to that user the next time it checks in to the portal.

In addition, in the device view, under the Summary tab, there is a new section titled Display Active Users List. This lists all the user records from the information cached on the device. Admins may choose to log out the active user or delete a user from the device. Note: Neither of these actions prevents the user from logging back in with their managed Apple ID. In order to block logins, the ID must be disabled in the ABM portal.
Admins may also view information such as storage used, login status, and if there is any data pending an iCloud sync.
There are many potential use cases in which shared devices may be useful.  I believe this is why Apple extended the project beyond just educational environments.  Medical facilities, manufacturing, trucking, and more are all industries that can benefit from shared iPads over just 1:1 device assignment.  The good news is that the service is free to use, and already included for all ABM and MaaS360 clients.  You can begin testing scenarios to understand if this is right for you immediately.