With Cortado, you can manage iPads that are shared by several users. In this case each user is provided with their own profile on a single shared iPad. To do this you need iPads that have been registered in the Apple Business Manager. This How-To will show you how to configure a device to make it available to several users.
The aim is to configure iPads so that several users can share one device. For this purpose, each user will have a separate portion of the hard drive space made available to them, which they can then personalise for themselves.
iPads will be required that meet the following (hardware) requirements:
- a minimum of 32 GB storage space,
- iPad Pro; iPad (5th generation or newer); iPad Air 2 (or newer); iPad mini (4th generation or newer),
- managed Apple IDs, with which the users can sign in to a shared iPad,
- devices that are owned by the company and are lodged with Apple Business Manager,
- a user to carry out the initial enrollment of the iPads.
If all these prerequisites have been met, proceed as follows:
1. Importing SharediPadAdmin into the Administration Portal
For the initial configuration of the shared iPad, create a new user (referred to as SharediPadAdmin in the following) in the Administration Portal. To do this, proceed as described here. Note that SharediPadAdmin requires a password. Simply allocate a password when creating the user (arrow in illus.).
Note! Users of shared iPads don’t need to be imported into the Administration Portal. They only need a managed Apple ID.
2. Creating a new profile for the Automated Device Enrollment (ADE)
The steps outlined briefly in the following are described in detail here.
Note! In any case, create a new ADE profile for the shared iPads, do not use an existing one.
- Download the ADE certificate in the Administration Portal under Administration→ Settings→ Apple Automated Device Enrollment→Download.
- Then open the Apple Business Manager. Create a new mdm server in the Apple Business Manager for the shared iPads and upload the ADE certificate.
- Download the token.
- Now open the Cortado Administration Portal under Administration→ Settings→ Apple Automated Device Enrollment.
- Click on Add under ADE Profil in the right column (arrow in illus.).
Create a new ADE profile for the shared iPads:
- Enable the checkboxes Supervised and Shared iPad.
- Upload the token from the Apple Business Manager (arrow in illus.).
3. Creating a new policy and assigning to the SharediPadAdmin
- Create a new policy. To do so, select Administration→ Policies→ iOS/iPadOS in the Administration Portal.
- Retain Supervised Devices as the enrollment method (arrow in illus.).
- Specify how much storage space (MB) each user may use on the iPad (middle arrow in the illus.). Take note of the instructions from Apple on this.
- Specify the number of users per shared iPad (lower arrow in illus.). If this value is greater than the value for the maximum possible number of users that the device supports, Cortado MDM uses that value instead.
- Set after how many seconds of inactivity user sessions should be terminated. The minimum value is 30 seconds. If this value remains at 0, the session is not terminated in case of inactivity.
- You can also set a grace period for online authentication when logging in a shared iPad requires network authentication. If the value remains at 0, network authentication is requested every time. This is useful, for example, if iPads are not permanently online on the Internet, but are sometimes only offline or on the intranet. This way, the authentication against the Apple server can be delayed for a certain number of days.
- If the Allow temporary sessions checkbox is selected, users can log in as guests (or with managed Apple ID). If only temporary sessions are allowed, users can only log in as a guest. Logging in with managed Apple ID is then not possible. In difference to the login with managed Apple ID, the data of users who are logged in as guest are not stored.
- You can also specify after how many seconds of inactivity temporary sessions should be terminated. The minimum value is 30 seconds. If the value remains at 0, the session is not terminated in case of inactivity.
- In addition, you can set default domains to be displayed in the QuickType keyboard in the login screen of the shared iPad.
Then select the corresponding policy in the left column of the Administration Portal and click on Assign. Assign the new policy to SharediPadAdmin.
4. Initial enrollment of the iPads
The iPads can now be enrolled. It is assumed that the devices are new and unused or have been restored to factory settings. Further advice on the initial enrollment can be found here.
- Log on to the device with the SharediPadAdmin user name and password (see above).
- Then carry out all the setup steps previously specified in the ADE profile (see above).
- Then give the iPad to a user. They can then sign in with their managed Apple ID.
After that, other users can register and create profiles.
You can get an overview by selecting the iPad under Administration→ Devices (left arrow in the illus.). The shared iPad has been assigned to SharediPadAdmin (in the example, email@example.com, right arrow in the illus.). You can see which users are registered on the device (lower arrow in illus.).
When you create new apps, profiles, policies, etc., assign them either directly to the device or to the SharediPadAdmin.