Citrix Endpoint Management

Shared iPads

The shared iPad feature allows multiple users to use an iPad. The user experiences can be personalized even though the devices are shared. You can use shared iPads for education.

Prerequisites for Shared iPads

  • Apple School Manager
  • Citrix Endpoint Management
  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

Configure Shared iPads for education

Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.

Either you or instructors enroll Shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a Shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.

Endpoint Management uses two communications channels for Shared iPads: The system channel for the device owner (instructor) and the user channel for the current resident user (student). Endpoint Management uses those channels to send the appropriate MDM commands for the resources supported by Apple.

Resources that deploy over the system channel are:

Resources that deploy over the user channel are:

  • Device policies: Apps Notifications, Home Screen Layout, and Restrictions

    Endpoint Management supports only those device policies over the user channel.

When configuring device policies, you specify the deployment channel in the policy setting Profile scope.

Device Policies configuration screen

To remove device policies that you deployed over the user channel, be sure to choose a Deployment scope of User for the Profile Removal policy.

General workflow

Typically, you provide preconfigured and supervised Shared iPads to instructors. The instructors then distribute the devices to students. If you don’t distribute pre-enrolled Shared iPads to instructors: Be sure to provide the instructors with their Endpoint Management server passwords so they can enroll their devices.

The general workflow for configuring and enrolling Shared iPads is as follows.

  1. Use the Endpoint Management server console to add ASM accounts (Settings > Apple Deployment Program) with Shared mode enabled. For more information, see “Manage ASM accounts for Shared iPads” next.
  2. As described in this section, add the required device policies, apps, and media to Endpoint Management. Assign those resources to delivery groups.
  3. Have the instructors perform a hard reset on the Shared iPads. The Remote Management screen for enrollment appears.
  4. The instructors enroll the Shared iPads. Endpoint Management deploys configured resources to each enrolled Shared iPad. After an automatic restart, instructors can share the devices with students. A sign in page appears on the iPad.
  5. A student chooses the class and then enters their Managed Apple ID and temporary ASM (ASM) password. The Shared iPad authenticates to ASM and prompts the student to create an ASM password. For the next sign into the Shared iPad, the student provides the new ASM password.
  6. Another student who is sharing the iPad can then sign in by repeating the previous step.

Manage ASM accounts for Shared iPads

If you already use Endpoint Management with Apple Education: You have an existing ASM account configured in Endpoint Management for devices that aren’t shared, such as the devices used by instructors. You can use the same ASM and the same Endpoint Management server for both shared and non-shared devices.

Endpoint Management supports these deployment scenarios:

  • A group of Shared iPads per class

    In this scenario, you assign the Shared iPads to a class of students. The iPads stay in the classroom. Instructors who teach different subjects in that class use the same set of iPads.

  • A group of Shared iPads per instructor

    In this scenario, you assign the Shared iPads to an instructor, who uses those iPads for the various classes that they teach.

Organize Shared iPads into device groups

ASM lets you organize devices into groups by creating multiple MDM servers. When you assign the Shared iPads to an MDM server, create a device group for each group of Shared iPads, per class or per instructor:

  • Group 1 of Shared iPads > Device Group 1 MDM Server
  • Group 2 of Shared iPads > Device Group 2 MDM Server
  • Group N of Shared iPads > Device Group N MDM Server

Add ASM accounts for each device group

When you create multiple ASM accounts from the Endpoint Management server console, you automatically import groups of Shared iPads (one for each class or instructor):

  • Device Group 1 MDM Server > Device Group 1 account
  • Device Group 2 MDM Server > Device Group 2 account
  • Device Group N MDM Server > Device Group N account

Requirements specific to Shared iPads are as follows:

  • One ASM account for each device group with these settings enabled:
    • Require device enrollment
    • Supervised mode
    • Shared mode
  • For a given educational organization, be sure to use the same Education suffix for all ASM accounts.

Apps for Shared iPads

Shared iPads support assignment of device-based volume purchase apps. Before deploying an app on a Shared iPad, Endpoint Management sends a request to the Apple volume purchase server to assign volume purchase licenses to devices. To check the volume purchase assignments, go to Configure > Apps > iPad and expand Volume Purchase.

Media for Shared iPads

Shared iPads support assignment of user-based volume purchase iBooks. Before deploying iBooks on a Shared iPad, Endpoint Management sends a request to the Apple volume purchase server to assign volume purchase licenses to students. To check the volume purchase assignments, go to Configure > Media > iPad and expand Volume Purchase.

Media configuration screen

Deployment rules for Shared iPads

For Shared iPad deployment, the rules at the delivery group level don’t apply because they relate to user properties. To filter the policies, apps, and media for each group of devices: Add a deployment rule for the resources based on the account name. For example:

  • For the Device Group 1 account, set this deployment rule:

  Apple Deployment Program account name
  Only
  Device Group 1 account

  • For the Device Group 2 account, set this deployment rule:

  Apple Deployment Program account name
  Only
  Device Group 2 account

  • For the Device Group N account, set this deployment rule:

  Apple Deployment Program account name
  Only
  Device Group N account

Device Policies configuration screen

To deploy the Apple Classroom app only to instructors (using unshared iPads), filter the resources by ASM shared status with these deployment rules:


Deploy this resource regarding ASM shared mode
only
unshared

Or:


Deploy this resource regarding ASM shared mode
except
shareable

Apps configuration screen

Delivery groups for Shared iPads

For the device group for each instructor:

  • Configure one delivery group. For the instructor, assign all the classes that the Education Configuration policy defines.

Delivery Groups configuration screen

  • That delivery group must include these MDM resources:
    • Device policies:
      • Education Configuration
      • Lock Screen Message
      • Apps Notifications
      • Home Screen Layout
      • Restrictions
      • Maximum Resident Users
      • Passcode Lock Grace Period
    • Required volume purchase apps
    • Required volume purchase iBooks

Delivery Groups configuration screen

Security actions for Shared iPads

In addition to existing security actions, you can use these security actions for Shared iPads:

  • Get Resident Users: Lists the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Forces a log out of the current user.
  • Delete Resident User: Deletes the current session for a specific user. The user can sign in again.

Security Actions screen

After you click Delete Resident User, you can specify the user name.

Security Actions screen

Results of security actions appear on the Manage > Devices > General and Manage > Devices > Delivery Groups pages.

Get information about Shared iPads

Find information specific to Shared iPads on the Manage > Devices page:

  • Look up:
    • Whether a device is shared (ASM shared)
    • Who is logged in to the shared device (ASM logged-in user)
    • All users assigned to the shared device (ASM resident users)

Devices configuration screen

  • Filter the device list by its ASM Device Status:

Devices configuration screen

  • View details about the user logged in to a Shared iPad, on the Manage > Devices > Logged-in User Properties page.

Devices configuration screen

Devices configuration screen

  • See the channel used to deploy resources to instructors and users in a delivery group on the Manage > Devices > Delivery Groups page. The Channel/User column shows the type (System or User) and the recipient (instructor or student).

Devices configuration screen

  • Get information about resident users:
    • Has data to sync: Whether the user has data to be synchronized to the cloud.
    • Data quotas: The data quota set for the user in bytes. A quota might not appear if user quotas are temporarily off or aren’t enforced for the user.
    • Data used: The amount of data used by the user in bytes. A value might not appear if an error occurs as the system gathers the information.
    • Is logged in: Whether the user is logged on to the device.

Devices configuration screen

  • View the push status for both channels.

Devices configuration screen

Shared iPads