The shared iPad feature allows multiple users to use an iPad. The user experiences can be personalized even though the devices are shared. You can use shared iPads for education.
Prerequisites for Shared iPads
- Apple School Manager
- Citrix Endpoint Management
- Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
- At least 32 GB of storage
Configure Shared iPads for education
Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.
Either you or instructors enroll Shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a Shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.
Endpoint Management uses two communications channels for Shared iPads: The system channel for the device owner (instructor) and the user channel for the current resident user (student). Endpoint Management uses those channels to send the appropriate MDM commands for the resources supported by Apple.
Resources that deploy over the system channel are:
- Device policies, such as Education Configuration, Lock Screen Message, Maximum Resident Users, and Passcode Lock Grace Period
Device-based volume purchase apps
Apple doesn’t support Enterprise apps or user-based volume purchase apps on Shared iPads. Apps installed on a Shared iPad are global to the device and not per user.
User-based volume purchase iBooks
Apple supports assignment of user-based volume purchase iBooks on Shared iPads.
Resources that deploy over the user channel are:
Device policies: Apps Notifications, Home Screen Layout, and Restrictions
Endpoint Management supports only those device policies over the user channel.
When configuring device policies, you specify the deployment channel in the policy setting Profile scope.
To remove device policies that you deployed over the user channel, be sure to choose a Deployment scope of User for the Profile Removal policy.
Typically, you provide preconfigured and supervised Shared iPads to instructors. The instructors then distribute the devices to students. If you don’t distribute pre-enrolled Shared iPads to instructors: Be sure to provide the instructors with their Endpoint Management server passwords so they can enroll their devices.
The general workflow for configuring and enrolling Shared iPads is as follows.
- Use the Endpoint Management server console to add ASM accounts (Settings > Apple Deployment Program) with Shared mode enabled. For more information, see “Manage ASM accounts for Shared iPads” next.
- As described in this section, add the required device policies, apps, and media to Endpoint Management. Assign those resources to delivery groups.
- Have the instructors perform a hard reset on the Shared iPads. The Remote Management screen for enrollment appears.
- The instructors enroll the Shared iPads. Endpoint Management deploys configured resources to each enrolled Shared iPad. After an automatic restart, instructors can share the devices with students. A sign in page appears on the iPad.
- A student chooses the class and then enters their Managed Apple ID and temporary ASM (ASM) password. The Shared iPad authenticates to ASM and prompts the student to create an ASM password. For the next sign into the Shared iPad, the student provides the new ASM password.
- Another student who is sharing the iPad can then sign in by repeating the previous step.
Manage ASM accounts for Shared iPads
If you already use Endpoint Management with Apple Education: You have an existing ASM account configured in Endpoint Management for devices that aren’t shared, such as the devices used by instructors. You can use the same ASM and the same Endpoint Management server for both shared and non-shared devices.
Endpoint Management supports these deployment scenarios:
A group of Shared iPads per class
In this scenario, you assign the Shared iPads to a class of students. The iPads stay in the classroom. Instructors who teach different subjects in that class use the same set of iPads.
A group of Shared iPads per instructor
In this scenario, you assign the Shared iPads to an instructor, who uses those iPads for the various classes that they teach.
Organize Shared iPads into device groups
ASM lets you organize devices into groups by creating multiple MDM servers. When you assign the Shared iPads to an MDM server, create a device group for each group of Shared iPads, per class or per instructor:
- Group 1 of Shared iPads > Device Group 1 MDM Server
- Group 2 of Shared iPads > Device Group 2 MDM Server
- Group N of Shared iPads > Device Group N MDM Server
Add ASM accounts for each device group
When you create multiple ASM accounts from the Endpoint Management server console, you automatically import groups of Shared iPads (one for each class or instructor):
- Device Group 1 MDM Server > Device Group 1 account
- Device Group 2 MDM Server > Device Group 2 account
- Device Group N MDM Server > Device Group N account
Requirements specific to Shared iPads are as follows:
- One ASM account for each device group with these settings enabled:
- Require device enrollment
- Supervised mode
- Shared mode
- For a given educational organization, be sure to use the same Education suffix for all ASM accounts.
Apps for Shared iPads
Shared iPads support assignment of device-based volume purchase apps. Before deploying an app on a Shared iPad, Endpoint Management sends a request to the Apple volume purchase server to assign volume purchase licenses to devices. To check the volume purchase assignments, go to Configure > Apps > iPad and expand Volume Purchase.
Media for Shared iPads
Shared iPads support assignment of user-based volume purchase iBooks. Before deploying iBooks on a Shared iPad, Endpoint Management sends a request to the Apple volume purchase server to assign volume purchase licenses to students. To check the volume purchase assignments, go to Configure > Media > iPad and expand Volume Purchase.
Deployment rules for Shared iPads
For Shared iPad deployment, the rules at the delivery group level don’t apply because they relate to user properties. To filter the policies, apps, and media for each group of devices: Add a deployment rule for the resources based on the account name. For example:
- For the Device Group 1 account, set this deployment rule:
Apple Deployment Program account name Only Device Group 1 account
- For the Device Group 2 account, set this deployment rule:
Apple Deployment Program account name Only Device Group 2 account
- For the Device Group N account, set this deployment rule:
Apple Deployment Program account name Only Device Group N account
To deploy the Apple Classroom app only to instructors (using unshared iPads), filter the resources by ASM shared status with these deployment rules:
Deploy this resource regarding ASM shared mode only unshared
Deploy this resource regarding ASM shared mode except shareable
Delivery groups for Shared iPads
For the device group for each instructor:
- Configure one delivery group. For the instructor, assign all the classes that the Education Configuration policy defines.
- That delivery group must include these MDM resources:
- Device policies:
- Education Configuration
- Lock Screen Message
- Apps Notifications
- Home Screen Layout
- Maximum Resident Users
- Passcode Lock Grace Period
- Required volume purchase apps
- Required volume purchase iBooks
- Device policies:
Security actions for Shared iPads
In addition to existing security actions, you can use these security actions for Shared iPads:
- Get Resident Users: Lists the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
- Logout Resident User: Forces a log out of the current user.
- Delete Resident User: Deletes the current session for a specific user. The user can sign in again.
After you click Delete Resident User, you can specify the user name.
Results of security actions appear on the Manage > Devices > General and Manage > Devices > Delivery Groups pages.
Get information about Shared iPads
Find information specific to Shared iPads on the Manage > Devices page:
- Look up:
- Whether a device is shared (ASM shared)
- Who is logged in to the shared device (ASM logged-in user)
- All users assigned to the shared device (ASM resident users)
- Filter the device list by its ASM Device Status:
- View details about the user logged in to a Shared iPad, on the Manage > Devices > Logged-in User Properties page.
- See the channel used to deploy resources to instructors and users in a delivery group on the Manage > Devices > Delivery Groups page. The Channel/User column shows the type (System or User) and the recipient (instructor or student).
- Get information about resident users:
- Has data to sync: Whether the user has data to be synchronized to the cloud.
- Data quotas: The data quota set for the user in bytes. A quota might not appear if user quotas are temporarily off or aren’t enforced for the user.
- Data used: The amount of data used by the user in bytes. A value might not appear if an error occurs as the system gathers the information.
- Is logged in: Whether the user is logged on to the device.
- View the push status for both channels.