Apple Shared Device Mode and Guest Temporary Sessions
Devices owned by organizations in either Apple Business Manager or Apple School Manager can now enable a powerful iPadOS feature designed by Apple called Shared iPad (or Shared Device) mode. In this mode, iPadOS is deployed by Cisco Meraki Systems Manager in a way where multiple users can share a single device and have their own personal experience separate from other local users. Administrators can enable storage to be completely removed at every session with temporary guests session. iPadOS separates its local storage so local users use completely separate storage from other local users to keep content secure from user to user. And with optional Managed Apple IDs session, end user’s content can be securely backed up and restored from iCloud at every Shared Device session.
There are two main types of configurations for Shared iPad: Temporary Guest Sessions and Managed Apple ID Sessions.
Note: In Temporary Guest Sessions: the local data is destroyed when the user logs out.
In Managed Apple ID Sessions: the locally stored content is saved to iCloud when the user logs out.
Some older iPad models and device storage sizes do not support this feature. Please check with Apple if your device and storage size is currently supported for Shared iPad mode.
Shared iPad with Temporary Guest Sessions
The Shared iPad with Temporary Guest Sessions is a great way to have users quickly use a device and then sign out so all the local data is cleared at the end of the session. From Systems Manager we can enable this special mode on iPadOS, set it to Temporary Sessions Only, and enable the auto logout time for the guest users. To do this, setup a DEP profile containing the following for a simple Shared iPad in Temporary Guest mode. These settings are applied in the Systems Manager > DEP page and applied during the device's initial setup. For more information about configuring DEP settings, see here.
The important fields for this configuration are:
Shared iPad: yes
Await Configuration: yes
Temporary Sessions Only: yes
Temporary Sessions Timeout: *optional, set timeout value in seconds so users are auto logged out*
During the iPadOS Setup Assistant, the device will now enable Apple's native Shared iPad feature.
In this mode, "Guest" is shown in the top left corner as well as a clear message that "Your data will not be saved after signing out". Also, the organization's management name will appear on the lock screen to the user. These items provide the user with the confidence and clarity in what to expect for this mode. Simply tap the home button or swipe up and the user is logged into the temporary guest session. In this mode, a new temporary container is built on the device locally which will be destroyed when the user logs out (or the optional session time expires).
The full layout of the device can be configured via Systems Manager's Homescreen Layout profile, as well as all the device's apps, restrictions, wallpaper, Wi-Fi, and other configurations that Systems Manager can apply on iPadOS. So when the user logs in, the device will be configured exactly as needed.
When the user locks the screen, they will see a "Sign out" button in the bottom right. Tapping this will log out the guest user and destroy their local content (so the next user is ready to use a clean iPad guest login).
All local content of the guest's container is destroy at each sign out. This gives every guest a clean iPad state to use.
Shared iPad with Managed Apple ID Sessions
The Shared iPad with Managed Apple ID Sessions is a great way to have multiple users access device share a device while securely keeping their data backed up to iCloud. The user's Managed Apple IDs are created on either business.apple.com or school.apple.com. Users will be given a native iPadOS login window on the iPad, so they can login with their own Managed Apple ID. Users from one login session will not be able to see any content/data from the another user's login-- each login is a completely separate container on the iPad's local storage. From Systems Manager, we can enable this special mode on iPadOS. To do this, setup a DEP profile containing the following (below) for a simple Shared iPad in Managed Apple ID mode. These settings are applied in the Systems Manager > DEP page and applied during the device's initial setup. For more information about configuring DEP settings, see here.
The important fields are:
Shared iPad: yes
Await Configuration: yes
Resident Users: *optional number of local users expected, so device can allocate its local storage cache most efficiently*
User Session Timeout: *optional, set timeout value in seconds so users are auto logged out*
During the iPadOS Setup Assistant, the device will now enable Apple's native Shared iPad feature.
To login to the iPad, users must sign in with their Managed Apple ID. Managed Apple IDs are created in the business.apple.com or school.apple.com portal.
*Optional step for Schools and Educational Organizations
Admins of schools can use school.apple.com to configure classes and sync them into Systems Manager as an Education profile. This allows the lock screen in Shared iPad mode to show a conveniently lock screen with the classes/accounts, so users can quickly find their class and sign in to their Managed Apple ID. This also allows Teachers to use the Apple Classroom app to control their classes' devices, view their screen during class time, and enable special classroom features. For more information about these School integrations, please see how to configure Shared iPad and One-to-One iPads for Apple Classroom.
Optionally disable the guest's sign in option with a Systems Manager restriction "Allow shared device temporary session".
When the user signs in, their previious iCloud data will be restored (from their Managed Apple ID account). The user's name will be shown in the top left corner of the iPad while they are logged in. And of course, the full layout of the device can be configured via Systems Manager's Homescreen Layout profile, as well as all the device's apps, restrictions, wallpaper, wifi, and other configurations that Systems Manager can apply on iPadOS. So when the user logs in, the device will be configured exactly as needed. These configurations can be applied on a per-user basis via user tags, to give different devices configurations based on who is the current account signed into the device.
Any supported data is saved to the user's Manged Apple ID iCloud account. This allows users to sign in to another Shared iPad device later, and iCloud data is restored, to give parity of data between multiple Shared iPad log ins.
To sign out, simply lock the device and press "sign out" in the bottom right (or if a User Session Timeout time was configured, the device is auto logged out after a certain amount of time.