Forum Discussion
Assistance Needed with iPad Login Configuration
1. Verify the enrollment profile configuration:
Double-check that the enrollment profile is set to "Enroll with Microsoft Entra shared mode" and not "Enroll without user affinity."
Ensure that the enrollment profile is properly assigned to the iPad in Apple School Manager.
2. Check for device sync:
Verify that the iPad is synced with Apple School Manager.
If the iPad is not synced, initiate a manual sync.
3. Validate device eligibility:
Confirm that the iPad meets the minimum requirements for Microsoft Entra shared mode: iPadOS 13.4 or later with at least 32 GB of storage.
Check if the iPad is enrolled in Intune and has the Microsoft Enterprise SSO plug-in installed.
4. Examine Azure Active Directory (Azure AD) settings:
Ensure that the iPad is properly enrolled in Azure AD.
Verify that the user's Azure AD account is associated with the Managed Apple ID created on the iPad.
5. Check for MDM policies:
Inspect any MDM policies applied to the iPad that might be interfering with the login process.
Verify that there are no conflicting policies or settings that could be preventing the iPad from prompting for login credentials.
6. Reset the iPad and re-enroll:
If the issue persists, consider performing a factory reset on the iPad and re-enrolling it with the correct enrollment profile.
If the issue remains unresolved after following these steps, it is recommended to contact Microsoft support for further assistance. They can provide more in-depth troubleshooting and identify any potential underlying issues.
2. Device is synced, receives the enrollment profile, goes through initial setup without issue.
3. Authenticator is pushed, receives the SSO configuration. Shows that it is enrolled as a shared iPad.
4. Device registers with Azure AD.
5. There is no login option at lock screen.
- Ian_Hearnes, Feb 26, 2024, Copper Contributor
Thanks for your observations BaronLeBoost. This is the same as what I'm experiencing. Ta, Ian Hearnes
- BaronLeBoost, Feb 26, 2024, Copper Contributor
After hours of troubleshooting, I figured out quite a bit on this topic.
Shared iPad is very different from Shared Device Mode; the documentation is all spread out, making this unclear.
For Shared iPads, NOT Shared Device Mode, here are the steps you must follow:
- 1. Ensure the connection between Apple Business Manager and Intune or whatever MDM is working properly: the public key and token are up-to-date and refreshed.
- 2. Set up a federation between ABM and Azure.
- 3. Configure iPadOS enrollment token:
  - Enroll without User Affinity
  - Supervised: Yes
  - Locked enrollment: Yes
  - Shared iPad: Yes
  - Cached users: depends on size of iPad
  - Timeout: X
- 4. Once this portion is complete, any iPad that is auto-enrolled with the above profile should reboot and have a login screen.
- 5. To ensure that the Managed ID logins work, you will need the SSO configuration:
  - Configuration profile
  - Device Features
  - Single sign-on app extension
  - Microsoft Entra ID

| Key | Type | Value |
| --- | --- | --- |
| device_registration | String | {{DEVICEREGISTRATION}} |
| AppPrefixAllowList | String | com.microsoft.,com.apple. |
| browser_sso_interaction_enabled | Integer | 1 |
| disable_explicit_app_prompt | Integer | 1 |
| Enable_SSO_On_All_ManagedApps | Integer | 1 |

https://learn.microsoft.com/en-us/mem/solutions/frontline-worker/frontline-worker-overview-ios-ipados?tabs=sharedipad#step-1---enroll-enable-shared-ipad-and-choose-a-temporary-session-type
https://support.apple.com/guide/deployment/shared-ipad-overview-dep9a34c2ba2/1/web/1.0
https://www.petervanderwoude.nl/post/federated-authentication-for-managed-apple-ids/
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-shared-ipad
https://www.petervanderwoude.nl/post/getting-started-with-shared-ipad-devices/
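
Added example (not part of the original posts, and not Microsoft's or Apple's code): a Python check of an SSO app extension profile against the key/type/value list in the post above, catching an Integer entered as a String or a key spelled with different letter case. It assumes the profile is the authored plist (before Intune substitutes `{{DEVICEREGISTRATION}}`) with the keys under `ExtensionData` in a `com.apple.extensiblesso` payload; `audit_sso_profile`, `EXPECTED` and `SAMPLE` are hypothetical names, and the sample profile is constructed.

```python
import plistlib

# Keys, types and values exactly as listed in the post above.
EXPECTED = {
    "device_registration": (str, "{{DEVICEREGISTRATION}}"),
    "AppPrefixAllowList": (str, "com.microsoft.,com.apple."),
    "browser_sso_interaction_enabled": (int, 1),
    "disable_explicit_app_prompt": (int, 1),
    "Enable_SSO_On_All_ManagedApps": (int, 1),
}

def audit_sso_profile(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the profile matches EXPECTED."""
    profile = plistlib.loads(raw)
    # Assumption: the SSO extension settings live in a com.apple.extensiblesso payload.
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload found"]
    data = payloads[0].get("ExtensionData", {})
    by_lower = {k.lower(): k for k in data}  # used to report near-miss key names
    findings = []
    for key, (typ, want) in EXPECTED.items():
        if key not in data:
            near = by_lower.get(key.lower())
            hint = f" (found '{near}', check case)" if near else ""
            findings.append(f"{key}: missing{hint}")
        elif type(data[key]) is not typ:  # strict: a plist <true/> is not an Integer
            findings.append(f"{key}: expected {typ.__name__}, got {type(data[key]).__name__}")
        elif data[key] != want:
            findings.append(f"{key}: expected {want!r}, got {data[key]!r}")
    return findings

# Constructed sample with two deliberate mistakes: a String "1" and a lower-cased key.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionData": {
        "device_registration": "{{DEVICEREGISTRATION}}",
        "AppPrefixAllowList": "com.microsoft.,com.apple.",
        "browser_sso_interaction_enabled": 1,
        "disable_explicit_app_prompt": "1",
        "enable_sso_on_all_managedapps": 1,
    }}]})

if __name__ == "__main__":
    for finding in audit_sso_profile(SAMPLE):
        print(finding)
```
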
- JimDango, Apr 17, 2024, Copper Contributor
BaronLeBoost You are a gentleman and a scholar for taking the time to be so thorough! Saved me a lot of time! I just wanted to add this link to round out your list of support articles.
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune?tabs=prereq-intune%2Ccreate-profile-intune
Good article on policy refresh times: https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#policy-refresh-intervals
For an article on the source of the keys "Enable_SSO_On_All_ManagedApps" and "device_registration", see: https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#more-configuration-options
Again, excellent work on documenting your setup!