Forum Discussion
Assistance Needed with iPad Login Configuration
2. Device is synced, receives the enrollment profile, goes through initial setup without issue.
3. Authenticator is pushed, receives the SSO configuration. Shows that it is enrolled as a shared iPad.
4. Device registers with Azure AD.
5. There is no login option at lock screen.
Thanks for your observations BaronLeBoost. This is the same as what I'm experiencing. Ta, Ian Hearnes
- BaronLeBoost, Feb 26, 2024, Copper Contributor
After hours of troubleshooting, I figured out quite a bit on this topic;
Shared iPad is very different from Shared Device Mode, the documentation is all spread out, making this unclear.
For Shared iPads, NOT Shared Device Mode, here are the steps you must follow;
- 1. Ensure the connection between Apple Business Manager and Intune or whatever MDM is working properly: the public key and token are up-to-date and refreshed.
- 2. Set up a federation between ABM and Azure.
- 3. Configure iPadOS enrollment token;
- Enroll without User Affinity
- Supervised: Yes
- Locked enrollment: Yes
- Shared iPad: Yes
- Cached users: depends on size of iPad
- Timeout: X
- 4. Once this portion is complete, any iPad that is auto enrolled with the above profile should reboot and have a login screen.
- 5. To ensure that the Managed ID logins work, you will need the SSO configuration:
- Configuration profile
- Device Features
- Single sign-on app extension
- Microsoft Entra ID
| Key | Type | Value |
| --- | --- | --- |
| device_registration | String | {{DEVICEREGISTRATION}} |
| AppPrefixAllowList | String | com.microsoft.,com.apple. |
| browser_sso_interaction_enabled | Integer | 1 |
| disable_explicit_app_prompt | Integer | 1 |
| Enable_SSO_On_All_ManagedApps | Integer | 1 |
https://learn.microsoft.com/en-us/mem/solutions/frontline-worker/frontline-worker-overview-ios-ipados?tabs=sharedipad#step-1---enroll-enable-shared-ipad-and-choose-a-temporary-session-type
https://support.apple.com/guide/deployment/shared-ipad-overview-dep9a34c2ba2/1/web/1.0
https://www.petervanderwoude.nl/post/federated-authentication-for-managed-apple-ids/
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-shared-ipad
https://www.petervanderwoude.nl/post/getting-started-with-shared-ipad-devices/
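An added example, not part of BaronLeBoost's post: a check that an SSO extension profile carries the keys, types and values from the table above. It assumes the profile is available as a `.mobileconfig`-style plist with a `com.apple.extensiblesso` payload; the function name and the sample profile are constructed for illustration.

```python
import plistlib

# Keys, types and values as listed in the post's table.
EXPECTED = {
    "device_registration": (str, "{{DEVICEREGISTRATION}}"),
    "AppPrefixAllowList": (str, "com.microsoft.,com.apple."),
    "browser_sso_interaction_enabled": (int, 1),
    "disable_explicit_app_prompt": (int, 1),
    "Enable_SSO_On_All_ManagedApps": (int, 1),
}

def check_sso_payload(profile_bytes):
    """Return findings for the first com.apple.extensiblesso payload."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload found"]
    data = payloads[0].get("ExtensionData", {})
    findings = []
    for key, (typ, value) in EXPECTED.items():
        if key not in data:
            findings.append(f"{key}: missing")
        elif type(data[key]) is not typ:  # exact type: <true/> is not Integer 1
            findings.append(f"{key}: expected {typ.__name__}, "
                            f"got {type(data[key]).__name__}")
        elif data[key] != value:
            findings.append(f"{key}: expected {value!r}, got {data[key]!r}")
    # Report keys not in the table (catches misspelled or mis-cased names).
    findings += [f"{k}: not in the post's table" for k in data if k not in EXPECTED]
    return findings

# Constructed sample profile with three deliberate mistakes.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionData": {
            "device_registration": "{{DEVICEREGISTRATION}}",
            "AppPrefixAllowList": "com.microsoft.,com.apple.",
            "browser_sso_interaction_enabled": "1",  # String instead of Integer
            "disable_explicit_app_prompt": True,      # Boolean instead of Integer
            # Enable_SSO_On_All_ManagedApps left out
        },
    }],
})

if __name__ == "__main__":
    print("\n".join(check_sso_payload(SAMPLE)))
```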
- JimDango, Apr 17, 2024, Copper Contributor
BaronLeBoost You are a gentleman and a scholar for taking the time to be so thorough! Saved me a lot of time! I just wanted to add this link to round out your list of support articles.
https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-with-intune?tabs=prereq-intune%2Ccreate-profile-intune
Good article on policy refresh times: https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#policy-refresh-intervals
For article on source of keys: "Enable_SSO_On_All_ManagedApps" and "device_registration" - see: https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#more-configuration-options
Again, excellent work on documenting your setup!
- BaronLeBoost, Apr 17, 2024, Copper Contributor
Happy to help!
I’ll see what I can dig up in my notes. These may have been leftover from shared device mode.
- Ian_Hearnes, Mar 08, 2024, Copper Contributor
Thank you for your detailed response BaronLeBoost!
We had understood that Federated authentication for Managed Apple IDs wasn't required for this solution, and that's where we have probably gone wrong.
I will enable and then retry.
Ta, Ian Hearnes
- BaronLeBoost, Mar 08, 2024, Copper Contributor
You don’t necessarily need the federated auth and can do shared accounts with managed Apple IDs. Both ways worked for me.