Getting started with Shared Device Mode for iOS devices

This week is all about Shared Device Mode for iOS (and iPadOS) devices. Shared Device Mode is based on Azure AD and is the Microsoft solution for shared iOS devices. Those shared iOS devices are company-owned multi-user devices. Shared Device Mode is provided for iOS (and iPadOS) 13 and later devices and enables multiple users to use the same Apple device and to sign in and out of apps by using an Azure AD account. When those apps support Shared Device Mode, those apps provide the global sign in and global sign out functionality. That enables a user to sign in to an app, at the start of a shift, and automatically be globally signed in to all apps that support Shared Device Mode. That’s also applicable to the the sign out of an app at the end of a shift. The user will automatically be globally signed out of all apps that support Shared Device Mode, which enables multiple users to easily and securely share an iOS device. This post will go through the different configurations that are required for setting up Shared Device Mode.

Important: At the moment of writing, Shared Device Mode is still an Azure AD preview feature. That means that the feature is provided without a service level agreement. Also, the usage of the feature is not recommended for production environments. 

Recommendation: Unless an organization needs cellphone capabilities, or needs to use iOS devices, Shared iPad is the recommended shared device solution for Microsoft 365 on iPadOS devices.

Note: A big thank you to Tobias Almen for confirming the current behavior of Shared Device Mode.

Creating an enrollment profile for iOS devices with Shared Device Mode

The configuration of Shared Device Mode already starts at the enrollment of an iOS device, as the device should be configured as a company-owned device without user affinity. That can be achieved by using an enrollment profile for iOS devices that are available via Apple Business Manager (ABM). The following six steps walk through the creation of that enrollment profile. After the creation of that enrollment profile, it can be assigned like any other enrollment profile.

1. Open the Microsoft Endpoint Manager admin center portal and navigate Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > {YourEnrollmentToken} > Profiles
2. On the {YourEnrollmentToken} | Profiles page, click Create profile > iOS/iPadOS to open the Create profile wizard
3. On the Basics page, provide the following information and click Next

• Name: Provide a name for the profile to distinguish it from other similar profiles
• Description: (Optional) Provide a description for the profile to further differentiate profiles
• Platform: iOS/iPadOS is preconfigured based on the initial start of the wizard

1. On the Management Settings page, provide at least the following information and click Next

• User affinity: Select Enroll without User Affinity as value, as a shared device can’t have user affinity
• Supervised: Select Yes as value, as a shared device must be supervised
• Locked enrollment: Select Yes as value, to make sure that the enrollment is locked on the device
• Sync with computers: Select Allow All as value, to allow the shared device to sync with computers
• Apply device name template (supervised devices only): Select Yes as value to easily identify shared devices
• Device Name Template: Specify a device name template to easily identify shared devices

1. On the Setup Assistant page, provide at least the following information and click Next

• Department: Specify the department name that should be displayed in the Setup Assistant
• Department Phone: Specify the department phone number that should be displayed in the Setup Assistant
• Setup Assistant Screens: Click Toggle All to hide all the screens in the Setup Assistant

1. On the Review + create page, verify the configuration and click Create

Creating a filter for iOS devices with Shared Device Mode

The targeting of policies, profiles and apps for iOS devices with Shared Device Mode, can be simplified by using a filter. That filter can be used to filter all the devices that are enrolled by using the earlier created enrollment profile. The following six steps walk through the creation of that filter.

Important: At the moment of writing not all required configurations support filters. Those configurations might still require a dynamic Azure AD device group and that device group can be configured with the same membership rule.

1. Open the Microsoft Endpoint Manager admin center portal and navigate Devices > Filters (alternative roads to the same configuration are Apps > Filters or Tenant admin > Filters)
2. On the Devices | Overview page, click Create to open the Create Filter wizard
3. On the Basics page, provide the following information and click Next

• Filter name: Specify a unique name to distinguish the filter from other filters
• Description: (Optional) Specify a description to further explain the usage of the filter
• Platform: Select iOS/iPadOS as value

1. On the Rules page, as shown below in Figure 1, create the following configuration and click Next

• Expression 1 – This expressions is used to filter devices based on the enrollment profile that is used
  • And/Or: Not applicable
  • Property: Select enrollmentProfileName as value to filter devices based on the enrollment profile that is used
  • Operator: Select Equals as value to filter devices based on a specifically matched value
  • Value: Specify the name of the just created enrollment profile as value to filter on that enrollment profile

• Figure 1: Filter for iOS devices enrolled with the shared device mode profile

Note: When creating this filter, or a dynamic Azure AD device group, a rule syntax like this (device.enrollmentProfileName -eq “{enrollmentProfileName}”) can be used.

1. On the Scope tags page, configure the required scope tags and click Next
2. On the Review + create page, verify the configuration and click Create

Configuring the Microsoft Enterprise SSO plug-in for iOS devices with Shared Device Mode

The single sign-on experience, for the supported apps, is provided via the Microsoft Enterprise SSO plug-in for Apple devices. That plug-in relies on the Microsoft Authenticator app and requires the Microsoft Authenticator app to be installed to provide that single sign-on experience. The following eight steps walk through the configuration of the Microsoft Enterprise SSO plug-in and the assignment of that configuration to the filtered devices.

Important: As the device is a company-owned device without user affinity, make sure to deploy the Microsoft Authenticator app by using the Apple Volume Purchases Program (Apple VPP) and to use a device license type.

1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices > Configuration profiles
2. On the Devices | Configuration profiles blade, select Create profile
3. On the Create a profile page, provide the following information and click Create

• Platform: Select iOS/iPadOS as value
• Profile: Select Device features as value

1. On the Basics page, provide the following information and click Next

• Name: Specify a unique name to distinguish the device features profile from other device features profiles
• Description: (Optional) Specify a description to further explain the usage of the device features profile

1. On the Configuration settings page, as shown below in Figure 2, configure at least the Single sign-on app extension section by providing the following information and click Next

• SSO app extension type: Select Microsoft Azure AD as value to configure the extension type for Azure AD
• Enable shared device mode: Select Yes as value to change how the device works with apps

• Figure 2: Device feature configuration of single sign-on app extension

1. On the Scope tags page, configure the required scope tags click Next
2. On the Assignments page, configure the assignment to all devices with an include for the earlier created filter and click Next
3. On the Review + create page, verify the configuration and click Create

Note: The include of the earlier created filter makes sure that the assignment is only applicable on the filtered devices.

Configuring the Microsoft Authenticator app for iOS devices with Shared Device Mode

The configuration of Shared Device Mode also requires a specific app configuration for the Microsoft Authenticator app. That app configuration will makes sure that the Microsoft Authenticator app will run in a specific Shared Device Mode. The following seven steps will walk through the configuration of the Microsoft Authenticator app for the Shared Device Mode.

Important: As the device is a company-owned device without user affinity, make sure to deploy the Microsoft Authenticator app by using the Apple Volume Purchases Program (Apple VPP) and use a device license type.

1. Open the Microsoft Endpoint Manager admin center portal navigate to Apps > App configuration profiles
2. On the Apps | App configuration policies blade, click Add > Managed devices to open the Create app configuration policy wizard
3. On the Basics page, provide the following information and click Next

• Name: Specify a unique name to distinguish the app configuration policy from other app configuration policies
• Description: (Optional) Specify a description to further explain the usage of the app configuration policy
• Device enrollment type: (Grayed out) Managed devices
• Platform: Select iOS/iPadOS as value
• Targeted app: Select Microsoft Authenticator as value

1. On the Settings page, as shown below in Figure 3, provide at least the following configuration and click Next

• Configuration settings format: Select Use configuration designer as value
  • Click Add to add the sharedDeviceMode configuration key and set the configuration value for the boolean to true

• Figure 3: App configuration of the Microsoft Authenticator app

1. On the Scope tags page, configure the applicable scope tags and click Next
2. On the Assignments page, configure the assignment by selecting the applicable group and click Next
3. On the Review + create page, review the configuration and click Create

Important: At the moment of writing an app configuration policy is one of the configurations without support for filters.

Getting an iOS device up-and-running in Shared Device Mode

With creating and configuring the different components for Shared Device Mode for iOS devices, the most important work is done and the device enrollment will be automatically. The IT administrator will turn on the device and walk through the Setup Assistant. After completing the Setup Assistant the device will automatically enroll in Microsoft Intune and the Microsoft Authenticator app will be installed. Once the Microsoft Authenticator app is installed, the IT administrator must set up Shared Device Mode. That can be achieved by providing an organization email and clicking Register device as Shared Device, as shown below in Figure 4.

Important: The IT administrator that is setting up Shared Device Mode, must have the Cloud Device Administrator role.

Note: According to the docs, the manually action in the Microsoft Authenticator app is only required during the preview.

After that the iOS device is up-and-running in Shared Device Mode, as shown below in Figure 5. To further test the behavior, Microsoft provides an example frontline worker app. That app is available here. Besides that app, there are, at the moment of writing, no apps available for iOS that support Shared Device Mode.

More information

For more information about Shared Device Mode and Microsoft Intune, refer to the following docs.