Microsoft Intune is a very flexible endpoint management solution that offers organizations easy and secure management for devices and applications. One of the recent features released is the ability to enroll iOS/iPadOS in Entra Shared Mode, allowing multiple users to share a single device securely without any manual action to log out from all applications before handing the device over to next user.
This approach is ideal for environments such as retail, healthcare, and education where shared device scenarios is needed.
Table of Contents
What is Entra ID Shared Mode?
Entra Shared Mode is a very special and genuine Microsoft Entra ID Feature that Intune deploy on the top of Management Profile. Entra Shared Mode is built on SSO (Single sign on and sign out).
When Front-line need to handover device to next employee, he just need to sign-out from one Application and sign-out message will be broadcasted among all Application compatible with it. Same Feature will allow next user need to sign-in once in only one Application and credentials will be shared silently among all Compatible Applications.
Apple Entra ID Shared Mode Requirements
To enroll iOS or iPadOS device using Entra Shared mode, you need the following requirements:
- Apple Business Manager or Apple School Manager: to sync Corporate Devices from Apple and assign them to “Microsoft Entra shared mode”
- VPP Token (Volume Purchase Program): to assign VPP Applications to enrolled Apple devices.
- SSO Configuration Profile: to enable “Entra shared mode” on enrolled Apple Devices.
Entra ID Shared Mode Applications
Microsoft shared an article explaining all necessary steps to help you integrating your (In-House) Application with SSO. Article Lists also all Microsoft Applications that currently support SSO Feature:
- Microsoft Teams
- Microsoft Viva Engage
- Outlook
- Microsoft Power Apps
- Microsoft 365
- Microsoft Power BI Mobile
- Microsoft Edge
How to enroll iPad through Entra ID Shared Mode
Below steps will cover with snapshots the Administrative Actions to enable iOS/iPad Entra Shared Mode in Intune
Entra ID Shared Mode Enrollment Profile
1- Open Intune Portal > Devices > iOS/iPadOS > Enrollment > Enrollment Program Token and then select your ABM or ASM Token.
2- Select Profiles and Click on (+ create profile) to create new iOS/iPadOS Profile.
- User Affinity: MUST be Microsoft Entra Shared Mode
- Locked Enrollment: is recommended to prevent users from removing the Management Profile.
- Await Final Configuration: is recommended as well to push all policies and configurations during iPad Setup Assistant
3- It’s very Important to Apple Device Name Template so you can identify easily Corporate Enrolled Entra Shared Mode Devices
Assign Profile to iPad Device
After adding all purchased iPad Devices to Apple Business Manager, ensure they’re all synchronized through ABM Token to Intune.
And then you can bulk select devices and assign them Entra Shared Profile all at once.
Shared Mode Configuration Profile
And now as the device is ready for enrollment, only left task is to create ENtra ID Shared Profile and assign it to device group.
Profile is Responsible of activating the Shared ID Mode and enable SSO to silently sign-in users and sign-out them once device is handed over to next user.
- Access Intune Portal > Devices > iOS/iPad > Configurations > Create New Profile and select Device Feature.
- Select Single sign-on app extension and configure it as below snapshot
SSO App type: Microsoft Entra ID
Shared Device Mode: Enabled
Additional Configuration:- Key: device_registration
- Type: String
- Value: {{DEVICEREGISTRATION}}
User Experience during Enrollment
As any normal user-less enrollment, Device will try to check with Apple Servers if it’s included in any Apple Business/School Manager
Then it’ll try to wait for manual-consent to enroll iPad
All Configuration Profiles will be sent to device during setup assistant with (Await Final Configuration – Enabled)
VPP Applications will be installed afterwards.
Azure Shared Mode Registration
It’s very important to activate Entra ID Shared Mode on the device by opening Microsoft Authenticator Application.
It’ll load a bit then will successfully register the device through Entra ID Shared Mode and show Entra Device ID
Now, device is ready to be used.
Application Usage
Now, any user will use the device, he only need to sign-in once for any Application compatible with SSO (As mentioned above). When the user opens next App he’ll never need to add credentials again.
Accordingly, Sign-out from any Application will sign-out user from all Apps.
Best Practice
- Use Dynamic Group to assign Applications and Configuration Profiles (as per Microsoft Recommendations)
- Company Portal App is not supported so, Apps assigned to device should be VPP Apps Device-License.
- Unlike Shared-iPad, Entra Shared Mode is supporting Application Protection and Conditional Access Policies.
Conclusion
In conclusion, enrolling Apple devices in Microsoft Intune with Microsoft Entra ID shared mode presents a significant advancement in device management for engineers. The integration of single sign-in and single sign-out capabilities simplifies the user experience, allowing users to authenticate seamlessly across applications with minimal effort. This streamlined process not only enhances productivity but also facilitates the efficient handover of devices between users, ensuring that transitions are smooth and secure. By leveraging these powerful tools, organizations can optimize their device management strategies and improve user satisfaction.
need to have a look for all IntuneBytes Enrollment articles, this is the repository for all Platforms Enrollment Articles posted.
Leave a Reply