Not long ago, we shared two in-depth articles exploring everything you need to know about Entra Shared Mode for Apple devices and Managing Apple Shared iPad in Intune. In this IntuneBytes article, we delve deeper into the distinctions between these two solutions, offering valuable insights to help you make an informed decision and select the ideal option to meet your organization’s unique needs.
Table of Contents
Shared* Concept!!
For Entra-Shared Mode Devices, “Sharing” Concept is App-Based which means that the whole OS Storage is available for all logged users and not distributed between them. And users are logging to the App with their own credentials to get access (based on his role, license..etc.)
However for Apple Shared-iPad (which is Apple Feature that Intune enforce on iPads) the “Sharing” Concept is OS-Based which means that when every user start to Login to the device, there will be a Dedicated Storage Space for his Apps, Personalization and all of his Data.
In contrast to Shared iPad, Entra Shared Mode simplifies app distribution across multiple users, making it an efficient choice for IT departments.
and this justify the next point.
Hardware
Requirements
Apple Shared-iPad requires minimum storage 32 GB and Specific Device Models.
- All iPad Pro models
- iPad (5th generation) or later
- iPad Air 2 or later
- iPad mini (4th generation) or later
However Entra Shared Mode doesn’t requires any Hardware requirements.
Applicability
Shared iPad is an Apple Solution for iPad Devices only, however Entra Shared Mode is available for iPhones and iPads as well.
How to access the device?!
Unlock the device
As explained above Shared iPad shared based on OS itself, that’s why user need a Managed Apple ID to access the device. However for Entra Shared Mode Devices you don’t need Managed Apple ID to access the device.
Managed Apple ID
For Shared-iPad either you enable federation for Managed Apple ID to automatically created with every account created in your on-premise environment. Or manually create Managed Apple ID for every user.
Guest Mode (Temporary Login)
For users who need access to Shared-iPad but doesn’t have Managed Apple ID (i.e. HealthCare Organizations) , Admin can permit access to iPad as Guest Account but this need to be planned ahead (because option is allowed via DEP Enrollment Profile and any change in Enrollment Profile will not be effective unless device is wiped and enrolled again to get all new Profile Configurations).
Reference: Microsoft Automated Device Enrollment Profile Article
However for Entra Shared Mode Devices, User Must have license to access Applications installed (M365 Apps)
Shared Profiles in Intune Portal
This Section is only applicable on Shared iPad
Monitor Logged in Users
Shared iPad have the option to share all logged-in profiles with MDM Solution. So, from Intune you can click on Devices, iOS/iPad and select the Shared iPad then click on left-side on Users to see all users logged in to the device.
In Entra Shared Mode feature is not applicable and not needed because users are logging to Apps only.
Low Storage Problem!
Sometimes Shared iPad may run out of space if logged in users are increasing or users are extensively utilizing the free-space by downloading Files/Apps.
You can delete some Profiles from iPad by following steps shared from Microsoft:
- Navigate to Intune Portal > Devices > iOS/iPad and select Shared iPad
- Click on Users of left-side then select biggest user per-storage used and delete
Plan it ahead !!
If you’re running on low budget and all iPad Devices in your Organizations are 32GB Storage or device is used by many many users. you need to plan it ahead to avoid alot of future manual clean-up.
1- In DEP Enrollment Profile you can control number of cached users to be low number. With this every new users (exceeding this number) will enforce first logged in user to log out and free more space.
Entra Shared Mode allows efficient resource sharing among users while maintaining individual user settings and data privacy.
2- Or disable Guest Login Session Via Device Restriction Policy or Settings Catalog (see below snapshots respectively)
Configuration Profiles
SSO Policy
SSO Profile is Mandatory for Entra Shared Mode but not in Shared iPad. How to configure it > check previous article.
SSO Profile is applicable in Shared iPad.
Other Profiles
For Shared iPad Home Layout, Most or restriction profiles are all applicable in User & Device Assignment but VPN, Certificates and WIFI are only Applicable for Device Assignment to be utilized (device wide) not user based. Check Microsoft article
For Entra Shared Mode, user-based profiles are Not Applicable.
Organizations leveraging Entra Shared Mode can enjoy a consistent experience, as all applications are uniformly accessible across devices.
Applications
Applicable Apps
Apps available for Shared iPad and Entra Shared Mode are VPP Device based license or LOB Apps only. And MUST be assigned as Required to Device Group only.
But for Entra Shared Mode and because it’s built on SSO Feature, Apps Targeted (MSFT Apps or LOB Apps) MUST be Applicable with SSO to ensure that all User Sensitive-Data are removed with sign-out and user have smooth experience with single sign-in.
Company Portal
Company Portal App is not applicable in Entra Shared Mode and Shared iPad.
Downloading Apps every time!!
Every time new-user accessing the Shared iPad, Apps will be downloaded again in user’s profile. However for Entra Shared Devices Applications are downloaded only once and they are available for all users.
Application Management
Entra Shared Mode is particularly beneficial for organizations that utilize both iPads and iPhones, streamlining user experiences across devices.
Application Protection
Application Protection and Configuration (Managed Apps Application Configuration Profiles) are all applicable with Entra Shared Mode ONLY and NOT Shared iPad.
Note: Because Entra Shared Mode is based on App-Level, It’s more convenient to Prevent Local Saving for any Sensitive Files via Application Protection Policy.
Application Configuration
Managed Device Application Configuration Profile is applicable for both Entra Shared Mode devices and Shared iPads.
Devices operating under Entra Shared Mode ensure that sensitive information is securely handled, aligning with organizational compliance policies.
With Entra Shared Mode, users can quickly switch between applications without losing their context, which enhances productivity.
Implementing Entra Shared Mode can lead to cost savings by reducing the need for dedicated devices per user.
Conditional Access Policies
Conditional Access Policies are compatible with Entra Shared Mode Devices only.
Device Usability
Due to nature of Entra Shared Mode devices, Device can be handed over among users from the same Department that commonly use the same Applications.
While Shared iPad can be used among different departments where every user will have his own Apple ID and receive personalization through applicable user-policy Apps.
Conclusion
In summary, both Apple iPads enrolled in Shared iPad mode and Apple devices enrolled in Entra Shared Mode within Microsoft Intune provide robust shared-use experiences tailored for different organizational needs. However, they differ significantly in their implementation, capabilities, and use cases. Entra Shared Mode is particularly effective for organizations looking for a cohesive and efficient multi-user environment.
In summary, both Apple iPads enrolled in Shared iPad mode and Apple devices enrolled in Entra Shared Mode within Microsoft Intune provide robust shared-use experiences tailored for different organizational needs. However, they differ significantly in their implementation, capabilities, and use cases.
Shared iPad Mode focuses on leveraging Apple’s native multi-user framework, offering a rich, device-centric experience. It is ideal for organizations fully integrated with Apple’s ecosystem, as it supports multiple user profiles, personalized settings, and data segregation using Managed Apple IDs. This mode enhances user experience with features like offline support and seamless handoff between sessions but requires the use of Apple School Manager (ASM) or Apple Business Manager (ABM).
Entra Shared Mode, on the other hand, is more versatile and works across various Apple devices. It caters to organizations invested in Microsoft ecosystems, enabling multi-user access with Azure AD accounts. This mode is simpler to configure and does not depend on Apple-specific services, making it suitable for hybrid environments. While it lacks native offline functionality and certain Apple-specific features, it provides a unified Microsoft-powered identity and app management experience.
Choosing between these two enrollment modes depends on organizational priorities. If seamless Apple-native features and a personalized user experience are paramount, Shared iPad is the preferred option. However, for enterprises prioritizing integration with Microsoft’s identity management and app ecosystem, Entra Shared Mode offers the flexibility and scalability to meet diverse needs.
By understanding these distinctions, IT administrators can make informed decisions to implement the most suitable shared device solution for their organization’s ecosystem and user requirements.
Leave a Reply