Редагувати

Поділитися через


Frontline worker for iOS/iPadOS devices in Microsoft Intune

iPad devices are a popular device type for frontline workers (FLW). They're used in different scenarios and industries, including field operations, healthcare, aviation, warehouse, data entry, digital forms, and presentations.

For iPadOS FLW devices, you can use the Shared iPad feature in Intune or use Microsoft Entra shared device mode (SDM). For more information, go to Shared iPad vs Microsoft Entra shared device mode (in this article).

iOS devices can also be used for FLW, but it's not common. For iOS FLW devices, we recommended you use Microsoft Entra shared device mode and Intune together. In Intune, you enroll the device and create a device restrictions configuration profile. In the Intune profile, you can allow (or prohibit) specific apps, and can hide apps.

The following diagram shows the iOS/iPadOS options for frontline worker devices in Intune:

Diagram that shows Apple iOS and iPadOS frontline worker scenario path in Microsoft Intune.

The Shared iPad feature in Intune is designed for frontline workers. Since iPads are a popular Apple device type for frontline workers (FLW), this article focuses on iPad devices.

Use this article to get started with iPad FLW devices in Intune. It includes decisions admins need to make, determining how the device is used, and configuring the home screen & device experience. Specifically:

This article applies to:

  • iPadOS devices owned by the organization and enrolled in Intune

For an overview on FLW devices in Intune, go to FLW device management in Intune.

Note

There are other iOS/iPadOS enrollment options available. This article focuses on the enrollment options commonly used for FLW devices. For more information on all the iOS/iPadOS enrollment options, go to Enrollment guide: Enroll iOS and iPadOS devices in Microsoft Intune.

Shared iPad vs Microsoft Entra shared device mode

For FLW iPad devices, there are two options available - Shared iPad in Intune or Microsoft Entra shared device mode. For iPad devices, admins must pick one option. This decision impacts how you configure the device.

Diagram that shows all the Shared iPad and Entra shared device mode options for iPadOS frontline worker devices in Microsoft Intune.

When using iPad devices for FLW, use the following information to help you decide which option is best for your organization:

Shared iPads are a feature in Intune, and are the recommended and preferred device type for frontline worker devices. These devices are shared among many users, such as in a hospital or school. Each user has their own profile and data, and they can sign in and out of the device.

✅ If the device is an iPad, then use the Shared iPad feature in Intune. For more information on Shared iPads in Intune, go to Shared iPad devices in Intune.

❌ If the device is an iOS device, then use Entra shared device mode. For more information, go to Microsoft Entra shared device mode for FLW and Shared device mode for iOS devices.

Note

For iPadOS devices, Conditional Access isn't supported for Shared iPad. For more information, go to Overview of shared device solutions for iOS/iPadOS.

Tip

For a more detailed comparison of both options, go to Shared iOS and iPadOS devices.

Step 1 - Enroll, enable Shared iPad, and choose a temporary session type

For Shared iPad FLW devices, the first step is to create an Automated Device Enrollment (ADE) profile. ADE is the required enrollment option for Shared iPads. ADE syncs the devices from Apple Business Manager or Apple School Manager.

From an Intune perspective, you configure the enrollment profile and assign the profile to the device. When you create the enrollment profile for Shared iPads, you select the following features:

  1. Enroll without user affinity: This option doesn't associate the devices with a specific user. This option is required for Shared iPads.

  2. Shared iPad: This option enables Shared iPad on the device, and is required. It allows many users to sign in to the device.

  3. Require Shared iPad temporary session: This setting determines if the Shared iPads are used for guest access. Your options:

    • Guest access

      Yes enables temporary sessions. Users sign in to the device as a guest. They don't enter a Managed Apple ID or password. When the user signs out, all user data, sign in info, and browsing history are deleted.

      For example, in healthcare, a medical patient is assigned a shared iPad to check in or fill out forms. When they're done, they sign out and all their local user data is deleted from the device. The next patient can then sign in to the device as a guest and use the device.

    • Partitioned user access

      Partitioned user access is the default behavior for Shared iPads. In Intune, Not configured uses this default behavior. Use this option when an iPad is used by many authenticated users at different times.

      Each user signs in to the device with their federated Entra credentials. User partitions ensure that each user's apps, data, and preferences are stored separately on the iPad. Only the same set of apps used across all device users support partitioned user access.

      When the user locks their profile, their data remains on the device in their own partition. Then, the device is ready for the next user to sign in and use the device.

      The number of users that can sign in also varies by the amount of storage on the device. So, we recommended you plan accordingly and configure the enrollment profile to accommodate your needs.

The following image shows a sample Shared iPad enrollment policy in Intune that enables guest access:

An Automated Device Enrollment (ADE) policy with Shared iPad enabled, and temporary sessions for Shared iPadOS enabled for frontline worker devices in Microsoft Intune.

For more information on these features, and to get started, go to:

Step 2 - Home screen layout and device experience

For Shared iPad FLW devices, next consider what end users do on the devices and the device experience they need for their jobs. This decision impacts how you configure the device.

In Intune, you can create device configuration profiles that configure the home screen and the apps that are shown. Specifically, you create a:

  • Device features policy to configure the home screen layout and other settings you want to apply to the device:

    A device features policy with the home screen layout settings configured for iOS and iPadOS device in Microsoft Intune.

  • Device restrictions policy to configure other device settings, such as using kiosk mode and other settings you want to apply to the device:

    A device restrictions policy with the device settings configured for iOS and iPadOS devices in Microsoft Intune.

    In this policy, you can also create a list of approved apps and hide some system apps. For more information on the settings you can configure, go to iOS and iPadOS device settings to allow or restrict features using Intune.

For a list of the Shared iPad settings you can configure, go to Configure settings for Shared iPads.

For a list of all the device configuration settings, go to: