Most of my customers and partners are striving to bring simplicity to students and educators, and Single Sign On with a unique set of user credentials is one way to achieve this. With a goal like this, it makes sense to leverage the powerful cloud identity features of Azure Active Directory (AzureAD/AAD), and I realised that I blogged two years ago to the day about the Managed Apple ID federation features AzureAD supports. How time flies, and with that in mind I wanted to share another amazing post from Peter van der Woude where he walks through using a combination of Managed Apple IDs, Microsoft Intune and iPads in Shared iPad mode to achieve a great outcome.
Read the original full post here
I’ve mentioned plenty of times before on this blog that I won’t ‘reinvent the wheel’ and am happy to acknowledge when others have written an amazing blog post that I can’t top, and I think in this instance you should definitely read Peter’s blog directly. For now, I’ll simply add some educational context for my readership.
Why This Makes Sense In Education
I’ve been in many schools where iPads are being used and typically they do not use Shared iPad Mode, preferring instead to leverage a managed iPad that is ‘user-less’ – students simply pick it up and have a generic experience. This requirement is often driven by the fact iPads are frequently used by younger students where having a unique username/password to authenticate into any device can be a barrier to learning.
That said, with older students and especially with educators who may be using shared devices, managing Shared iPads makes more sense as you may wish to apply policies where certain users are restricted to certain apps – and it’s at this point that Intune really shines in the management of Shared iPads and Peter’s blog touches on this:
Assign apps and policies to device groups, as user assigned apps and policies will not apply on Shared iPad devices.
Assign apps as required to device groups, as available apps (and the Company Portal app and website) are not supported on Shared iPad devices.
Only Apple VPP apps, line-of-business apps and weblinks can be distributed to Shared iPad devices, as the App Store can not be used.
Disable the App Store via a device configuration profile (setting: Block App store), as the App Store is available on Shared iPad devices but the app installations are disabled.
Block guest sign in via a device configuration profile (setting: Block Shared iPad temporary sessions), to prevent temporary sessions and public access to the Shared iPad devices.
Source blog post
Ultimately, however, the secret sauce here is the Managed Apple ID achieved via federation with AzureAD, as it is this which allows students and educators to have a unique cloud identity across the major ecosystems used in education: Microsoft 365, Apple and Google (you can read my blog on configuring SSO from AzureAD to Google here). As a school IT Decision Maker, I can’t stress enough the importance of making smart choices when it comes to your cloud identity as you don’t want to end up in the proverbial technological cul-de-sac: a dead end where your students and educators can’t access the resources they need.
By choosing AzureAD, you will have virtually limitless integration policies and have access to incredibly powerful features such as Conditional Access to protect both users and your institutional data – check my blog post about this here:
Using Conditional Access To Protect Student and Staff Identity With Location Based Policies – SamuelMcNeill.com
Furthermore, iPads allow educators and students to leverage the built-in support for inking and touch that Office365 provides, and with Shared iPad, apps such as OneNote, Word, PowerPoint etc. will all be automatically activated and authenticated when the user signs in with their Managed Apple ID – further reducing any barriers to learning and accessing the tools for the classroom.
If you’re an IT Admin looking for a technical blog post on how to implement Shared iPad mode with Intune, look no further than Peter’s post here. If you’re an eLearning lead or ITDM in a school that uses iPads, then hopefully my brief explanation above of centralizing your cloud identity on AzureAD provides you with some food for thought as you lead your institution’s classrooms towards the cloud!