Single-User/Multi-User iPads: Are we doing it right?

jlscott

Joined: Oct 30, 2013

There’s quite a lot of information around but no definitive setup and scenario guides, so I thought I’d run this past the community for your thoughts and tips.

We support an Acute hospital whose thirst for iPads seems unending! To help us manage them we’ve bought Airwatch, in conjunction with using Apple Configurator. There are essentially two scenarios we’re challenged with: a dedicated user / individual and a team or shared device situation.

The dedicated user or individual is easy enough – we get them set up with an Apple ID using their work email (to keep it separate from any home accounts) and enrol them into Airwatch without touching Apple Configurator. Users buy their own apps, although we’re hoping through the enhanced VPP to be able to offer this centrally. We are starting to remove the App Store though, and only provide a route to purchasing and installing apps via the internal Airwatch App Catalog, allowing us to risk assess apps prior to making them available. With our current setup, we’re losing out on some of the management functionality available with supervision, so we’re considering putting that step into the process first – supervise the device then enrol as normal. We don’t install apps with Configurator because we want to avoid the situation where users cannot update an app because it’s tied to our Apple ID.

The second scenario is one or more iPads shared and used by a group of staff (team based). We believe these should be locked down more tightly than for dedicated users. Quite often there is a need for some additional apps to be installed, so we were considering loading this via Configurator at the time of deployment. But this means any updates or new apps require the device be returned to IT for a refresh. So we’re considering setting up a team / generic Apple ID, which the target group of users own and maintain, but which allows them to receive apps and updates over-the-air. This would give them freedom to configure their own payment method, or allow us to assign apps purchased through VPP. I guess the only problem we’d encounter is hitting the limit (10?) on the number of devices an Apple ID can be associated with.
So, that’s where we are currently.

Any thoughts, suggestions and comments would be greatly appreciated!

vdrdad

Joined: Nov 7, 2013

AppleID Per Device Serial#

@jlscott

Our Company has adopted a method that individualizes a device and user even in the case of multi-user per device scenarios.

Within your Company (or client's) Exchange Environment:

1. Create the two main inboxes
   a. icloud@mydomain.com
   b. appstore@mydomain.com

2. Do not assign Aliases to the Main Accounts

3. Create Sub Accounts and assign up to 1000 Aliases for each account
   a. icloud01@mydomain.com
      i. 1000 Aliases
   b. icloud02@mydomain.com
      i. 1000 Aliases
   c. icloud03@mydomain.com
      i. 1000 Aliases
   d. appstore01@mydomain.com
      i. 1000 Aliases
   e. appstore02@asmnet.com
      i. 1000 Aliases
   f. appstore03@asmnet.com
      i. 1000 Aliases

4. Create Rules on the Sub Account Inboxes to always forward all mail to the Master Account
   a. For icloud01@mydomain.com Forward all mail to icloud@mydomain.com
   b. For icloud02@mydomain.com Forward all mail to icloud@mydomain.com
   c. For icloud03@mydomain.com Forward all mail to icloud@mydomain.com
   d. For appstore01@mydomain.com Forward all mail to appstore@mydomain.com
   e. For appstore02@mydomain.com Forward all mail to appstore@mydomain.com
   f. For appstore03@mydomain.com Forward all mail to appstore@mydomain.com

5. This method can be replicated as you grow by simply adding accounts following the numerical suffix nomenclature
6. You only Need Access to the Main Accounts

ALIASES
The Aliases for those accounts will be created using your Device's Serial Numbers.
For the iCloud Aliases (S+Serial#+X@mydomain.com)
For the AppStore Aliases (S+Serial#@mydomain.com)

Do this for each Device by Serial#. Once the Aliases are in Place, Start Creating Your AppleID's with (AIDAB)
Accounts: S+Serial#+X@mydomain.com will send verification e-mail to icloud@mydomain.com
Accounts: S+Serial#+@mydomain.com will send verification e-mail to appstore@mydomain.com

7. Add iCloud Account to iCloud on the imaged device
8. Add the AppStore Account to the AppStore on the imaged device
9. If supervised, Disable device from making Account changes, once enrolled on your MDM

NOTE: We have an App that is installed on the device during the imaging process. This App will Read the device Serial# and generate the AppleID and iCloud ID using the above stated nomenclature, ergo, no typing for you.
Additionally, when the app Copies the AppleID using Device Serial#, it will also launch the AppStore to the Install screen for your MDM client App.

Sam Aguilar
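
The alias scheme from the post above, worked through as an added example (not the poster's code or staging app). It reads "S+Serial#+X" as the literal letter S, the serial, then a literal X, and assumes sub-accounts are filled in order at 1000 aliases each; the serial pattern, function names and sample serials are constructed for illustration.

```python
import re

ALIASES_PER_SUBACCOUNT = 1000   # per-sub-account alias count from the post
DOMAIN = "mydomain.com"         # placeholder domain used in the post
# Assumed serial shape (not from the post): 8-14 letters/digits. Rejecting
# anything else keeps "@", "+", "." or spaces out of the address local part.
SERIAL_RE = re.compile(r"[A-Z0-9]{8,14}")


def normalize(serials):
    """Trim and upper-case serials, drop duplicates, reject malformed ones."""
    clean, seen, bad = [], set(), []
    for raw in serials:
        s = raw.strip().upper()
        if not SERIAL_RE.fullmatch(s):
            bad.append(raw)
        elif s not in seen:
            seen.add(s)
            clean.append(s)
    if bad:
        raise ValueError(f"malformed serial(s): {bad}")
    return clean


def plan(serials, per_sub=ALIASES_PER_SUBACCOUNT, domain=DOMAIN):
    """Map each device to its two Apple ID addresses and the sub-accounts
    that carry them as aliases (assumed: sub-accounts filled in order)."""
    rows = []
    for i, s in enumerate(normalize(serials)):
        n = i // per_sub + 1                      # 01, 02, 03, ...
        rows.append({
            "serial": s,
            "icloud_id": f"S{s}X@{domain}",       # S+Serial#+X
            "icloud_sub": f"icloud{n:02d}@{domain}",
            "appstore_id": f"S{s}@{domain}",      # S+Serial#
            "appstore_sub": f"appstore{n:02d}@{domain}",
        })
    return rows


def forwarding_rules(rows, domain=DOMAIN):
    """Step 4: every sub-account in use forwards to its main inbox."""
    rules = {}
    for r in rows:
        rules[r["icloud_sub"]] = f"icloud@{domain}"
        rules[r["appstore_sub"]] = f"appstore@{domain}"
    return rules


if __name__ == "__main__":
    sample = ["dmpl0000aaaa ", "DMPL0000AAAA", "F9FK1111BBBB"]  # constructed
    for row in plan(sample, per_sub=2):
        print(row)
```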

iosomg

Joined: Nov 22, 2013

What is the reasoning behind using separate accounts for iCloud and App Store on each device?

In our experience, we've never had any need to regularly access the email account associated with our individual-device Apple IDs except to initially confirm the account, so we haven't bothered with forwarding, though I can see how depending on how many devices you are initializing, configuring it to forward those confirmation messages could be more efficient. We've never managed to actually get a password reset email unless the account is set up with a recovery email (even though the iForgot system will tell you it has sent one), so we just use our master email account for that.

vdrdad

Joined: Nov 7, 2013

Reasoning for Multiple ID

The Multiple Accounts are created to better control options made available by Apple.

The App Store account is given a simple generic password that can be given to the End User for installs/updates.

The iCloud account is used to activate the iCloud and enable the "Activation Lock" feature on the device before it is deployed.
The iCloud account is given a complex password that is not distributed to the End user; this way, they can not remove it and enable Activation lock with their personal AppleID's.

Ergo, we own the accounts for the "Activation lock" feature and thus, do not have to worry about an end user sending back a locked device.

Because we manage our AppleID's based on device serial Numbers, it means we have to troubleshoot the Account at times.
For Example, end user types incorrect password, and we now need to reset, then we are the owners of the Inbox where the reset information is sent to.

We Currently Manage 13,000 apple ID's and none have been set up with a reset e-mail address, since it is not needed.

Sam Aguilar

ahensley

Joined: Nov 8, 2013

iCloud Sign in After an Update

Sam,

I am configuring ~100 iPads for my company that will be used by remote salesmen. I am setting them up initially and supervising with Configurator and managing them on an on-going basis through an MDM.

If the iCloud accounts are set up in your proposed method (supervise and sign in to a corporate iCloud account, then disallow modifying account settings through an MDM), will the user still be forced to enter the iCloud password after an iOS update? It wouldn't be a problem if all the devices were managed on-site from a docking station, but ours are all across the country. Does "disallowing modification of account settings" keep the devices signed in through an iOS update and, therefore, prevent the password prompt? We are using iCloud for Find My iPad. I don't want to be stuck with 100 remote devices that I can't locate since the users don't know the password... Any advice is greatly appreciated!

Thank you,
Ali

iosomg

Joined: Nov 22, 2013

Re: iCloud Sign in After an Update

There is no way to truly keep a device "signed in". Disallowing account access will prevent a user from changing the listed account, but you always need to re-type the Apple ID password for app downloads. Apparently the new Managed Distribution system for VPP codes will allow silent downloads to supervised devices without requiring a password. This system was just released Monday evening so if you know of an MDM who already has it up and running I would love to hear more about how it works.

What settings need re-initialization after an update varies version-to-version, but we have not found any way to update to iOS 7 without requiring the password re-entry.

Aaron Freimark

Joined: Apr 16, 2014

Apple ID created by app?

NOTE: We have an App that is installed on the device during the imaging process. This App will Read the device Serial# and generate the AppleID and iCloud ID using the above stated nomenclature, ergo, no typing for you.

How does the app do this?

--
Aaron Freimark, Enterprise iOS founder & Tekserve CTO

Aaron Freimark

Joined: Apr 16, 2014

10-device limit?

The "10 device limit" applies to iTunes in the Cloud and paid apps only. We've used a single apple ID for hundreds and hundreds of devices in the past, for use with free & in-house apps. This is a much simpler solution for many shared-use deployments.

Obviously care must be taken to restrict access to the ID: don't add a credit card, keep control of the password, use hard-to-guess security questions, and set up a recovery email. Oh, and never add iMessage to the ID :)

--
Aaron Freimark, Enterprise iOS founder & Tekserve CTO

vdrdad

Joined: Nov 7, 2013

iCloud Password after an iOS Update

I have not been able to test against the scenario where the iCloud password would be required after an iOS Update.

During the iOS 5 to iOS 6 update process, the device would prompt for the AppleID account and Password, however, during the iOS 6 to iOS 7 upgrade the device does prompt for AppleID and password to enable the iCloud.

If the iCloud is already set up and the password for this secret account has not been modified, then I would assume this password would not be needed since it is not being used to install or update free/paid apps.

Sam Aguilar

vdrdad

Joined: Nov 7, 2013

How does the app do this?

IOKit

I found a header file for this Private framework and modified a Project that someone built to read all other device data.

I can Post the Code as project or the IPA if you'd like to try it out.
It is great for depot deployments and our Inventory Department loves using it during the staging process.

Sam Aguilar

Eddie_Fade

Joined: Nov 14, 2013

Terms and Conditions

The limit of no. of devices that can be associated with an Apple ID in App Store is for Personal Use only. For education and enterprise use, each device/user must use a dedicated Apple ID.
Buying the App once and deploying it to multiple users by using the same Apple ID is not right.

You can use the same iCloud account for as many devices as you need. But the App Store is something else.

For Free apps, you can install to many devices using the same Apple ID, like using Apple Configurator.

kolin.augie

Joined: Jan 3, 2014

Please share this Staging App!

vdrdad,

We are preparing to stage and deploy hundreds of iOS devices in 2014. This app would be very helpful for what we are trying to do. Would you be so kind as to share it with us? :D
