Configuring Shared Device for iOS/iPadOS
Before you begin
- If you're adding Shared Device mode to an existing setup or one that previously used only Microsoft SSO, a logout is required to apply the updated configuration. This ensures the new settings take effect properly across the device.
- When a device is assigned the Microsoft Authenticator Single Sign-On (SSO) profile configuration, Shared Device sign-in is restricted. Only users belonging to groups connected through the directory linked to the Microsoft Authenticator SSO application can successfully sign in.
- Before enabling Shared Devices with a user group configuration linked to a different directory or IdP connection, administrators must first log out users authenticated via Microsoft Authenticator SSO. They also need to revoke the Microsoft Authenticator SSO profile from the device to ensure proper configuration.
- The latest SOTI MobiControl Agent must be deployed and enabled on the device. Use an App Policy to install the SOTI MobiControl Agent.
About this task
Note: Shared Device is supported only for MSAL apps on iOS 14 or later.
Procedure
- In the Devices view, right-click the device group where you want to apply the Shared Device configuration and select Advanced Configurations.
- Choose Apple from the platform family list, then select Shared Device (iOS Only).
  Note: You can add both Android and iOS/iPadOS devices within the same group, but you must configure them individually.
- In the Shared Device (iOS Only) dialog box, enable the Enable Shared Device configuration toggle.
- Configure the Shared Device options:
  | Option | Description |
  | --- | --- |
  | Apply Changes to All Child Groups and Devices | Apply shared device settings to all child groups and devices. |
  | User Groups | Select to add a user group. Choose from: LDAP, Microsoft Entra ID, or Identity Providers. If no directory service or IdP is configured, select Manage Services to set up a new connection. For instructions on associating your identity management system with SOTI MobiControl, refer to Identity Management. To configure a directory, see Configuring Directory. |
  | Allow Only Log In and Log Out Capabilities | The SOTI MobiControl Agent app becomes restricted and limits user interaction to login and logout only. Users can view the logged-in user and log information. |
  | After A Set Period | Schedule automatic logout after a specified duration (1-1500 hours or 5-1500 minutes). |
  | Relocate Device Back to Home Device Group on Logout | Return the device to its original group when the user logs out. Settings and configurations from the destination group are replaced with those of the home group. |
  | Clear Managed Application Data When User Logs Out | Remove all managed application data upon logout. |
  | Disable Device Passcode When User Logs Out | Remove the device passcode upon logout. |
- Select Save to apply the Shared Device settings.
Results
Tip:
- Use Searching With Properties queries to target devices based on their shared device status. Applicable device properties include Shared Device Current User, Shared Device Current User Status, and Shared Device Last User.
- Search for the error states listed in Shared Device Error States.
- You can also generate reports based on shared device users or shared device terms and conditions (see Generating a Report).