Jamf Nation Community

Gabe,
What you are experiencing on both counts is normal.

For example in your note about you said "...gets caught in a loop of trying to finish running setup assistant and picking a language."

Users are no getting caught in a loop. The first time a user logs in the user needs to select the proper language for that Managed Apple ID. Once the users does this once it is set for all future sessions as this is saved in their iCloud profile.

In the case of Share iPad using Federation and iPad passcode is required. Take a look here:
https://support.apple.com/guide/apple-school-manager/intro-to-federated-authentication-apdb19317543/web

Copied from that article:
When you use federated authentication with Shared iPad, the sign-in process is different depending on whether the user already exists in Apple School Manager.
If the user already exists, you must reset their passcode.

If the user doesn’t already exist, they’ll be redirected to sign in using the Microsoft Azure AD screen. Once the user successfully authenticates, they must create a Shared iPad passcode.
The default passcode policy is Standard (8 or more letter and numbers) and can be changed. See Password policy scenarios in Apple School Manager. If the user forgets their passcode, you must use the Reset Shared iPad Passcode in Apple School Manager.

Hope this helps!
Brian

Thanks@brian The looping issue is in fact a looping issue. Each user that tries to login asks for Language, then once selected, it reboots back to the user login screen. Seems like a setting is not allowing it to move forward. I found an article talking about it being a bug and then an offered solution was to download iMazing and run a command that force quits the setup assistant. This fixed the looping issue and allowed each user to login in correctly. (Great first experience with Shared iPads).

My issue with the iPad Passcode is more of a functionality issue with Apple. Why, would we need to have a user login using 2 different things each time they use an iPad? Each time a user logs in with their federated passcode, they then needs to type an iPad passcode. What a waste of our users time. Why wouldn't we be able to disable the iPad passcode and just use the federated login each time a user uses an iPad, since it already always has them login using their 365 account? But again this beef will need to be had with Apple.

Gabe Shackney
Princeton Public Schools

Apple has told me that they're working on implementing the feature of using the user's AD credentials as the passcode, instead of the ASM passcode, to access the shared device. Don't know when it will be available, but it would make it a seamless experience for the user when signing in.

@schickp Not sure why it would have ever been helpful to make users log in twice. Or at least make a "disable passcode" option available.
Hate having to wait for companies to make things useful lol.

Gabe Shackney
Princeton Public Schools

What is the advantage of using Federated....Microsoft thing? Why over complicate everything?

The benefit is actually simplifying the login process (in theory) to just being their username and password that they currently use with all other devices through active directory and ditches the managed apple ID's as a secondary method to login. Its been great other than then apple forcing a 2nd password for the iPads to have to be used. Federated accounts should allow Apple IDs to be auto created and managed based on our Active Directory (which it is doing).

Gabe Shackney
Princeton Public Schools

Forgive my ignorance as I am not familiar with Federated...Apple login window for iPads is numbers......your Active Directory passwords would definitely be numbers, letters, characters and not just numbers, so Federated is adding an extra layer on top to accommodate those passwords? I am glad you said simplifying in theory... sounds like your trying to make iPads work like Windows, no offence intended. Why not just use the iPad codes, simple easy works. Explain to me how federated in Theory, is easier than a passcode of say 1234 for kids in elementary? Trying to understand your view point.

The kids all know their AD logins already since it’s all A 4 digit pin just twice (12341234 at least at the elementary level). This is what they use to login to Macs, PCs, chrome books (and buy lunch). There is no need for an additional pin. I want to disable the requirement for a pin so they just use the code they all already know and therefore teachers and students do not have to learn any other codes or pins to get into a device. We simply have no use for that feature. It’s actually more work to be forced to use the extra pin. It’s actually like Apple is becoming more like Microsoft if they require a pin of their own making on top of a feature designed to make logins easier. Should be pretty easy to make the pin an optional piece. Or to make federated logins supersede the pin. It’s almost like they didn’t really think this through.

Gabe Shackney
Princeton Public Schools

thanks for explaining it so well. You're also aware that Shared iPads, when the kids login, have access to cloud storage of 200 gigs. Which means that kids can access their cloud storage from any computer in the world, and having no pin (pin is their Apple ID login password), well...... however there is a verification code that must be generated within Apple School Manager, to allow them to login to their iCloud account from any other computer. How do you tell Federated logins that when the kid logs in from home on a computer to his iCloud account, that its ok to use his AD credentials.

Sometimes in IT, we only see our needs and not the greater context....reminds me of the story... of the boy that insists, he wants to paint with a hammer.....

I don't think this has changed yet but please chime in if you have different experience. We are still getting prompted for Azure AD password then create an iPad Passcode.

There is no way to disable the iPad Passcode and just use the Azure AD password? Also, I'm required to have at least 8 characters / Upper and Lower Case letters. Can this be changed so that users can use 4 digit pin for their iPad passcode?

your manager loves microsoft. we don't use federated, one less layer to worry about.