Jamf Nation Community

ajanicke · ‎08-11-2023

We're trying to setup a few loaner devices at our schools in the event a kid forgets their iPad.

I setup two iPad 9th gens for testing, setup the ADEP profile for a shared device, all users are setup in ASM.

I logged in as a user and was prompted to create a passcode, great. Then I logged out and logged in with another user and it worked the same.

The problem is now when you go to the other iPad to sign in it takes the shared iPad passcode, logs in for about 10-15 seconds, the automatically logs the user out stating "Login failed please try again"

I've been messing with them for about a day and just can't find any reason for this to be happening. Has anyone else ever seen this issue?

ajanicke · ‎09-25-2023

I've got this figured out for our configuration for now. We have a content filter that uses an SSL Cert, Web Content Filter, and an App that passes the username to our filter.

Turns out the Filter does not support multiple users on iPads.

So what we ended up doing is getting rid of the app that passes the username, getting rid of custom keys for the app, keeping the Web Content Filter and SSL Cert configurations on our profile.

This works in our case since the network still has an umbrella policy based on subnets so this may not be everyone's solution but it was ours. If you do need web content filtering on a shared iPad try to make it as generic as possible. Our provider might be behind the times with this but once we made it more general and got rid of the companion app things started working as intended.

View solution in original post

rsaeks · ‎08-31-2023

We are seeing a similar behavior in jamf pro with managed apple IDs on devices setup for shared iPad. We've made sure devices are up to date (iPadOS 16.6) and date & time is set correctly.

ajanicke · ‎08-31-2023

I've actually been back on this task for the past day or two.

What I'm finding is the shared iPad feature does not seem to consistently login the user with their Apple ID. When the Apple ID is not properly passed to the iPad it will allow a login for a brief 5-10 seconds then boot the user out saying it "Failed the login" but really the iPad failed to login the Apple ID.

These tests were also done with the restored iPad Pros with the most recent OS.

rsaeks · ‎08-31-2023

Are you seeing this behavior limited to student managed apple IDs vs teachers? I tested my MAID on the device and wasn't logged out automatically.

ajanicke · ‎08-31-2023

I am as our students would be the only ones using these devices. We have some test student accounts we use for testing and they've all had the same behavior when logging into another shared device.

I'm also seeing on Jamf School under "Shared Users" the "Data to Sync" is "Yes" for the users that are having issues. But on the original shared device where I setup the accounts and set the shared passcode this is set to "No"

I'm not sure what this could be as the little amount of time I'm in the account I can quickly see that all profiles we have assigned are coming down. The profiles just consisting of Wi-Fi, some very loose restrictions, and our Content Filter all in their own profile.

christens3n · ‎09-13-2023

I am experiencing this issue as well. A reset of the user's password in Apple School Manager seems to allow you to stay logged in on the device. But I'm not sure yet if that breaks the account on the other iPads the user might log into.

ajanicke · ‎09-13-2023

It does. It's a temp fix but barely. We talked with our Apple Rep and he was not able to reproduce and he sat with us for around an hour doing different troubleshooting tactics. He was able to get it running in his instance of Jamf School but ours is just breaking for some reason. We still haven't gotten to the bottom of it yet. Seems shared iPads are still very much in their infancy so if you have an alternative I would suggest going with that.

rsaeks · ‎09-14-2023

Thanks for the info about resetting the users password. Since we are 1:1 and our shared devices are used as loaners for when a student may forget their device at home or have an issue where they need troubleshooting, resetting a password isn't a scalable solution we can implement. (I'm sure we are all in the same boat about the work-around so this is more of a why it couldn't be done for jamf impact). Every time a student needs to borrow a device taking the time to reset their Apple ID password, walk the student through resetting their password (we are K-8) and then needing to have them re-login to their Apple ID on the assigned device would cause a significant amount of extra work / lost instructional time for that student. Hopefully there is a more systematic solution that doesn't require intervention on our part on a per-student basis.

ajanicke · ‎09-14-2023

Just curious, do you guys use any kind of SAML or OAuth such as AD, Azure, Okta, or Google etc.. ?

christens3n · ‎09-14-2023

We do not at this time. Just a straight provisioning of MAIDs on a subdomain from our SIS.

rsaeks · ‎09-20-2023

No SAML / SSO for us either.

rsaeks · ‎09-20-2023

We have found the password reset helps with users logging in. 16.6.1 didn't resolve the issue for us and I don't *quite* yet want to update a test device to 17 to test it out on that OS. Has anyone else tried iPadOS 17 to see if that fixes the issue?

ajanicke · ‎09-25-2023

I've got this figured out for our configuration for now. We have a content filter that uses an SSL Cert, Web Content Filter, and an App that passes the username to our filter.

Turns out the Filter does not support multiple users on iPads.

So what we ended up doing is getting rid of the app that passes the username, getting rid of custom keys for the app, keeping the Web Content Filter and SSL Cert configurations on our profile.

This works in our case since the network still has an umbrella policy based on subnets so this may not be everyone's solution but it was ours. If you do need web content filtering on a shared iPad try to make it as generic as possible. Our provider might be behind the times with this but once we made it more general and got rid of the companion app things started working as intended.

rsaeks · ‎09-27-2023

That's a great find! We were able to do the same thing with our devices to get things going. What's interesting is the config profiles / device / setup is all the same as it was last school year (in our case the devices are the same and we didn't wipe them over the summer), so either an app update from the vendor with the filtering software introduced an issue with Shared iPad, or an iPadOS update (from 16.x -> 16.5.1+) introduced an issue.

ajanicke · ‎09-27-2023

Correct, we got in contact with our filtering provider and they let us know that a shared config is just not supported and only a 1:1 was supported. I'm not sure if this is the usual thing with Web Content Filtering providers but for us we had to open a ticket with them to get that information. Again, we have network policies in place so they still get the student policy but when it comes across our filter if we have an issue we just see ipad/domain as the user. Kinda lackluster but between me and the network engineer he can see any incidents and I can cross reference our Jamf shared devices for who was logged in at the time. We also only have a small amount of about 30 shared devices. Might not be the best solution on a larger scale.

Glad to know this worked for you!

Jamf Nation Community

Shared iPad immediately logging out users