Assign and manage Shared iPads with Microsoft Intune

I work a lot with industry verticals such as retail, healthcare, manufacturing, and others who offer shared device experiences to their end users and customers. Many organizations utilize Intune to manage information worker devices and are looking to move their shared device real-estate over as well. Windows kiosk has been a staple for management through Intune for many years and within the last two years, Android and Apple devices (specifically iPads) have gained a rich set of shared device platform and app supported features. Features such as Azure AD shared device and shared iPad have improved the handheld shared device experience for many organizations.

For this month's post I demonstrate a healthcare scenario: assigning a device to a patient and, when they're released from care, initiating a workflow to log off the active user or guest from a shared iPad. To demonstrate this scenario I needed to create my own patient management application utilizing Power Apps and, as with my previous posts, I also utilize Power Automate to automate actions.

Requirements

  • Microsoft Intune
  • Azure Active Directory
  • Microsoft Graph
  • Power Automate
  • Power Apps (optional) or third-party service
  • Apple Business Manager or Apple Configurator



Let’s get started!

The scenario utilizes the platform supported shared iPad experience. For more details about Apple shared iPad please visit: Shared iPad overview – Apple Support

As with most work I publish, Microsoft Graph is heavily utilized. To log out guests and users from devices we'll utilize the following Graph API: logoutSharedAppleDeviceActiveUser action – Microsoft Graph v1.0 | Microsoft Docs

Below are the supported methods:

POST /users/{usersId}/managedDevices/{managedDeviceId}/logoutSharedAppleDeviceActiveUser

POST /deviceManagement/managedDevices/{managedDeviceId}/logoutSharedAppleDeviceActiveUser <- this is what I utilize for this scenario

POST /deviceManagement/detectedApps/{detectedAppId}/managedDevices/{managedDeviceId}/logoutSharedAppleDeviceActiveUser

Overview

For the purposes of this post, I have an iPad enrolled with Automated Device Enrollment (ADE) in Intune. The profile is set to configure the iPad as a shared device supporting temporary sessions (no Apple ID required). I also have a few apps deployed that every guest user will see and will be able to sign in to. When the user no longer needs the device, a command is sent to log out the active user; all sign-in info and data are cleared from the apps/device and the device is staged for the next user.

Below is the specific Graph call I utilize; all we need to do is include the device's Intune managedDevice id in place of deviceID:

https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/deviceID/logoutSharedAppleDeviceActiveUser

Apple Profile for shared iPad

The profile I have configured in Intune for ADE is below; notice I require a shared iPad temporary session so only guest access is allowed. However, logout also supports users who sign on with Apple IDs.


Power Automate

As with my previous posts, I have an app registered in Azure AD with the proper Graph API permissions assigned. I also generate a client secret in the Azure AD registered app and use the ClientID and Secret in HTTP actions in the Flow. Always check what API permissions the Graph API requires, then adjust the Azure AD registered app permissions if needed.


I utilize three separate Flows for this process:

  • Get iPads – queries Intune Graph for all iPads
  • Update device name with patient name – changes the device name and management name to the name of the assigned person and appends the serial number for additional identification.
  • Log off user – logs the user off when released from care and changes the device and management name.


Get iPads

This Flow pulls all the enrolled iPads from Intune and populates them in a Power Apps collection. You can populate this data by accessing any service with an API; however, I utilize Power Apps for demonstration purposes only.

The HTTP action is self-explanatory so I won't go into details. The Parse JSON schema for its response is below:

{
    "type": "object",
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "@@odata.count": {
            "type": "integer"
        },
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "id": {
                        "type": "string"
                    },
                    "deviceName": {
                        "type": "string"
                    },
                    "operatingSystem": {
                        "type": "string"
                    },
                    "serialNumber": {
                        "type": "string"
                    },
                    "model": {
                        "type": "string"
                    },
                    "managedDeviceName": {
                        "type": "string"
                    }
                },
                "required": [
                    "id",
                    "deviceName",
                    "operatingSystem",
                    "serialNumber",
                    "model",
                    "managedDeviceName"
                ]
            }
        }
    }
}

Response (this sends back the data from Parse JSON action in an array format to a Power Apps collection)

{
    "type": "array",
    "items": {
        "type": "object",
        "properties": {
            "id": {
                "type": "string"
            },
            "deviceName": {
                "type": "string"
            },
            "operatingSystem": {
                "type": "string"
            },
            "serialNumber": {
                "type": "string"
            },
            "model": {
                "type": "string"
            },
            "managedDeviceName": {
                "type": "string"
            }
        }
    }
}


Update device name with patient name

In the following Flow I update the device name and management name; however, updating either is completely optional. I change the device name and management name because I add text to show that the device has been assigned to a patient.

The following two Graph APIs allow renaming of the device and management name:

There are three variables created that are utilized in the Power App to send over the proper user and device information. When integrating with a third-party service, the variables should be referenced either by a built-in or custom connector.

I also have two HTTP actions, one to rename the device and the other to update the management name of the device. Both are self-explanatory so I won’t go into details.

Log off user (i.e. guest)

When a patient is released from care, this Flow will log off the active user on the device and make it ready for the next user by clearing all sign-in info and data from apps. As with the Flow above, we’ll utilize the same Graph APIs to update the device and management names.

The following two Graph APIs allow renaming of the device and management name:

There are two variables created that are utilized in the Power App to send over the proper device information. When integrating with a third-party service, the variables should be referenced either by a built-in or custom connector.

I also have three HTTP actions: one to log off the active user, and the other two to rename the device and update the management name (optional) with text to show the device is available for assignment again. All three HTTP actions are self-explanatory, so I won't go into details.
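The Graph calls behind the "Get iPads" and "Log off user" Flows, written as a script instead of Power Automate HTTP actions. This is an added example, not code from the original post; it assumes an Azure AD app with the application permissions DeviceManagementManagedDevices.Read.All (listing) and DeviceManagementManagedDevices.PrivilegedOperations.All (the logout action), that the client secret is supplied through environment variables rather than stored in the Flow, and that iPads are picked out of the managedDevices list by their model field (an assumption, not something the post states).

```python
# Added example (not from the original post). Assumes: app-only Graph permissions
# DeviceManagementManagedDevices.Read.All + .PrivilegedOperations.All, secret read from
# the environment, and iPads identified by the model field (assumption).
import json, os, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
FIELDS = ["id", "deviceName", "operatingSystem", "serialNumber", "model", "managedDeviceName"]

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token; the secret is passed in, never hard-coded in source."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default", "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]

def graph_request(token, method, url, body=None):
    """Minimal Graph call; returns (status, parsed JSON or None). urlopen raises on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else (b"" if method == "POST" else None)
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.status, (None if r.status == 204 else json.load(r))

def ipads_from_page(page):
    """Reduce one managedDevices page to the six fields of the post's Parse JSON schema, iPads only."""
    return [{k: d.get(k) for k in FIELDS} for d in page.get("value", [])
            if str(d.get("model", "")).startswith("iPad")]

def list_ipads(token):
    url = f"{GRAPH}/deviceManagement/managedDevices?$select={','.join(FIELDS)}"
    devices = []
    while url:  # follow @odata.nextLink until the last page
        _, page = graph_request(token, "GET", url)
        devices += ipads_from_page(page)
        url = page.get("@odata.nextLink")
    return devices

def logout_url(device_id):
    """The action URL the post uses, with the Intune managedDevice id in the path."""
    return f"{GRAPH}/deviceManagement/managedDevices/{device_id}/logoutSharedAppleDeviceActiveUser"

def logout_active_user(token, device_id):
    status, _ = graph_request(token, "POST", logout_url(device_id))
    return status == 204  # the action answers 204 No Content when accepted

SAMPLE_PAGE = {"value": [  # constructed sample page in the shape the Flow parses, not real data
    {"id": "dev-1", "deviceName": "Ward-iPad-01", "operatingSystem": "iOS", "serialNumber": "SN0001",
     "model": "iPad (9th generation)", "managedDeviceName": "Ward-iPad-01_SN0001", "ownerType": "company"},
    {"id": "dev-2", "deviceName": "Nurse-iPhone", "operatingSystem": "iOS", "serialNumber": "SN0002",
     "model": "iPhone 13", "managedDeviceName": "Nurse-iPhone_SN0002"}]}
```

Run it with `tok = get_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])`, then `list_ipads(tok)` to build the collection and `logout_active_user(tok, device_id)` when a patient is released.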

Building an app to test the process with Power Apps

Dataverse (optional)

I created a simple table in Dataverse (Power Platform) to store device and user assignments. The data is also utilized to populate fields: when a patient is selected from a dropdown list, the device information for that particular user is also shown. This type of data could easily be stored in and accessed from a third-party service instead.


Power Apps (optional)

This section is for demonstration purposes only, so I won't go into how I created the app (if you're interested, just reach out to me directly). The goal here is to spark ideas about utilizing a service to interact with device assignments and to automate log off when a device no longer needs to be assigned to an individual.

Patient device assignment screen


Device release screen


Additional Shared iPad features

For more information about shared iPad please visit: Shared iPad devices – Microsoft Intune | Microsoft Docs

There are some additional configuration options as well. For example, if we didn't want to integrate using Graph, we could set the maximum number of seconds of inactivity until either the user or temporary session logs out:

Maximum seconds of inactivity until user session logs out: The minimum allowed value for this setting is 30. If there isn’t any activity after the defined period, the user session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will not end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later.

Require Shared iPad temporary session only: Configures the device so that users only see the guest version of the sign-in experience and must sign in as guests. They can’t sign in with a Managed Apple ID. Available for devices in Shared iPad mode running iPadOS 14.5 and later.

When set to Yes, this setting cancels out the following shared iPad settings, because they are not applicable in temporary sessions:

  • Maximum cached users
  • Maximum seconds after screen lock before password is required
  • Maximum seconds of inactivity until user session logs out

Maximum seconds of inactivity until temporary session logs out: The minimum allowed value for this setting is 30. If there isn’t any activity after the defined period, the temporary session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will not end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later.

This setting is available when Require Shared iPad temporary session only is set to Yes.

Source: Enroll iOS/iPadOS devices by using ADE – Microsoft Intune | Microsoft Docs

Conclusion

That's it! I hope this gave you some ideas on how to integrate and manage shared iPads within your organization, whether the devices are for employees or for customers. Intune supports a variety of shared experiences across Android, Apple, and Windows devices.