Configure Intune education settings for shared iPad devices

Note

Intune doesn't currently support configuring the Classroom app. This article is only applicable for users with existing iOS education profiles in Intune.

Intune supports the iOS Classroom app that helps teachers to guide learning, and control student devices in the classroom. In addition, to the Classroom app, Apple supports the ability for student iPad devices to be configured such that multiple students can share a single device. This document guides you to achieve this goal with Intune.

For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure Intune settings for the iOS Classroom app.

Before you start

The prerequisites to use the shared iPad capabilities are:

Step 1 - Import your school data into Azure Active Directory

Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System (SIS) to Azure Active Directory (Azure AD). SDS synchronizes information from your SIS and stores it in Azure AD. Azure AD is a Microsoft management system that helps you organize users and devices. You can then use this data to help you manage your students and classes. Learn more about how to deploy SDS.

How to import data using SDS

You can import information into SDS by using one of the following methods:

  • CSV files - Manually export and compile comma-separated value (.csv) files
  • PowerSchool API - An SIS provider that simplifies syncing with Azure AD
  • OneRoster - A CSV format that you can export and convert to sync with Azure AD

Find out more

Step 2 - Create and assign an iOS Education profile in Intune

Configure general settings

  1. Sign in to Intune.
  2. On the Intune pane, choose Device configuration.
  3. On the Device configuration pane under the Manage section, choose Profiles.
  4. On the profiles pane, choose Create profile.
  5. On the Create profile pane, enter a Name and Description for the iOS education profile.
  6. From the Platform drop-down list, choose iOS.
  7. From the Profile type drop-down list, choose Education.
  8. Choose Settings > Configure.

Next, you need certificates to establish a trust relationship between teacher and student iPads. Certificates are used to seamlessly and silently authenticate connections between devices without having to enter user names and passwords.

Important

The teacher and student certificates you use must be issued by different certificate authorities (CAs). You must create two new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS education profiles support only PFX certificates. SCEP certificates are not supported.

Certificates you create must support server authentication in addition to user authentication.

Configure teacher certificates

On the Education pane, choose Teacher certificates.

Configure teacher root certificate

Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

Configure teacher PKCS#12 certificate

Under Teacher PKCS#12 certificate, configure the following values:

  • Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the student certificate.
  • Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported.
  • Certification authority name - Enter the name of your certification authority.
  • Certificate template name- Enter the name of a certificate template that has been added to an issuing CA.
  • Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • Certificate validity period - Specify the amount of remaining time before the certificate expires. You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA certificate.

When you have finished configuring teacher certificates, choose OK.

Configure student certificates

  1. On the Education pane, choose Student certificates.
  2. On the Student certificates pane, from the Student device certificates type list, choose Shared iPad.

Configure student root certificate

Under Device root certificate, choose the browse button to select the student root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

Configure device PKCS#12 certificate

Under Student PKCS#12 certificate, configure the following values:

  • Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the device certificate.
  • Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported.
  • Certification authority name - Enter the name of your certification authority.
  • Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
  • Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • Certificate validity period - Specify the amount of remaining time before the certificate expires. You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA certificate.

When you are finished configuring certificates, choose OK.

Complete Certificate Setup

  1. On the Education pane, choose OK.
  2. On the Create profile pane, choose Create.

The profile is created and appears on the profiles list pane.

Step 3 - Create a device category

  1. Sign in to Intune.
  2. On the Intune pane, choose Device enrollment.
  3. On the Device enrollment - Overview pane, choose Device categories.
  4. On the Device enrollment - Device Categories pane, choose Create.
  5. On the Create device category pane, enter a Name and Description for the category.
  6. On the Create device category pane, choose Create.

The device category is created in the Enrollment – Device Categories pane.

Step 4 – Create a dynamic group

  1. Sign in to Intune.
  2. On the Intune pane, choose Groups.
  3. On the Users and Groups – All Groups pane, choose New group.
  4. On the Group pane, choose a Group type and then enter a Name and Description for the group.
  5. From the Membership type drop-down list, choose Dynamic Device.
  6. Choose Dynamic device members to create membership rules.
  7. On the Dynamic membership rules pane:
  8. Select deviceCategory from the Add devices where drop-down list.
  9. Choose Equals.
  10. Enter the device category you created in the blank text box.
  11. On the Dynamic membership rules pane, choose Add query.
  12. On the Group pane, choose Create.

The dynamic group is created in the Users and Groups – All Groups pane.

Step 5 – Assign a device to a category (Carts)

  1. Sign in to Intune.
  2. On the Intune pane, choose Devices.
  3. On the Devices pane, choose All devices.
  4. On the Devices – All devices pane, choose a device.
  5. On the device pane, choose Properties.
  6. On the device’s properties pane, enter the device category in the Device category text box.
  7. On the device pane, choose Save.

The device is now associated to the device category. Repeat this process for all the devices you want to associate to the device category you created.

Step 6 – Create classroom profiles

  1. Sign in to Intune.
  2. On the Intune pane, choose Device configuration.
  3. On the Device configuration pane, choose Manage > Cart Profiles.
  4. On the profiles pane, choose Create Profile.
  5. On the Create Association pane, enter a Name and Description.
  6. Choose Select Classes > Configure to associate groups to the Cart Profile.
  7. Choose the classes to include to the Cart Profile then choose Select.
  8. Choose Select Carts > Configure to associate groups to the Cart Profile.
  9. Choose the groups to include to the Cart Profile then choose Select.
  10. On the Create Association pane, choose Save to save the Cart Profile.

The profile is created and appears on the profiles list pane.

Step 7 - Assign the Cart Profile to Classes

  1. Sign in to Intune.
  2. On the Intune pane, choose Device configuration.
  3. On the Device configuration pane, choose Monitor > Assignment status.
  4. On the Assignment status pane, select the Cart Profile you created.
  5. On the Cart Profile pane choose Assignments and then, under Include choose Select groups to include.
  6. Select the classes you want the cart profile to target (do not select a group), then choose Select.
  7. When you are finished, choose Save.

The assignment completes, and Intune deploys the Classroom profile to the targeted devices based on the classroom assignment.

Next Steps

Now students can share devices between students, and students can pick up any iPad in a classroom, log in with a PIN and have it personalized with their content. For more information about Shared iPads, see the Apple website.