Geekzone: technology news, blogs, forums


JayADee

#323992 13-Feb-2026 08:35

Hi,
Has anyone got a list of the toggles for the enrolment profile and device restrictions for shared, managed iPads using Intune? I’m federating to Google. I had it working once and messed with it and now I’m lost again. After starting the newly wiped iPad I get to the Apple login screen, put the user Google email in and then it takes me straight to asking for the device passcode, skipping both the Apple login (the Google password) and the screen asking me to create a device passcode.

When I get past this hurdle the next thing I’d like to do is set the device passcode to 4 numbers instead of the present 8 alphanumeric.

No one has used their Managed Apple accounts yet so now is the time to figure this out so I can apply profiles and unbox. I’m using a test user account in Google to experiment with.

Thanks!


JayADee

  #3461219 13-Feb-2026 13:34

Ok so I am able to log in to the shared iPad with my test user profile BUT it's a ridiculous process of logging in about three times, once using Google creds, once using Google creds to log in to Apple... then I am prompted to make a shared iPad passcode. What I was expecting was one login with Google creds and a prompt to make an iPad passcode...

These are the profile settings I think may need some changing, like maybe try hiding Apple? It's a pain resetting the test iPad every time so I'm hoping you guys have some insight.

Setup assistance screens

  • passcode: show
  • location services: show
  • restore: hide
  • apple id: show




zocster
  #3461230 13-Feb-2026 14:14

You’re basically seeing the normal collision between Shared iPad mode, Intune ADE enrolment, and Apple Business Manager federation — plus a passcode policy override. A few specific things to check that usually resolve this:

1. Passcode length (your 8-character issue)

This almost always comes from an Intune compliance policy overriding your configuration profile.

Check:

Intune → Devices → Compliance policies → iOS/iPadOS

Make sure minimum passcode length and complexity match your config profile (e.g. numeric, 4 digits). Compliance wins every time.

2. Setup Assistant screen sequencing

In the ADE enrolment profile:

Devices → iOS/iPadOS → Enrolment Program Tokens → Profile → Setup Assistant

Recommended for Shared iPad testing:

  • Apple ID = Show
  • Passcode = Show
  • Restore = Hide
  • Location Services = optional

Hiding Apple ID while federation is active often causes the odd login jump you described.

3. Shared iPad mode expectations

With Shared iPad + Managed Apple IDs you will usually see:

  • Identity login (Google → Apple federation)
  • Then local device passcode creation

That separation is intentional — Apple keeps identity auth and device unlock separate.

4. Federation sanity check

In Apple Business Manager:

Settings → Accounts → Federation

Confirm domain verified, federation active, and the test Managed Apple ID actually exists.

If behaviour stays inconsistent, temporarily disable federation, enrol one device cleanly, then re-enable.

5. Reset method matters

Factory reset the iPad and let ADE trigger automatically.

Local erase without ADE reassignment can produce inconsistent setup behaviour.

Once passcode compliance and ADE setup screens are aligned, the enrolment flow usually stabilises.


JayADee

  #3461332 13-Feb-2026 17:29

Oh my gosh, thanks for the reply! I've set this whole thing up from scratch myself and you're the first person I've had a chance to check anything with. I am grateful.

 

1. Passcode length (your 8-character issue): I've got Apple School Manager's passcodes set to 8 (you set it in 'Location') and so everyone who federated from Google now has it set to 8 in their ASM (Managed Apple) account. I'm pretty sure that's where it's coming from. I have just been googling it. I can see the ASM passcode length is editable in the student accounts. According to AI I can bulk change all student ones to 4 numeric, yay.

 

I'll try manually resetting a single test user's passcode length first and see what happens.

 

2. 

 

  • Apple ID = Show
  • Passcode = Show
  • Restore = Hide
  • Location Services = optional
    Hiding Apple ID while federation is active often causes the odd login jump you described.

Agreed, got rid of the jump by showing Apple ID and Passcode! Location Services I'm not too sure what that's doing; I need to look that up, it might be why I'm getting keyboard and language options. It's not showing me actual location settings I don't think.

 

 

 

3. Shared iPad mode expectations

 

With Shared iPad + Managed Apple IDs you will usually see:

 

  • Identity login (Google → Apple federation)
  • Then local device passcode creation
    That separation is intentional — Apple keeps identity auth and device unlock separate.

Ok so I am thinking the double login plus passcode rigmarole is intentional then. Log in the first time is Google federation as you say, second time is to Apple School Manager and then device passcode creation.

 

Note: Google says "In some configurations, the iPad may ask them to "Sign in to Apple School Manager" to officially link the federated identity to the device's local partition. They should continue using their original Google credentials for this step if prompted for a password."

 

 

 

4. Federation sanity check

 

That part has been going along pretty well. I had the whole 30 day wait to clear old user accounts to clean the domain over the holidays but after that pretty smooth sailing.

 

5. Reset method matters

 

Can you elaborate? I've reset the iPad through 'wipe' in Intune a few times, and at least once in DFU mode, a couple of times through iTunes. I hope I'm done 'breaking' it now so my go-to is to use wipe: Devices -> all devices -> ipadname -> wipe

 

I can't remember if I sync devices again after that. I let ADE trigger automatically from the hello screen.

 

Thanks for the help!




zocster
  #3461336 13-Feb-2026 18:25

Intune wipe is usually the cleanest because it preserves ADE supervision, but DFU/iTunes restores still keep the Apple Business Manager assignment intact so ADE should trigger normally once the device hits the activation server.

 

You generally don’t need to re-sync ABM after every wipe unless you’ve reassigned the device, changed enrolment profiles, or Intune isn’t seeing the device correctly. Otherwise the activation handshake handles it.

 

The login jump you saw earlier is much more commonly tied to federation + Setup Assistant screen settings than the wipe method itself — especially if Apple ID or passcode screens were hidden.

 

Letting ADE trigger automatically from the Hello screen is exactly the right flow.


JayADee

  #3461482 14-Feb-2026 15:01

Thanks again. Teacher and shared student iPad profiles and restrictions are all working now. Once set up on an iPad students tap their account and input a 4 digit number which can be mass generated in advance. I have left guest user turned on for flexibility.

 

One pain I didn’t foresee is any student who’s never logged into Google before has to go through Google’s login process first on the iPad as part of the login prompting process… right down to the Google welcome to your account screen. Then the login flicks over to the rest of the login process.


JayADee

  #3462091 17-Feb-2026 08:48

Have you got a separate update policy set? 


 
 
 

zocster

  #3462094 17-Feb-2026 08:55

Yes — I would have an iOS/iPadOS update policy set separately in Intune. Mostly just to keep updates predictable and avoid surprises during enrolment or class use rather than locking things down aggressively.

 

 

 

With Shared iPads especially I found leaving updates fully automatic can sometimes introduce odd timing issues around login/setup, so having a light-touch policy there just keeps things consistent. Nothing too restrictive though — more guardrails than control.


JayADee

  #3462183 17-Feb-2026 11:59

Ok thanks I’ll have a go at making one

 

edit: had a go. I’ll remotely sign everyone out before the scheduled update and see how it goes.


zocster
  #3462466 18-Feb-2026 07:00

Recommended iPadOS Update Policy (Intune)

1. Update Ring / Policy Type

Devices → iOS/iPadOS → Update policies

Use: iOS/iPadOS Software Update Policy (not compliance or restriction profile).
This gives proper OS update control.

2. Core Recommended Settings

Update Type

Automatically install updates → ON (but controlled)
Avoid fully manual unless you have dedicated IT staff managing devices constantly.

Delay Period

7–14 days recommended

Why:

  • Lets Apple patch early bugs
  • Avoids first-wave update issues
  • Still keeps devices current

For schools: 14 days is common.

Installation Window

Set a defined window:

Example:

  • After hours (e.g. 6 pm–6 am)
  • Or weekends if possible

This prevents:

  • Mid-class updates
  • Login interruptions
  • Shared iPad session disruptions.

Force Restart Behaviour

Recommended:
Require device restart outside active hours
Shared iPads hate surprise reboots.

3. Setup Assistant Interaction (Important)

Updates can trigger additional login prompts if:

  • Federation tokens refresh
  • Apple ID session resets
  • Device just enrolled

So keep:

  • Apple ID screen visible during enrolment
  • Passcode policies aligned
  • Update policy not forcing immediate install post-enrolment.

4. Shared iPad Specific Tips

A. Avoid “Install Immediately” policies

This causes:

  • Login loops
  • Cached user session issues
  • Storage partition conflicts

Shared iPads manage multiple users locally.

B. Storage Awareness

Updates need space.
If you use:

  • Many cached users
  • Large app deployments

Then allow:

  • Some user cache trimming
  • Or slightly longer update delay.

5. What I Typically Recommend in Schools / Shared Environments

Sensible baseline:

  • Auto updates ON
  • 14-day deferral
  • Overnight install window
  • Restart outside active hours
  • Light restrictions only.

Stable without being rigid.

6. Things NOT to Over-Control

Avoid:

  • Blocking updates indefinitely
  • Forcing same-day installs
  • Complex restart enforcement
  • Excessive compliance triggers.

Those create more support tickets than they solve.

7. Quick Summary

If you want simple:

  • Auto update: Enabled
  • Deferral: 14 days
  • Install window: After hours
  • Restart: Outside active use
  • Restrictions: Minimal

That keeps Shared iPads reliable.


JayADee

  #3462575 18-Feb-2026 13:28

Excellent thanks so much, I’ll change a few of my settings to match yours. They updated last night bar one which was low on power. I very much appreciate your recommendations!


JayADee

  #3466877 4-Mar-2026 22:04

@zocster

 

 

 

Oh boy!! I ran into a vexing issue today!

 

Room 1 iPads (the test group of 7 iPads with 1-3 accounts on each iPad)

 

My changing the iPad passcodes (the 4 digit screen code) at least a week ago on these seems to have triggered a belated Apple account settings update requirement, throwing a red error in settings where the user is prompted to update their Apple password/passcode but can't because block account changes is set to YES in my device restrictions policy.

The shared, managed accounts seemed to have worked fine up until today. Even with the error present the lock screen opens with the 'new' passcode I had changed it to? I'm guessing the passcode change is what is causing this error in settings? I might have had block account changes set to YES when I changed them, I really can't remember.

To confuse matters further we also ran out of IP addresses on Monday (called the ISP and had them doubled)

Not being sure of the cause of the account errors I tried wiping an iPad and re-adding the same unadulterated kid's accounts but I got the same error, so it's not the iPad, it's the Apple account. So what I did was set block account changes to unconfigured, reset the passcode to a temporary one (and ticked 'log user out of accounts') and then reset a new passcode. At the moment the block account changes is still OFF. So far the latest passcode change isn't resulting in an error but it didn't the last time I did it either.

Which brings me to very important question number two:

When I am setting up brand new iPads with as yet unused Apple accounts (accounts are present in Apple School Manager federated from Google as the IdP complete with passwords), do I need to have block account changes set to unconfigured and then change it back to configured (yes) after the new accounts are added to the iPads and their shiny new passcodes are set? Or can I leave block account changes set to yes while I add new managed accounts to shared iPads?

Because today I set up a few new accounts on new iPads (room 3) with block account changes set to yes. My logic was putting on an existing Google/Apple password and a new (not yet existing) screen passcode wasn't a 'change'. After the fact I have now turned block account changes to unconfigured on these as well. Those accounts seem to be working but so did Room 1's for over a week or two until they just didn't. Should I try using these accounts once while block account changes is still set to unconfigured, not re-set to 'yes', just in case that might confirm any latent 'changes'?

 

Any advice would be great!


 
 
 

JayADee

  #3466881 4-Mar-2026 22:28

I also added some web clips yesterday, by device group (not user). That wouldn't have triggered a problem?


zocster
  #3466888 5-Mar-2026 04:24

It doesn’t sound like the Web Clips would have caused this. A Web Clip profile is essentially just a Home Screen shortcut to a URL, so it doesn’t interact with Apple ID authentication or account security. I’ve used those by device group before without seeing them affect Apple ID state.

 

From what you described, it sounds more likely related to the passcode change. Changing the device passcode can sometimes trigger an Apple account security refresh for Managed Apple IDs. If Block account changes = Yes is already enforced, the device can’t complete that refresh, which results in the red “Update Apple ID settings” warning in Settings. The device can still unlock because the existing login token is valid, but the account update itself is blocked.

 

That would also explain why wiping the iPad didn’t resolve it — the trigger is tied to the Managed Apple ID security state, not the specific device.

 

Regarding your second question about setup: what has worked more reliably for me is leaving Block account changes set to Unconfigured while the account is first used on the Shared iPad, letting the user sign in and set their passcode once so the account session and security state are established. After that, turning Block account changes = Yes seems to be fine.

 

So the rough sequence I’ve settled on is:

 

 

 

     

  1. Leave Block account changes = Unconfigured
  2. User signs in with their Managed Apple ID
  3. Set the screen passcode
  4. Confirm login works once
  5. Then apply Block account changes = Yes

 

That seems to avoid the “update Apple ID settings” warning appearing later.

 

The Web Clips themselves shouldn’t have triggered anything here.


cddt
  #3466890 5-Mar-2026 06:20

JayADee:

 

To confuse matters further we also ran out of ip addresses on Monday (called the isp and had them doubled)

 

 

What does the school use all these IP addresses for? 


JayADee

  #3466925 5-Mar-2026 08:46

iPads, Chromebooks, scanner, printers X3, smart devices, phones, APs, laptops etc

