Sign in to Shared iPad
Both native and federated Managed Apple IDs are supported when signing in to Shared iPad. When using a federated account for the first time, the user is redirected to the Identity Provider’s (IdP) sign-in portal. After authenticating, a short-lived access token is issued for the backing Managed Apple ID, and the login process proceeds similarly to the native Managed Apple ID sign-in process. Once signed in, Setup Assistant on Shared iPad prompts the user to establish a passcode (credential) used to secure the local data on the device and to authenticate to the login screen in the future. Like a single-user device, where the user would sign in once to their Managed Apple ID using their federated account and then unlock their device with their passcode, on Shared iPad the user signs in once using their federated account and from then on uses their established passcode.
When a user signs in without federated authentication, the Managed Apple ID is authenticated with Apple Identity Service (IDS) using the SRP protocol. If authentication is successful, a short-lived access token specific to the device is granted. If the user has used the device before, they already have a local user account, which is unlocked using the same credential.
If the user hasn’t used the device before or is using the temporary session feature, Shared iPad provisions a new UNIX user ID, an APFS volume to store the user’s personal data, and a local keychain. Because storage is allocated (reserved) for the user at the time the APFS volume is created, there may be insufficient space to create a new volume. In such an event, the system identifies an existing user whose data has finished syncing to the cloud and evicts that user from the device in order to allow the new user to sign in. In the unlikely event that none of the existing users has completed uploading their cloud data, the new user’s sign-in fails. To sign in, the new user will need to wait for one user’s data to finish syncing, or have an administrator forcibly delete an existing user account, thereby risking data loss.
If the device isn’t connected to the Internet (for example, if the user has no Wi-Fi access point), authentication can occur against the local account for a limited number of days. In that situation, only users with previously existing local accounts or a temporary session can sign in. After the time limit has expired, users are required to authenticate online, even if a local account already exists.
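The provisioning and offline rules from the two paragraphs above, modelled in Python as an added example (this is not Apple’s code). The capacity, byte sizes, day limit and user records are constructed placeholders, the sign-out and background-sync step is represented only by the `cloud_sync_complete` flag on each record, and eviction is generalised to remove as many fully synced users as the new volume needs rather than exactly one.

```python
"""Model of the Shared iPad sign-in rules described above. Added example, not
Apple's code: byte sizes, the day limit and the user records are constructed
placeholders; only the decision structure follows the text."""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    apple_id: str
    volume_bytes: int            # storage reserved when the APFS volume was created
    cloud_sync_complete: bool    # background sync to iCloud finished after sign-out


@dataclass
class SharedIpad:
    capacity_bytes: int
    offline_grace_days: int      # placeholder for the "limited number of days"
    users: dict = field(default_factory=dict)   # apple_id -> LocalUser

    def free_bytes(self) -> int:
        return self.capacity_bytes - sum(u.volume_bytes for u in self.users.values())

    def provision_volume(self, apple_id: str, needed_bytes: int) -> list:
        """Reserve a volume for a new user. When space is short, evict users whose
        data has finished syncing (generalised here to as many as needed); if that
        still cannot free enough space, the sign-in fails. Returns evicted ids."""
        evicted = []
        synced = [u for u in self.users.values() if u.cloud_sync_complete]
        while self.free_bytes() < needed_bytes:
            if not synced:
                raise RuntimeError("sign-in failed: no local user has finished syncing")
            victim = synced.pop(0)
            del self.users[victim.apple_id]       # data is already safe in iCloud
            evicted.append(victim.apple_id)
        self.users[apple_id] = LocalUser(apple_id, needed_bytes, cloud_sync_complete=False)
        return evicted

    def sign_in(self, apple_id: str, needed_bytes: int, online: bool,
                days_offline: int = 0, temporary: bool = False) -> dict:
        """Apply the online/offline rules, then unlock or create the local account."""
        has_local = apple_id in self.users
        if not online:
            if days_offline > self.offline_grace_days:
                raise RuntimeError("offline limit expired: online authentication required")
            if not has_local and not temporary:
                raise RuntimeError("offline: only existing local accounts or temporary sessions")
        if has_local:
            return {"action": "unlocked", "evicted": []}   # same passcode unlocks the volume
        evicted = self.provision_volume(apple_id, needed_bytes)
        return {"action": "created", "evicted": evicted}
```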
After a user’s local account has been unlocked or created, if it’s remotely authenticated, the short-lived token issued by Apple’s servers is converted to an iCloud token that permits signing in to iCloud. Next, the user’s settings are restored and their documents and data are synced from iCloud.
While a user session is active and the device remains online, documents and data are stored on iCloud as they are created or modified. In addition, a background syncing mechanism ensures that changes are pushed to iCloud, or to other web services using NSURLSession background sessions, after the user signs out. After background syncing for that user is complete, the user’s APFS volume is unmounted and can’t be mounted again without the user signing back in.
Temporary sessions don’t sync data with iCloud, and although a temporary session can sign in to a third-party syncing service such as Box or Google Drive, there is no facility to continue syncing data when the temporary session ends.