Shared iPad security in iPadOS
Shared iPad is a multiuser mode for use in iPad deployments. It allows users to share an iPad while maintaining separation of documents and data for each user. Each user gets their own private, reserved storage location, which is implemented as an APFS (Apple File System) volume protected by the user’s credential. Shared iPad requires the use of a Managed Apple Account that’s issued and owned by the organization.
With Shared iPad, a user can sign in to any organizationally owned device that’s configured for use by multiple users. User data is partitioned into separate directories, each in their own data protection domains and protected by both UNIX permissions and sandboxing. In iPadOS 13.4 or later, users can also sign in to a temporary session. When the user signs out of a temporary session, their APFS volume is deleted and its reserved space is returned to the system.
Signing in to Shared iPad
Both native and federated Managed Apple Accounts are supported when signing in to Shared iPad. When using a federated account for the first time, the user is redirected to the Identity Provider’s (IdP) sign-in portal. After authenticated, a short-lived access token is issued for the backing Managed Apple Accounts—and the login process proceeds similarly to the native Managed Apple Accounts sign-in process. Once signed in, Setup Assistant on Shared iPad prompts the user to establish a passcode (credential) used to secure the local data on the device and to authenticate to the login screen in the future. Like a single-user device, in which the user would sign in once to their Managed Apple Account using their federated account and then unlock their device with their passcode, on Shared iPad the user signs in once using their federated account and from then on uses their established passcode.
When a user signs in without federated authentication, the Managed Apple Account is authenticated with Apple Identity Service (IDS) using the SRP protocol. If authentication is successful, a short-lived access token specific to the device is granted. If the user has used the device before, they already have a local user account, which is unlocked using the same credential.
If the user hasn’t used the device before or is using the temporary session feature, Shared iPad provisions a new UNIX user ID, an APFS volume to store the user’s personal data, and a local keychain. Because storage is allocated (reserved) for the user at the time the APFS volume is created, there may be insufficient space to create a new volume. In such an event, the system identifies an existing user whose data has finished syncing to the cloud and evicts that user from the device so that the new user to sign in. In the unlikely event that all existing users haven’t completed uploading their cloud data, the new user sign in fails. To sign in, the new user must wait for the previous user’s data to finish syncing, or have an administrator forcibly delete an existing user account, thereby risking data loss.
If the device isn’t connected to the internet (for example, if the user has no Wi-Fi access point), authentication can occur against the local account for a limited number of days. In that situation, only users with previously existing local accounts or a temporary session can sign in. After the time limit has expired, users are required to authenticate online, even if a local account already exists.
After a user’s local account has been unlocked or created, if it’s remotely authenticated, the short-lived token issued by Apple’s servers is converted to an iCloud token that permits signing in to iCloud. Next, the users’ settings are restored and their documents and data are synced from iCloud.
While a user session is active and the device remains online, documents and data are stored on iCloud as they are created or modified. In addition, a background syncing mechanism helps ensure that changes are pushed to iCloud, or to other web services using NSURLSession background sessions, after the user signs out. After background syncing for that user is complete, the user’s APFS volume is unmounted and can’t be mounted again without the user signing back in.
Temporary sessions don’t sync data with iCloud, and although a temporary session can sign into a third-party syncing service such as Box or Google Drive, there’s no facility to continue syncing data when the temporary session ends.
Signing out of Shared iPad
When a user signs out of Shared iPad, that user’s keybag is immediately locked and all apps are shut down. To accelerate the case of a new user signing in, iPadOS defers some ordinary sign-out actions temporarily and presents a login window to the new user. If a user signs in during this time (approximately 30 seconds), Shared iPad performs the deferred cleanup as part of signing in to the new user account. However, if Shared iPad remains idle, it triggers the deferred cleanup. During the cleanup phase, Login Window is restarted as if another sign-out had occurred.
When a temporary session is ended, Shared iPad performs the full logout sequence and deletes the temporary session’s APFS volume immediately.