This article introduces additional configuration options for organisations that use Shared iPads managed by Apple School Manager.
Note: "Shared iPad" refers specifically to Apple's definition - Shared iPad. This is not suitable for iPads which are simply left for students to pick up without any logon or demarcation between one user and the next.
Prerequisites
It is assumed the reader is familiar with Installing Cloud Filter for iOS.
The Issue
On Shared iPads, it is not possible to push user-specific MDM configuration to individual apps. As such, all logged-in users on an iPad share the same settings documented in Installing Cloud Filter for iOS. Smoothwall Browser uses the UserID from those settings to identify users in policy decisions and Access Logs, so some additional steps need to be taken to ensure that the currently logged-in user is identified correctly.
Smoothwall Browser does this by having users sign in to your organisation's SSO.
SSO (Single Sign-On) Configuration Options
The following additional MDM settings are available for configuring your SSO environment.
Note - While these settings can also work on non-Shared iPads, it is recommended that you do not use them on such devices. It is far simpler to use your MDM's own functionality to push the correct username via UserID.
MDM Configuration Fields Naming Convention
Fields whose name starts with "Smoothwall" contain data that is provided to you by Smoothwall. All other fields are for data provided by you or your organisation.
Field Name | Field Type | Description | Examples |
SSOProvider | String | Optional, but recommended when deployed to Shared iPads using Apple School Manager. Instead of using the userID specified in UserID, use the specified SSO provider to obtain the user ID. There are two available options: Note - You must still supply a value for UserID, but its value will be ignored. | Microsoft |
UsersIDsAllowedToSSOSignIn | Array of String | Optional and only relevant when SSOProvider is supplied. This field contains a list of SSO usernames (case-insensitive) that are allowed to sign in to Smoothwall Browser. If your MDM solution does not support arrays natively, you may supply a comma-separated string containing the usernames instead. If this field is not supplied or is empty, then there is no limit on what SSO accounts can be used to sign in. This field supports a limited wildcard substitution. If the first character of a username string is a '*' then any username whose suffix matches the remainder of the string is allowed: Note - This setting cannot be used to allow Personal Accounts when using Microsoft SSO. | See Description |
CanStoreSSOUserIDInCloud | Boolean | Optional and only relevant when SSOProvider is supplied. When this is true, the username obtained from signing in via SSO on an iPad will be saved to the current iPad user's iCloud account. When that same user uses a different iPad with the same iCloud account, the Smoothwall Browser should automatically use that saved username without needing to ask for SSO on that or subsequent iPads. Note - Even with this setting, it is possible that users will still be asked to sign in via SSO on a different iPad if iCloud syncing is currently not possible or too slow. Important - This should not be enabled in situations where users could have multiple SSO accounts that they can log into, as the first one chosen will propagate to all future iPads they use. This is difficult to undo. | true, false |
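The wildcard rule for UsersIDsAllowedToSSOSignIn matches on suffix only, so an entry that omits the "@" also accepts usernames from look-alike domains. The following added example (not Smoothwall's code; the function names, the trimming of whitespace around entries and the example.* usernames are assumptions) models the rules described in the table above so that a list can be checked before it is pushed via MDM.

```python
# Added example: models the allow-list rules described in the table above.
# Not Smoothwall's code; names, trimming behaviour and sample data are assumed.

def parse_allow_list(value):
    """Accept an array of strings or a comma-separated string."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    # Assumption: whitespace around entries is ignored.
    return [item.strip().lower() for item in items if item.strip()]


def is_allowed(username, allow_list_value):
    """Return True if the SSO username passes the documented rules."""
    entries = parse_allow_list(allow_list_value)
    if not entries:
        return True  # field missing or empty: no limit on SSO accounts
    name = username.strip().lower()  # matching is case-insensitive
    for entry in entries:
        if entry.startswith("*"):
            # Leading '*': allow any username ending with the remainder.
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


def audit(allow_list_value, candidates):
    """Map each candidate username to the verdict it would receive."""
    return {c: is_allowed(c, allow_list_value) for c in candidates}


# Constructed sample data (example.* domains are placeholders).
CANDIDATES = [
    "Teacher1@school.example",
    "pupil@school.example",
    "someone@notschool.example",
]
TIGHT = ["*@school.example"]                      # '@' anchors the domain
LOOSE = "*school.example, admin@school.example"   # comma-separated form

if __name__ == "__main__":
    for label, value in (("tight", TIGHT), ("loose", LOOSE)):
        print(label, audit(value, CANDIDATES))
```

With the "@" included in the wildcard entry, only accounts in the intended domain pass; without it, `someone@notschool.example` is accepted as well.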