Did Microsoft just solve a big business iPad problem?

One of the most disappointing things about iOS devices as business devices, and one of the things that keeps the iPad from being a true computing solution, is that there is no support for multiple-user accounts. An unlikely ally is determined to solve the problem for Apple. A future version of Microsoft Authenticator will allow for a multi-user iPad experience.

One of the most disappointing things about iOS devices as business devices, and one of the things that keeps the iPad from being a true computing solution, is that there is no support for multiple-user accounts -- unless you’re a K-12 student. With Apple Classroom, iPads support multiple-user accounts only in a special education mode intended for schools. When Apple announced Classroom, there was a lot of hope that, along with enterprise solutions like the Device Enrollment Program, the feature would migrate to the enterprise.

That didn’t happen. So far as Apple is concerned, iOS devices, even the new iPad Pros that are billed as a laptop replacement when used with a keyboard and trackpad, remain single-user devices.

Apple promotes the idea of shared devices (a healthcare worker can grab any one of several iPads at a nurses’ station), but each such iPad remains configured identically to every other iPad and doesn’t easily connect a user to any resources that are specific to that user (email, calendar, personal or shared files, etc.). Likewise, there is a kiosk mode for iPads used by customers or visitors.

What makes this so puzzling is that macOS is utterly multi-user because of its Unix underpinning. It supports local accounts of different family members and enterprise accounts, typically Active Directory accounts, of corporate employees. Even as Apple narrows the differences between the two platforms, iOS and iPadOS remain single-user devices.

Microsoft to the rescue

An unlikely ally is determined to solve the problem for Apple. A future version of Microsoft Authenticator will allow for a multi-user iPad experience. While this doesn’t help consumers, it does help businesses. To bring Microsoft’s vision of multiple enterprise user accounts to full fruition will take some help from developers and IT departments. Microsoft staffers have indicated that Apple has actually been an almost invisible help to the project.

Motives

It may seem strange that Microsoft would want to help make the iPad more enterprise-worthy. After all, the company’s Surface line of PCs directly compete with the iPad. So what gives?

I don’t have a crystal ball or covert contacts, but I have watched the relationship of these two companies for over 20 years. Here’s my take on motive.

Microsoft realizes that it doesn’t have the dominance that it once had. Yes, it wants to sell as many Surface devices as it can, but the company also knows that there is a strong software and services opportunity, Microsoft’s bread and butter, in providing enterprise-ready options on other platforms. It can easily earn more from license/subscription deals over time than from one-shot hardware purchases.

In this case, Microsoft recognizes that the iPad is a strong seller in the enterprise space and wants to ensure that customers remain in its grasp regardless of what they use. It doesn’t want IT leaders to think “Well, we’ve gone Apple this far, maybe we should consider iWork or G Suite -- if we’re making that change it’d be easier to make some other changes at the same time. If we don’t need Office, maybe a best-in-breed unified endpoint management (UEM) like MobileIron would be better than Intune. Well, if we have all of these choices for cloud providers and we’re not using Azure except for Azure AD, maybe we should look at Okta or another cloud-based identity manager.”

Granted, few organizations will go all the way down that particular chain of thought. Some might, and opting out of Microsoft subscriptions can have a snowball effect across one enterprise or even across an industry.

As long as Microsoft has a toehold in there, it can make it easier to retain and attract customers. So there’s an incentive to develop for iOS, but developing an industry-first solution to a common enterprise concern is a big deal, and it’s an extremely attractive one that encourages companies to choose or stick with additional Microsoft apps and services.

Single sign-on

So let’s get down to exactly what Microsoft is doing. Single sign-on is a very basic and useful enterprise technology. In simple terms, it means that you don’t need to repeatedly enter login information every time you check your email, open apps, or connect to websites or cloud solutions. When you sit down at your PC in the morning and log in, that’s the extent of identifying yourself to the PC and every other enterprise service in your environment.

Single sign-on is typically based around a technology called Kerberos that uses tokens to connect your account to any service. In addition to convenience, single sign-on also ensures a higher level of security across a network because tokens are used to identify you rather than you needing to re-enter your credentials.

What does single sign-on have to do with iPadOS?

You can probably see how single sign-on is all about secure accounts in a multi-user system. But the iPad doesn’t support single sign-on or Kerberos or Active Directory (macOS does but that’s a separate discussion). At least not directly or in the way a PC does.

In iOS 13, Apple began to support single sign-on through third-party plug-ins, and this is what Microsoft is building: a single sign-on capability that allows users to log in to a single network service and then not need to do so again until they log out or time out. This enables network credentials to extend to iPadOS.

Microsoft is delivering this in the form of the Microsoft Authenticator app. When installed, it can be used to establish a secure network connection and once connected, you have easy access to any network or cloud resources associated with your account.

This also means that the connection won’t be made until there’s a login using Authenticator. Up until that point, the iPad is in its traditional single-user state.

This isn’t a perfect solution (yet). The multi-user environment only impacts apps that are built to recognize and use the single sign-on plug-in. That means that developers need to explicitly incorporate this support into their apps.

To be useful, Microsoft needs apps that support single sign-on on iOS. This includes its own apps and services as well as third-party apps -- both commercial apps from the App Store and enterprise apps developed for use with a company.

How to deploy single sign-on

In theory this should be a relatively simple task for IT. Use your enterprise mobility management (EMM)/UEM system of choice to push the Authenticator app plus any supported apps. You may also need to push down configuration data and commands. That’s pretty much the workload -- outside of sourcing and/or building apps that support Microsoft single sign-on -- and it can largely be automated.

How this looks to end users once implemented

So what does this look like once deployed? It will probably vary depending on how many apps supporting the single sign-on plug-in are installed and what they are but the basic concept should go something like this:

  • Employee takes an iPad.
  • Unlocks iPad, sees a prepopulated set of apps. The initial experience is no different than picking up any managed iPad and looks identical to every other iPad at shift beginning (or when it’s checked out).
  • User launches Microsoft Authenticator, logs in with network credentials.
  • At this point the overall experience of the iPad itself doesn’t change.
  • When the employee launches supported apps, however, they see their files/content and app configuration -- presumably this will include all Microsoft apps including Office and Outlook (where users can see and reply to their emails or calendars). There would likely be messaging/video chat apps, apps specific to the workplace as a whole (payroll, time and attendance, expense reporting, etc.) as well as apps specific to the department where the user works.
  • If the employee launches an app that lacks support for Microsoft single sign-on, the app will offer the same generic experience appropriate to anyone using that iPad.

The experience isn’t entirely like logging into a PC and it is heavily app-specific but, provided there’s a robust set of supporting apps, it will come close.

Some considerations

The only user experience challenge is that there isn’t an obvious distinction between a single sign-on app and any other app. Users will need to be trained to know which apps offer personalized work tools and which are generic.

The simplest solution is to just email a list of supporting apps. But that might not be seen, or might be forgotten.

A better option would be to include no non-single sign-on apps on the device, or as few as possible; that app set can be pushed to all the iPads by a company’s management console of choice.

Still in preview

Right now, single sign-on is only available as a preview for developers so they can begin building support into their apps, though IT professionals will also benefit from checking out what’s coming down the pike. Extremely tech savvy users might want to try working with the preview, but should note that this is in its very early stages and it’s probably better to wait and see at this point. Microsoft does provide documentation on installation and testing.

This likely won’t be a feature that’s launched as a finished product for some time. As I noted, this is still pretty early and one of Microsoft’s top objectives is to build a developer base at this point to ensure as broad adoption as possible when it officially launches.

Apple’s part in the story

For the most part, Apple’s big part in the story is simply providing the capability for single sign-on plug-ins. Apple has provided some degree of assistance during the initial development stages. That shows that Apple does support the project but is leaving much of the effort to Microsoft at this point.

The ultimate goal here seems to be shoring up support for the iPad Pro as a complete enterprise laptop replacement. Whether this achieves that goal or simply gets a few steps closer is an area where we’ll need to wait and see.