All configuration keys
The complete settings reference.
Set every key in the Apple managed namespace (com.apple.configuration.managed) — the XML you
paste in Intune.
Required
api_key — turns the app into a shared device; its presence is the switch.
String · Default: none · a Shared Mobile secret from the IDmelon Admin Panel
base_api_url — points the app at your on-premise IDmelon instead of the cloud.
String · Default: absent (uses the cloud) · an https URL
No
shared_device_modeswitch on iPad.api_keyis what makes it a shared device.
Recommended
device_id — pre-sets a unique device id for this one iPad.
String · Default: none · never push one value to a whole fleet
shared_login_method — how users sign in: badge over the IDmelon Hub, or face on the
iPad camera.
String or Dict · Default: badge / hub · see Login methods
authentication_type — when a PIN or second factor is required (read lowercased).
String · Default: oninit · one of none, oninit, onuse
auto_logout — session timeout before the iPad signs the user out.
String · Default: never · never, one-time use, 5m, 60m, 2h, 4h, 6h, 8h
badge / hub is the paired-reader path; face / hid uses the iPad camera (no reader). For
keystroke/smart-card readers or a cloud face server, pass a full block — see
Login methods.
Microsoft
Set this group and Microsoft apps (Teams, Outlook) open without a second login. Skip it if you don’t use Microsoft apps. See Set up a shared iPad.
use_msal — turns on Microsoft Entra (MSAL) login; the on-switch.
Boolean · Default: false · set true to enable Microsoft sign-in
azure_client_id — your Entra app (client) id; the only required Microsoft key.
String · Default: none · the application GUID
azure_tenant_id — OPTIONAL. Your Entra tenant.
String · Default: common · set it only to lock sign-in to a single tenant
microsoft_sp_name — label shown for the Microsoft service provider.
String · Default: entra_id · any name
msal_browser_login — uses the system browser flow for sign-in.
Boolean · Default: false
msal_browser_login_url — base URL for the browser-login flow.
String · Default: https://login.microsoftonline.com
domain_hint — pre-selects an organization at the Microsoft prompt.
String · Default: none · a domain
use_login_hint — pre-fills the username at the Microsoft prompt.
Boolean · Default: true
external_login — opens Microsoft sign-in in an external browser.
Boolean · Default: false
Redirect URI is msauth.com.idmelon.idmelon-2://auth, hardcoded. See
Microsoft sign-in options.
Experience
Home screen and what opens around sign-in. All optional.
shortcut_list — home-screen tiles users tap after signing in.
Array of {title, url, iconName} · Default: none · see Home page Customization
default_sp_for_auto_login — auto-starts sign-in for one named provider.
String · Default: none · an SP name
open_url_after_login — opens this URL right after login; accepts tokens.
String · Default: none · a URL
open_url_after_logout — opens this URL right after logout; accepts tokens.
String · Default: none · a URL
self_service_url — where users who aren’t enrolled yet are sent.
String · Default: none · build the workflow in the Admin Panel first, then paste its URL
use_internal_browser — use the in-app browser instead of Safari.
Boolean · Default: true
Each tile’s iconName is fetched remotely as <name>.png, not bundled. See
Home page Customization.
Advanced security
shared_device_passkeys — turns on passkey (FIDO2) mode.
Boolean · Default: false · needs iPadOS 17 or later
one_time_use_passkeys — makes each passkey single-use.
Boolean · Default: false · needs iPadOS 17 or later
shared_authentication_backend — backend protocol for the shared auth flow (read
lowercased).
String · Default: legacy · legacy or authenticator
shared_device_mode — LEGACY on iPad; an MSAL fallback only, not the on/off switch.
Boolean · Default: false · don’t set it on iPad
See Advanced security before turning on passkeys.
Placeholder tokens
shortcut_list, open_url_after_login, and open_url_after_logout accept these tokens in
their URLs. The app swaps each for the signed-in user’s value.
| Token | Replaced with |
|---|---|
{email} | The user’s email |
{username} | The user’s username |
{name} | The user’s display name |
{realm} | The user’s realm |
{organization} | The user’s organization |
{tenantID} | The tenant id |
Example:
<key>open_url_after_login</key>
<string>https://myapps.microsoft.com/?login_hint={email}</string>
Notes that bite you
- Apple namespace only. Keys in
com.apple.configuration.managedhave no fallback. api_keyis the switch, notshared_device_mode, on iPad.base_api_urlis on-premise only. Leave it out for the cloud.device_idis per-device. Never push one value to a whole fleet.- Passkey keys need iPadOS 17 or later. They do nothing on older iPads.
auth_urlis Android-only. The iPad ignores it.- Lowercased values.
authentication_typeandshared_authentication_backendignore case. auto_logout:neverandone-time usemean no timer; any unrecognized value falls back tonever, so a typo leaves the session open.