Set up an iOS or iPadOS device in Shared Device Mode

Shared mobile devices are widely used across many industries, including manufacturing and retail. IDmelon Authenticator can be configured in shared device mode, enabling users to use their badge or biometric authentication to load passkeys into the device instantly. This allows users to access multiple applications with auto-login. The session time-to-live can be configured to support various shift change use cases with auto logout.

IDmelon Authenticator Shared Configuration Mode Features:

  • Passkeys Autofill: Provides passkeys to the operating system for authentication.
  • SSO Integration: Enables quick access to IDmelon-connected service providers.
  • MSAL Integration: Streamlines access to Microsoft apps.

This configuration has been tested with Microsoft Intune as the MDM, but other MDMs can push the same managed app configuration as well.


Prerequisites

  • iOS or iPadOS 17 or later.

Configure IDmelon Authenticator

Use these managed app configuration keys to set up IDmelon Authenticator in shared device mode via your MDM (e.g., Microsoft Intune, Jamf, Kandji, VMware Workspace ONE). Push them as standard managed app settings to enrolled devices.

Scope: Controls shared-mode behavior, PIN prompts, self-service flows, shortcuts, and optional MSAL shared-mode integration.

Configuration Keys

Key                    | Type        | Required    | Purpose
-----------------------|-------------|-------------|-------------------------------------------------------------------
shared_device_passkeys | Boolean     | Yes         | Enable shared device mode (true).
authentication_type    | String      | Yes         | When to prompt for PIN (onInit, onUse, none).
device_id              | String      | Yes         | MDM device identifier (e.g., Intune {{deviceid}}).
api_key                | String      | Recommended | Auto-activate app (Admin Panel → Shared Mobile API key).
one_time_use_passkeys  | Boolean     | No          | Remove/invalidate passkey after first successful login.
base_api_url           | String      | No          | Target dedicated/on-prem API endpoint.
self_service_url       | String      | No          | Redirect to self-service enrollment if card isn’t registered.
auto_logout            | String      | No          | Scheduled logout (one-time use, 5m, 60m, 2h, 4h, 6h, 8h).
shortcut_list          | JSON string | No          | In-app shortcuts (titles, URLs, icons).
shared_device_mode     | Boolean     | No          | MSAL shared device mode flag (requires MS Authenticator shared mode).
azure_client_id        | String      | No          | Azure App Registration Client ID for MSAL.

Key Details & Valid Values

shared_device_passkeys (Boolean, Required)

Enable shared device mode.

"shared_device_passkeys": true

authentication_type (String, Required)

Controls PIN prompts:

  • onInit — PIN once after first tap
  • onUse — PIN every login
  • none — PINless login

"authentication_type": "onInit"

device_id (String, Required)

MDM device identifier used for device binding.

  • Intune: {{deviceid}}
  • Others: use the provider’s device identifier token

"device_id": "{{deviceid}}"

api_key (String, Recommended)

Auto-activates the app on first run (no manual activation). Generate the key under Admin Panel → Authentication → API Key Management → Create → Type: Shared Mobile.

"api_key": "YOUR_GENERATED_KEY"

one_time_use_passkeys (Boolean, Optional)

Logs the user out and invalidates the passkey after the first successful login with it.

"one_time_use_passkeys": true

base_api_url (String, Optional)

Specify this when pointing to a dedicated/on-premises API endpoint.

"base_api_url": "https://your-dedicated-server.example.com/api"

self_service_url (String, Optional)

Redirect users to self-service enrollment if their card isn’t registered (Admin Panel → Security Keys → Workflows → Self-Service Actions).

"self_service_url": "https://panel.idmelon.com/self-service"

auto_logout (String, Optional)

Auto-logout after the given duration or after a single use. Allowed values: one-time use, 5m, 60m, 2h, 4h, 6h, 8h.

"auto_logout": "2h"

shortcut_list (JSON string, Optional)

Quick-access shortcuts inside the app.

Pretty:

{
  "shortcuts": [
    { "title": "My Apps",  "url": "https://myapps.microsoft.com", "iconName": "microsoft.com" },
    { "title": "MS Teams", "url": "https://teams.microsoft.com",   "iconName": "Teams" }
  ]
}

Some MDMs require the value to be a JSON string. If so, paste the JSON above as the string value of shortcut_list.

shared_device_mode (Boolean, Optional)

Enable MSAL shared device mode. Must also be enabled in Microsoft Authenticator.

"shared_device_mode": true

azure_client_id (String, Optional)

Azure App Registration Client ID for MSAL.

"azure_client_id": "YOUR_AZURE_APP_CLIENT_ID"

Implementation Notes

  • Booleans: lowercase (true/false).
  • Durations: strings, not numbers (e.g., "2h", "60m").
  • URLs: include scheme (https://).
  • If your MDM only supports key–value strings, wrap JSON objects (like shortcut_list) as a JSON string.
  • If using shared_device_mode, also configure Microsoft Authenticator for shared mode and supply azure_client_id.
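The checks in the Configuration Keys table and the Implementation Notes above can be applied before a profile is pushed. The following validator is an added example, not IDmelon's or any MDM's code; it assumes the managed app configuration is available as a JSON object with the key names documented on this page, and it treats `{{deviceid}}` as an unexpanded MDM token.

```python
import json
from urllib.parse import urlparse

KEY_TYPES = {  # key -> expected JSON type, from the Configuration Keys table on this page
    "shared_device_passkeys": bool, "authentication_type": str, "device_id": str,
    "api_key": str, "one_time_use_passkeys": bool, "base_api_url": str,
    "self_service_url": str, "auto_logout": str, "shortcut_list": str,
    "shared_device_mode": bool, "azure_client_id": str,
}
REQUIRED = ("shared_device_passkeys", "authentication_type", "device_id")
AUTH_TYPES = {"onInit", "onUse", "none"}
AUTO_LOGOUT = {"one-time use", "5m", "60m", "2h", "4h", "6h", "8h"}

def _check_url(key, value, problems):  # Implementation Notes: URLs must carry the https:// scheme
    u = urlparse(value)
    if u.scheme != "https" or not u.netloc:
        problems.append(f"{key}: must be an absolute https:// URL, got {value!r}")

def validate_config(cfg):
    """Return a list of problems; an empty list means the config passed every check."""
    problems = [f"{k}: required key is missing" for k in REQUIRED if k not in cfg]
    for key, value in cfg.items():
        typ = KEY_TYPES.get(key)
        if typ is None:
            problems.append(f"{key}: not a documented key")
        elif not isinstance(value, typ):  # catches "true" as a string and 2 instead of "2h"
            problems.append(f"{key}: expected {typ.__name__}, got {type(value).__name__}")
    if cfg.get("shared_device_passkeys") is False:
        problems.append("shared_device_passkeys: must be true for shared device mode")
    if "authentication_type" in cfg and cfg["authentication_type"] not in AUTH_TYPES:
        problems.append(f"authentication_type: must be one of {sorted(AUTH_TYPES)}")
    if "auto_logout" in cfg and cfg["auto_logout"] not in AUTO_LOGOUT:
        problems.append('auto_logout: not an allowed value (durations are strings, e.g. "2h")')
    for key in ("base_api_url", "self_service_url"):
        if isinstance(cfg.get(key), str):
            _check_url(key, cfg[key], problems)
    if isinstance(cfg.get("shortcut_list"), str):  # a JSON *string*, as some MDMs require
        try:
            for s in json.loads(cfg["shortcut_list"])["shortcuts"]:
                if not {"title", "url", "iconName"} <= set(s):
                    raise KeyError("shortcut fields")
                _check_url("shortcut_list", s["url"], problems)
        except (ValueError, KeyError, TypeError):
            problems.append('shortcut_list: not a JSON string with a "shortcuts" array of title/url/iconName')
    if cfg.get("shared_device_mode") is True and not cfg.get("azure_client_id"):
        problems.append("shared_device_mode: requires azure_client_id (and Microsoft Authenticator in shared mode)")
    return problems

EXAMPLE_1 = {"shared_device_passkeys": True, "authentication_type": "onInit",  # constructed from
             "device_id": "{{deviceid}}", "api_key": "YOUR_API_KEY"}           # this page's Example 1
```

Running `validate_config(EXAMPLE_1)` returns an empty list; feeding it a profile with `"auto_logout": 2` or a URL without its scheme returns one message per violated rule.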

Configure IDmelon Authenticator using Intune

  1. Navigate to Apps > iOS/iPadOS.
  2. Click the Add button.
  3. Select iOS store app as the App type and click the Select button.
  4. Click Search the App Store.
  5. Search for the IDmelon Authenticator app and click the Select button.
  6. Select iOS 17.0 as the Minimum operating system and click the Next button.
  7. Configure the Assignments tab according to your organization’s policies.
  8. Review the configurations you set and click the Create button.
  9. Navigate to Apps > App configuration policies, click + Add, and then Managed devices.
  10. Set a Name, select iOS/iPadOS as the Platform and IDmelon Authenticator as the Targeted app, then click the Next button.
  11. In the Settings tab, select the User configuration designer as the Configuration settings format, enter values for the configuration keys as explained in the Configuration Keys section above, and click the Next button.

Login Experience

When IDmelon Authenticator is configured in shared mode, users can walk in, tap their badge, and get the passkeys available to the device for authentication. Depending on the configuration, you can provide multiple user experiences.

Example 1: Basic configuration

Use the following configuration object when your MDM asks for app configuration (exact UI varies).

{
  "shared_device_passkeys": true,
  "authentication_type": "onInit",
  "device_id": "{{deviceid}}",
  "api_key": "YOUR_API_KEY"
}

  1. Open the IDmelon Authenticator.
  2. Get close to the reader (or plug in the keystroke reader) and tap your card on it.
  3. According to the Card Verification Method set in the IDmelon admin panel, if a PIN is required, enter it. Otherwise, go to the next step.
  4. On successful login, the user information is displayed. At this stage, move the app to the background.
  5. Open the app you want to log in to using the passkey (e.g., MS Teams), tap the paste icon on the top left corner of the keyboard, and tap Next.
  6. Tap Next.
  7. Tap Continue.

Example 2: With MSAL Login Experience

Use the following configuration object when your MDM asks for app configuration (exact UI varies).

{
  "shared_device_passkeys": true,
  "authentication_type": "onInit",
  "device_id": "{{deviceid}}",
  "api_key": "YOUR_API_KEY",
  "shared_device_mode": true,
  "azure_client_id": "YOUR_AZURE_APP_CLIENT_ID"
}

For MSAL integration, Microsoft Authenticator needs to be configured in shared mode. If you use Microsoft applications (MS Teams, Excel, Power BI, etc.), the Microsoft Authenticator app must be added and configured for shared mode.

Configure Microsoft Authenticator in shared device mode

  • Complete the user login steps (1-4) in the IDmelon Authenticator app as described in the previous section.

  • Once the user is logged in, go through the MSAL prompts by selecting the Continue and Next buttons.

  • Move the app to the background.

  • Open any app you want to sign in to (for example, Teams).

  • Paste the email using the paste icon on the keyboard.

Logout Experience

There are several ways to log out. One is manual, which you can see below. Another way is by managing the temporary session on iPad, which can streamline the logout experience. For more information, see Temporary Session Experience on Shared iPad.

Manual Logout from IDmelon Authenticator

This is a manual logout that, when MSAL is configured, also triggers sign-out from the connected Microsoft services.

  1. Open the app you logged into, and log out of the account.
  2. Open the IDmelon Authenticator and tap the logout icon in the top right corner of the app. Your user information and existing passkeys are deleted from the iPad.