
When I first got asked to "wipe a batch of iPads and enroll them into Intune in shared mode," I had exactly zero practical experience doing it. I understood Intune pretty well on the Windows side, but Apple enrollment felt like walking into a room where everyone already knew the rules — and I didn't even know what game we were playing.

What I did know was the outcome we needed: a set of corporate iPads that multiple users could safely share, where each person could sign in, do their work, and sign out without leaving behind a mess of cached data or access tokens. In Microsoft terms, that's Microsoft Entra shared device mode on iOS/iPadOS — designed for frontline-style scenarios where devices rotate between users.

Step 1: Understanding "Shared Mode" (and Why the Wording Matters)

One of the first lessons I learned is that "shared iPad" can mean two different things:

Shared iPad (Apple feature): creates user partitions on the device and is typically paired with "no user affinity" enrollment.

Shared Device Mode (Microsoft Entra feature): focuses on secure sign-in/out flows for multiple users, typically using Microsoft Authenticator and supported apps.

In my case, we meant Entra shared device mode — because the goal was clean user sign-in/sign-out and tight access control in Microsoft 365 apps. Once I locked onto that, everything else started to click.

Step 2: Why Wiping Is Non-Negotiable

I learned quickly that Apple Automated Device Enrollment (ADE) is happiest when devices are truly in an out-of-box state. Microsoft's own guidance basically says it outright: if you're going to ADE-enroll a device, wipe it first so it comes up like new and takes management cleanly.

So the wipe step became the "foundation":

If the iPad had already been used (even briefly), I wiped it. If the iPad had random setup leftovers, I wiped it. If I wasn't 100% sure, I wiped it.

That sounds heavy-handed, but it saved time later — because troubleshooting half-enrolled iPads is a special kind of pain.

Practically, this meant using the device's Erase All Content and Settings workflow (or using an admin workflow if you're doing this at scale). The end goal is the same: the next boot should start Setup Assistant like it's brand new.

Step 3: Making Sure Intune and Apple Business Manager Are Actually Connected

ADE is the bridge between Apple Business Manager (ABM) and Intune. The iPad has to be in ABM, assigned to your MDM server (Intune), and Intune needs a valid enrollment token so it can sync device records.

Microsoft's ADE setup requirements are pretty clear: you need ABM access, an ADE token (.p7m), an Apple MDM push certificate in Intune, and wiped devices ready to enroll.

This was the first moment I realized: enrolling iPads isn't "just Intune." It's an ecosystem:

ABM assignment controls whether a device can enroll via ADE.

Intune enrollment profiles control how it enrolls.

The device wipe is what triggers the experience on the iPad.

Step 4: Creating the Right Enrollment Profile for Shared Device Mode

Once the ABM-to-Intune connection is in place, the enrollment profile is where shared device mode comes alive. Microsoft documents a specific approach for automated device enrollment for shared device mode, including key settings like shared mode user affinity and locked enrollment.

The high-level profile intent is:

The device enrolls via ADE.

It's locked to management (users can't just remove it).

It's targeted to the right set of devices.

It's prepared for multiple users cycling through sign-in and sign-out.

This is also where I started learning how important targeting is. Microsoft recommends using things like a dynamic group based on the enrollment profile name, or an assignment filter using the same concept — so you can reliably scope apps and policies only to these shared devices.

Step 5: The "Sync Problem" I Didn't Know Existed (and How I Solved It)

Here's a real "rookie" moment: I assumed once ABM was configured, devices would just appear in Intune instantly whenever I wanted. That's not how it works in the real world.

Intune uses an ADE sync process, and Microsoft enforces a 15-minute cooldown between sync requests for ADE/DEP tokens. So if you're impatient (I was), you end up clicking "sync" repeatedly and wondering why nothing's happening.

That's exactly why I built and leaned on my script repo: Automated-Device-Enrollment-Sync.

The tool (ADE-Sync.ps1) is designed to:

Discover ADE/DEP tokens in the tenant.

Trigger sync for each token.

Respect the 15-minute cooldown.

Show a real-time countdown and status details.

Repeat continuously until you stop it.

It was a game-changer because it replaced guesswork with a predictable rhythm: sync, wait, sync again — without me babysitting the portal.
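As an added, simplified illustration of that rhythm (this is not the ADE-Sync.ps1 script from the repo), the loop below uses the Microsoft.Graph PowerShell SDK and the Microsoft Graph beta depOnboardingSettings endpoints to discover each ADE/DEP token, trigger a sync only once the 15-minute cooldown since the token's last triggered sync has elapsed, and count down to the next eligible window. The cooldown length and the DeviceManagementServiceConfig.ReadWrite.All scope are taken from Microsoft's documentation; everything else is assumed for the example.

```powershell
# Added illustration, not the repo's ADE-Sync.ps1: poll every ADE/DEP token via Microsoft
# Graph (beta) and trigger a sync only once the 15-minute cooldown since the last
# triggered sync has elapsed. Assumes the Microsoft.Graph PowerShell SDK is installed.
param(
    [int]$CooldownMinutes = 15   # Intune's documented cooldown between sync requests
)

Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All" | Out-Null
$base = "https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings"

function Get-DepTokens {
    # Discover every ADE/DEP token uploaded to the tenant
    (Invoke-MgGraphRequest -Method GET -Uri $base).value
}

function Invoke-DepSync([string]$TokenId) {
    # Ask Intune to pull the latest device list from Apple for one token
    Invoke-MgGraphRequest -Method POST -Uri "$base/$TokenId/syncWithAppleDeviceEnrollmentProgram"
}

while ($true) {
    $now = [DateTime]::UtcNow
    $nextDue = $now.AddMinutes($CooldownMinutes)
    foreach ($t in Get-DepTokens) {
        $last = if ($t.lastSyncTriggeredDateTime) { ([DateTime]$t.lastSyncTriggeredDateTime).ToUniversalTime() } else { [DateTime]::MinValue }
        $eligibleAt = $last.AddMinutes($CooldownMinutes)
        if ($now -ge $eligibleAt) {
            try {
                Invoke-DepSync $t.id | Out-Null
                Write-Host ("[{0:u}] sync triggered: {1} ({2} synced devices, last error: {3})" -f `
                    $now, $t.tokenName, $t.syncedDeviceCount, $t.lastSyncErrorCode)
                $eligibleAt = $now.AddMinutes($CooldownMinutes)
            } catch {
                Write-Warning "sync failed for $($t.tokenName): $($_.Exception.Message)"
            }
        } else {
            Write-Host ("[{0:u}] cooldown: {1} eligible again at {2:u}" -f $now, $t.tokenName, $eligibleAt)
        }
        if ($eligibleAt -lt $nextDue) { $nextDue = $eligibleAt }
    }
    # Live countdown until the earliest token is eligible again; Ctrl+C stops the loop
    while ([DateTime]::UtcNow -lt $nextDue) {
        $remaining = $nextDue - [DateTime]::UtcNow
        Write-Host ("`rnext sync window in " + $remaining.ToString("mm\:ss") + " ") -NoNewline
        Start-Sleep -Seconds 1
    }
    Write-Host ""
}
```

Checking lastSyncTriggeredDateTime before each POST is what keeps the loop from tripping the cooldown with repeated requests, which is the same mistake the portal's sync button invites.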

Step 6: Finishing the Shared Device Mode Experience on the iPad

With the device wiped and properly assigned, the enrollment experience becomes straightforward: you boot the iPad, it hits Setup Assistant, and ADE pulls it into Intune with the profile you configured.

For Shared Device Mode specifically, Microsoft notes that after enrollment you typically launch Microsoft Authenticator, which kicks off and completes the shared mode registration flow (or it can be initiated by shared-mode-enabled apps).

This is the point where everything finally felt "real" to me. Up until then, I was mostly configuring portals and tokens. But seeing the iPad come up clean, enroll, and then support a multi-user sign-in/out pattern — that's when I knew I'd actually built the pipeline correctly.

What I Learned (the "Zero Experience" Truth)

If I'm being honest, the hardest part wasn't clicking the right buttons — it was learning the mental model:

Wipe first so the device is in the right state.

ABM assignment determines whether ADE can happen.

Intune tokens + sync determine when devices show up (and cooldowns are real).

Enrollment profiles determine behavior — especially for shared device mode targeting.

Authenticator + shared mode apps complete the user experience.

I started with zero experience, but the combination of Microsoft's documentation and building a repeatable sync process (instead of manual portal refreshing) turned it into something I could explain, replicate, and scale.

And now, when someone says "wipe and enroll these iPads into Intune shared mode," I don't hear chaos — I hear a checklist.