Shared devices should be predictable.
When we first deployed our RockRMS check-in iPads, the goal wasn’t flexibility. It was reliability.
Recently, one of our check-in iPads recently started throwing constant “Sign in to Apple ID” pop-ups. The device had been briefly signed into a personal Apple ID — and then signed out.
Except iOS didn’t fully let go.
The result? Random prompts during Sunday check-in. Exactly when you don’t want friction. And as a bonus surprise, a couple of games had been downloaded from the App Store. Definitely not part of the check-in workflow.
The Fix
To prevent Apple ID prompts and account changes, I created a dedicated restriction profile in Mosyle applied 24x7 to our Check-In device group.
These devices are now:
- DEP enrolled and supervised
- Assigned to a dedicated “Check-In Kiosk” device group
- Locked into Single App Mode (RockRMS Check-in)
- Restricted from modifying account settings
- Restricted from signing into Apple ID
- Restricted from using iCloud services
- Restricted from accessing the App Store
In short: they behave like single-purpose locked-down devices.
The Lesson
It only takes one well-meaning tap.
MDM isn’t just about deployment. It’s about guardrails.
Shared ministry devices need structure more than they need flexibility.
And sometimes that structure protects you from unintended configuration changes.