Android Shared Device Management
Frontline workers in logistics, retail, education, healthcare and other industries often share devices, with multiple users working on a single device. In such cases, the privacy of each user's data and the protection of the device itself must be maintained. With MDM's Android shared device management, multiple users can use a single device, each with their own profiles, data and applications, so that privacy and security are preserved.
Note: MDM also supports shared device management of iPads.
Prerequisites
- Devices must be Fully Managed (Device owner).
- Directory services must be integrated with MDM (Azure, On-prem AD, Zoho).
- The Microsoft Authenticator app must be distributed to the devices when Entra ID (formerly Azure AD) is used for authentication.
- The admin account must hold the Cloud Device Administrator role to add the device as a shared device in the Microsoft Entra admin portal (formerly the Azure AD portal).
How does it work?
MDM uses an app called the Shared Device app, in which users sign in with their directory credentials; integrate your organization's directory with MDM, since it is used for authentication. The Shared Device app is set as the default launcher on the device. Configure the app with the settings your organization needs, such as shift hours and data clearing. Once a user has signed in, all the apps and profiles associated with that user are applied. When the user signs out, the next user can sign in with their own credentials.
Enable shared device mode
- On the web console, navigate to Enrollment > Android enrollment > ME MDM app. Under Manage ME MDM app, select Yes for Add Shared Device app.
- Once this setting is enabled, the app is added to the App Repository automatically.
- Configure the app's settings according to your users' sessions or shifts. Follow the steps given below to configure the app.
How to enroll a shared device?
The device can be accessed by multiple users, so enroll it under an Admin or a Technician account. If the device is assigned to a user, it is reassigned to that user after every logout; for that reason we recommend enrolling a shared device under an admin or a technician.
Configure settings in ME Shared Device App
Admins can configure the app based on their organization's requirements. These configurations once set cannot be modified by the end-user.
FEATURE | DESCRIPTION
Shared device mode | This must be set to Enabled for the device to operate in shared device mode.
Customize the app name | You can customize the Shared Device app's name. This applies only when a Kiosk launcher is used.
Authentication Settings |
Authentication Mode | Choose the authentication type: On-prem, Azure or other IdPs. Note: For Azure authentication, copy the JSON value after registering the app in the portal.
Entra ID (formerly Azure AD) Authenticator app config JSON | Enter the JSON retrieved from Entra ID after registering the app.
Login Settings |
Login screen message | Enter the text to be shown on the sign-in page.
Mandate login terms | Enable this option to show the terms and conditions after the user signs in.
Enforce device passcode | Enable this option to enforce a passcode after the user signs in.
Admin mode | Admins can sign in to the device in Admin mode with the password provided in the configuration below.
Admin mode password | The password set here is used as the credential for signing in to Admin mode.
Guest mode | If this setting is enabled, users can sign in without any credentials; directory authentication is not performed. In guest mode the device has the default settings and not any user's profiles, apps or data. A timer starts based on the Guest mode duration configured below.
Guest mode duration | Set how long guest mode stays active on the device.
Guest session idle timeout | After the specified idle time, the temporary guest session is ended.
Logout Settings |
User session duration | After the specified time (hours), the user account is signed out automatically.
User session idle timeout | If the device is idle for the specified time (minutes), the user account is signed out automatically.
Clear device passcode | Clears the app password on session logout.
Clear app data | The app data of all apps is cleared at the end of the session, except for the ME MDM app, the Shared Device app and the Microsoft Authenticator app.
Exclude apps for clear data | Add the package names, as comma-separated values, of apps to exclude from Clear app data.
Clear Accounts | Clears accounts on session logout.
Clear Contacts | The contacts accessed by the user are deleted at the end of the session.
Clear Messages | Clears messages sent or received by the user. For this to work, the Shared Device app acts as the default SMS app in place of the device's own messaging app. This applies to devices running Android 10.0 or later.
Clear call logs | Call logs are cleared once the user logs out of the session.
Clear storage | All local data stored on the device, such as DCIM, Downloads, Documents, Pictures and Screenshots, is deleted.
Logout message | This message appears once the user logs out of the session. You can also set a mandatory sign-out message.
Note: At the end of the session, data is cleared according to the settings the admin has configured. Accounts signed in on the device are also signed out.
Obtaining JSON from Azure Portal
- Sign in to your Azure Portal.
- Click on App registrations > New registration.
- Enter a registration name. In the “Redirect URI” dropdown, select the platform Public client/native (mobile & desktop).
- Enter the following in the URL field: “msauth://com.manageengine.mdm.android.shareddevice/XYcMBQO6MNhD20gWMaxlS0XqsgU%3D” and click Register.
- Once registered, navigate to Manage > Authentication.
- Click View next to the Redirect URI option.
- Copy the JSON shown under MSAL Configuration.
- Navigate to MDM web console > Device Mgmt > App repository > Shared Device App > Configurations.
- Paste the JSON into Entra ID (formerly Azure AD) Config JSON and click Save.
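As an added example (not part of the MDM documentation or product), the following Python check validates the MSAL configuration JSON copied from the portal before it is pasted into the Shared Device app's configuration: it confirms that the redirect URI matches the package name and signing-certificate hash from the steps above, that the client and tenant IDs are GUIDs, and that the broker redirect flag is set. The JSON keys (client_id, redirect_uri, broker_redirect_uri_registered, authorities) follow MSAL for Android's configuration format; the GUIDs are placeholders, and SAMPLE_BAD is the same registration made for a different package name.

```python
import base64
import json
import re
import urllib.parse

# From the documentation: the redirect URI (package name + signing-cert hash)
# registered for the Shared Device app in Entra ID.
EXPECTED_REDIRECT_URI = ("msauth://com.manageengine.mdm.android.shareddevice/"
                         "XYcMBQO6MNhD20gWMaxlS0XqsgU%3D")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def validate_msal_config(config_text: str) -> list:
    """Return the problems found in an MSAL config JSON; an empty list means OK."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = []
    if not GUID_RE.match(str(cfg.get("client_id", ""))):
        problems.append("client_id is missing or not a GUID")
    redirect = cfg.get("redirect_uri", "")
    if redirect != EXPECTED_REDIRECT_URI:
        problems.append("redirect_uri does not match the Shared Device app")
    else:
        # The last path segment is the URL-encoded base64 SHA-1 of the app's
        # signing certificate, so it must decode to exactly 20 bytes.
        digest = base64.b64decode(urllib.parse.unquote(redirect.rsplit("/", 1)[1]))
        if len(digest) != 20:
            problems.append("signature hash is not a 20-byte SHA-1 digest")
    if cfg.get("broker_redirect_uri_registered") is not True:
        problems.append("broker_redirect_uri_registered must be true")
    for auth in cfg.get("authorities") or []:
        audience = auth.get("audience", {})
        if audience.get("type") == "AzureADMyOrg" and not GUID_RE.match(
                str(audience.get("tenant_id", ""))):
            problems.append("AzureADMyOrg audience needs a tenant_id GUID")
    return problems

# Constructed sample in the shape the portal's MSAL Configuration view shows
# for an Android platform registration; the GUIDs are placeholders.
SAMPLE_GOOD = json.dumps({
    "client_id": "11111111-2222-3333-4444-555555555555",
    "authorization_user_agent": "DEFAULT",
    "redirect_uri": EXPECTED_REDIRECT_URI,
    "broker_redirect_uri_registered": True,
    "authorities": [{"type": "AAD", "audience": {
        "type": "AzureADMyOrg", "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}],
})
# Same registration for a different package: the broker would not return the
# token to the Shared Device app, so validation must reject it.
SAMPLE_BAD = SAMPLE_GOOD.replace("shareddevice", "otherapp")
```

A mismatched redirect URI is the usual reason sign-in silently fails on the device, since the authenticator only brokers tokens back to the package and certificate hash that were registered.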
Shared Device Admin Account
To set up a Shared Device Admin Account, follow these steps:
- Navigate to the Microsoft Entra admin portal.
- Log in using your admin account credentials.
- In the dashboard, go to Users and select the admin user you want to assign the role to.
- Click on Assigned Roles to view the current roles associated with this account.
- Click Add assignments to add a new role.
- From the available roles, select Cloud Device Administrator and click Add to assign the role.
Best Practices
- Entra ID (formerly Azure AD) shared device mode provides single sign-on and single sign-out for supported apps such as Teams and Outlook. Enable this setting in Entra ID to get SSO across those apps.
- For Kiosk devices, distribute the Shared Device app along with the other apps so that shared device mode can operate.
- Associate a device-specific passcode policy with the shared devices.
- To get a report of the users who have accessed the devices, generate a report by navigating to Reports > Query Reports.