Multiuser support is a new capability being added to Workspace ONE UEM. This feature will make it possible for a user to log in to an enrolled PC and see their samples and device details reflected in the console. The support will be delivered in phases, with the first phase starting with enrolling devices through Azure Active Directory (AAD) and into UEM. The later phases will grow to support Hub based enrollment without any dependency on Azure Active Directory.
The first phase of this feature will support the enrollment of PCs using either existing environment systems that have completed the Out-of-Box Experience (OOBE) and have a local administrator who will join them to AAD, or through OOBE for new environments that are still in the process of being set up.
Devices enrolled in this manner will support the ability of a user to log in to an enrolled PC, have the assignment of the PC switched to the current user, and the samples and device details related to the current user reflected in the console.
Support for resources in the beta will include apps, profiles, and baselines. However, apps should be assigned to the devices rather than the users to prevent app install and removal churn based on user assignment. Other resources such as sensors, scripts, and workflows will work if they target device based groups. User based assignments will work for the first user but will not work for subsequent users. User based assignments will be fully supported in a later phase for all users.
The enrollment of a multiuser system starts with device registration. The device must not have been enrolled previously as a single device. If it was previously enrolled, the device record should be deleted from the console first. To do this, go to the device details page, choose more actions, and then delete it.
Prior to the multiuser enrollment, the device must be registered in the same Organization Group where AAD integration is configured. The Ownership type must be Corporate Shared, the Platform must be Windows Desktop, and the Serial Number must be populated.
There are two enrollment flow process options. The first option is for a device which has been through OOBE and has a local administrator account configured. The second option is for a device that is new and has not gone through OOBE.
If the device is currently registered, has been through OOBE, and is currently logged in with a local administrator account, follow these steps:
If the device is newly unboxed or has not been through the Out-of-Box Experience, follow these steps:
Once the device is enrolled using either of those methods, Intelligent Hub will be installed for all users. You should enable Publish Hub through Settings / Devices and Users / Windows / Windows Desktop / Intelligent Hub Application.
Upon launching Hub, the Accounts tab can be used to verify that the user of the system matches the logged in user.
Console View: When the first user has logged into the desktop with their AAD credentials, the user should appear in the console as the current user. The device should be a Corporate – Shared ownership type.
User Switching: Sign out of the system and log in as another AAD based user to complete the user switch.
Upon logging in as another user, the Intelligent Hub Account page will show details of the current user.
On the console, the Device Details page will reflect the new user.
Native Apps: Native apps that are installed on multiuser systems should be assigned to device based smartgroups. If they are assigned to user based smartgroups, ensure that all users who will use the PC are included in the assignment to prevent apps from being removed on user switch.
Profiles: Profiles can be assigned to users or to devices. Both user profiles and device profiles can be assigned to either device based or user based smartgroups.
Will multiuser support AAD only environments? A future phase of development will add support for environments that are not using AAD based identities.
Will multiuser support Hub based enrollments? A future phase of development will support Hub based enrollment through command line / staging user support.
Will multiuser support non-AD based LDAP directories? Engineering is investigating support for environments that don’t use AD and instead use LDAP or other directories for identity. This will impact both single and multiuser deployments.
Will multiuser support Windows multisession / Azure Virtual Desktop environments? A future phase of development will investigate AVD based management. The complete feature set supported is not known at this time.