Shared Device/Multi-User Device functionality in Workspace ONE UEM powered by AirWatch ensures that security and authentication are in place for every unique end user. Shared devices can also allow only specific end users to access sensitive information.

Issuing a device to every employee in certain organizations can be expensive. Workspace ONE UEM powered by AirWatch lets you share a mobile device among end users in two ways: using a single fixed configuration for all end users, or using a unique configuration setting for individual end users.

When administering shared devices, you must first provision the devices with applicable settings and restrictions before deploying them to end users. Once deployed, Workspace ONE UEM uses a simple login or log-out process for shared devices in which end users simply enter their directory services or dedicated credentials to log in. The end-user role determines their level of access to corporate resources such as content, features, and applications. This role ensures the automatic configuration of features and resources that are available after the user logs in.

The login or log-out functions are self-contained within the Workspace ONE Intelligent Hub. Self-containment ensures that the enrollment status is never affected, and that the device is managed whether it is in use or not.

Functionality

There are basic capabilities surrounding the functionality and security of devices that are shared across multiple users. These capabilities offer compelling reasons to consider shared devices as a cost-effective solution to making the most of enterprise mobility.

  • Personalize each end-user experience without losing corporate settings.
  • Logging in a device configures it with corporate access and specific settings, applications, and content based on the end-user role and organization group (OG).
  • Allow for a log in/log out process that is self-contained in the Workspace ONE Intelligent Hub or Workspace ONE Access.
  • After the end user logs out of the device, the configuration settings of that session are wiped. The device is then ready for login by another end user.

Security

  • Provision devices with the shared device settings before providing devices to end users.
  • Log in and log out devices without affecting an enrollment in Workspace ONE UEM.
  • Authenticate end users during a login with directory services or dedicated Workspace ONE UEM credentials.
  • Authenticate end users using Workspace ONE Access.
  • Manage devices even when a device is not logged in.

Configure Shared Devices

Similar to single-user device staging, multi-user staging a ("shared device") allows an IT administrator to provision devices to be used by more than one user.

  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Shared Device.

  2. Select Override and complete the Grouping section.

    Setting Description
    Group Assignment Mode Configure devices in one of three ways:
    • Select Prompt User for Organization Group to have the end user enter a Group ID for an organization group upon login.

With this method, you have the flexibility to provide access to the settings, applications, and content of the organization group entered. Using this approach, an end user is not restricted to accessing only the settings, applications, and content for the organization group to which they are enrolled.

-   Select **Fixed Organization Group** to limit your managed devices to settings and content applicable to a single organization group.

Each end user who logs in to a device has access to the same settings, applications, and content. This method can be beneficial in a retail use case where employees use shared devices for similar purposes such as checking inventory.

-   Select **User Group Organization Group** to enable features based on both user groups and organization groups across your hierarchy.

When an end user logs in to a device, they have access to specific settings, applications, and content based on their assigned role within the hierarchy. For example, an end user is a member of the 'Sales' user group, and that user group is mapped to the 'Standard Access' organization group. When that end user logs in to the device, the device is configured with the settings, applications, and content available to the 'Standard Access' organization group.

You can map user groups to organization groups on the UEM console. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment. Select the Grouping tab and fill in the required details.

| |Always Prompt for Terms of Use|Prompts the end users to accept your Terms of Use agreement before they log in to a device.|

  1. Complete the Security section, as applicable.

    Setting Description
    Require Shared Device Passcode **(For iOS devices only)**Require users to create a Shared Device passcode in the Self-Service Portal to check out devices. This passcode is different from a Single Sign On passcode or a device-level passcode.
    Require Special Characters Require special characters in the shared device passcode, which includes characters such as @, %, &, and so forth.
    Shared Device Passcode Minimum Length Set the minimum character length of the shared passcode.
    Shared Device Passcode Expiration Time (days) Set the length of time (in days) the shared passcode expires.
    Keep Shared device Passcode for minimum time (days) Set the minimum amount of time (in days) the shared device passcode must be changed.
    Passcode History Set the number of passcodes that are remembered by the system, providing a more secure environment by preventing the user from reusing old passcodes.
    Auto Logout Configure an automatic log out after a specific time period.
    Auto Logout After Set the length of time that must elapse before the Auto Log out function activates in Minutes, Hours, or Days.
  2. Configure the Logout Settings, as applicable.

    Setting Description
    Clear Android App Data Clear the app data when the user logs out of a shared device (checks it in).
    Reinstall Android Apps Use the drop-down to select whether to Always reinstall app between users or never reinstall app between users. For Android (Legacy) deployments, you can opt to reinstall app if the Hub cannot clear app data between users.
    Clear Android Device Passcode This setting controls whether the current Android device passcode is cleared when the user logs out (checks in) a multi-user shared device.
    Allow PIN at Startup Enable or disable Android Secure Startup, which requires an initial PIN entry to boot up the device. If disabled, users cannot enable Secure Startup during passcode setup. If Secure Startup is already disabled on the device, the device must be factory reset to enable it. This feature applies only to Android devices that do not have file-based encryption.
  3. Select Save.

Configure Android for Shared Device Use

To use shared device functionality on Android devices, enroll the device using the Workspace ONE Intelligent Hub, set the Workspace ONE Launcher application as the default home screen, and create and assign the Launcher profile. Workspace ONE Launcher is automatically downloaded during enrollment, but you will need to determine which version of the Launcher is pushed to devices.

  1. Navigate to Devices > Device Settings > Android > Service Applications.

  2. Configure the applicable settings:

    Setting Description
    Always use the Latest Version of Launcher If this setting is enabled, the latest version of the app automatically pushes to devices when it becomes available.
    Launcher Version Manually choose the version you want to deploy from the drop-down menu.
  3. Select Save.

  4. Navigate to Devices > Profiles & Resources > ** Profiles** > Add > Add Profile > Android > Launcher and configure the Launcher profile at each child organization group. This profile should contain all of the necessary settings common to that organization group.

    Important: Make sure to enable the Persist Admin Passcode If Launcher Profile Is Removed From Device setting, as this will ensure that the staging user, as well as the shared device Users are not permitted to exit the Launcher without entering the Administrative Passcode.

    Do not assign the Launcher profile to a staging user.

  5. Enroll the device into the enrollment organization group using the staging user. The Launcher .apk installs and the login screen appears, by default.

    Note: The Launcher .apk needs to be installed before the Launcher profile is pushed as a part of the Shared Device settings.

  6. Enter the shared device user Group ID, Name, and Password to log in, assigning the device to the Shared Device User and the proper child organization group. The Launcher profile will be applied to the device, and the console will reflect which user is logged in to the device.

    Important: Only enter the Group ID if you selected Prompt for Organization Group in the Group Organization Group assignment mode under the shared device settings.

  7. Log out of the Launcher profile on the device. This reassigns the device back to the staging user, moves the device back to the original enrollment organization group, and removes the Launcher profile.

Log In and Log Out of Shared Android Devices

To use shared device functionality on Android devices, enroll the device using the Workspace ONE Intelligent Hub and set the VMware Workspace ONE Launcher as the default home screen. The Workspace ONE Launcher is automatically downloaded during enrollment.

Once the application is installed and set as the default home screen, the device is in a checked-in state. While in this state, the end user is unable to navigate away from this page and the device prompts the user to check out. To remove the profile and make the entire device accessible again, perform an Enterprise Wipe on the staging user device from the Workspace ONE UEM console.

  1. From the Workspace ONE Launcher log in page, users must enter their Group ID, user name, and password. If Prompt User for Organization Group is enabled on the console, end users are required to enter a Group ID to log in.

  2. Select Login and accept the terms of use, if applicable.

    The device is configured. Once logged in, user profiles are pushed down based on the smart group and user group associations.

To log out of an Android device, select Launcher Settings and select Log Out (door icon).

check-circle-line exclamation-circle-line close-line
Scroll to top icon