Shared Device/Multi-User Device functionality in Workspace ONE UEM powered by AirWatch ensures that security and authentication are in place for every unique end user. Shared devices can also allow only specific end users to access sensitive information.
Issuing a device to every employee in certain organizations can be expensive. Workspace ONE UEM powered by AirWatch lets you share a mobile device among end users in two ways: using a single fixed configuration for all end users, or using a unique configuration setting for individual end users.
When administering shared devices, you must first provision the devices with applicable settings and restrictions before deploying them to end users. Once deployed, Workspace ONE UEM uses a simple login or log-out process for shared devices in which end users simply enter their directory services or dedicated credentials to log in. The end-user role determines their level of access to corporate resources such as content, features, and applications. This role ensures the automatic configuration of features and resources that are available after the user logs in.
The login or log-out functions are self-contained within the Workspace ONE Intelligent Hub. Self-containment ensures that the enrollment status is never affected, and that the device is managed whether it is in use or not.
There are basic capabilities surrounding the functionality and security of devices that are shared across multiple users. These capabilities offer compelling reasons to consider shared devices as a cost-effective solution to making the most of enterprise mobility.
Similar to single-user device staging, multi-user staging (a "shared device") allows an IT administrator to provision devices to be used by more than one user.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Shared Device.
Select Override and complete the Grouping section.
|Group Assignment Mode||Configure devices in one of three ways:|
With this method, you have the flexibility to provide access to the settings, applications, and content of the organization group entered. Using this approach, an end user is not restricted to accessing only the settings, applications, and content for the organization group to which they are enrolled.
- Select **Fixed Organization Group** to limit your managed devices to settings and content applicable to a single organization group.
Each end user who logs in to a device has access to the same settings, applications, and content. This method can be beneficial in a retail use case where employees use shared devices for similar purposes such as checking inventory.
- Select **User Group Organization Group** to enable features based on both user groups and organization groups across your hierarchy.
When an end user logs in to a device, they have access to specific settings, applications, and content based on their assigned role within the hierarchy. For example, an end user is a member of the 'Sales' user group, and that user group is mapped to the 'Standard Access' organization group. When that end user logs in to the device, the device is configured with the settings, applications, and content available to the 'Standard Access' organization group.
You can map user groups to organization groups on the UEM console. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment. Select the Grouping tab and fill in the required details.
Complete the Security section, as applicable.
| Setting | Description |
|---|---|
| Require Shared Device Passcode | **(For iOS devices only)** Require users to create a Shared Device passcode in the Self-Service Portal to check out devices. This passcode is different from a Single Sign On passcode or a device-level passcode. |
| Require Special Characters | Require special characters in the shared device passcode, which includes characters such as @, %, &, and so forth. |
| Shared Device Passcode Minimum Length | Set the minimum character length of the shared passcode. |
| Shared Device Passcode Expiration Time (days) | Set the length of time (in days) after which the shared passcode expires. |
| Keep Shared device Passcode for minimum time (days) | Set the minimum amount of time (in days) the shared device passcode must be kept before it can be changed. |
| Passcode History | Set the number of passcodes that are remembered by the system, providing a more secure environment by preventing the user from reusing old passcodes. |
| Auto Logout | Configure an automatic log out after a specific time period. |
| Auto Logout After | Set the length of time that must elapse before the Auto Log out function activates in Minutes, Hours, or Days. |
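
The following added example (not Workspace ONE UEM code) models how the passcode settings in the Security section interact: minimum length, special characters, expiration, minimum keep time, and history. The class names, field names, and default values are hypothetical and constructed for illustration; the hashing scheme is an assumption, not a description of how the product stores passcodes.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class SharedPasscodePolicy:
    # Hypothetical field names; each mirrors one console setting. Values are constructed.
    min_length: int = 6           # Shared Device Passcode Minimum Length
    require_special: bool = True  # Require Special Characters
    expiration_days: int = 90     # Shared Device Passcode Expiration Time (days)
    min_keep_days: int = 1        # Keep Shared device Passcode for minimum time (days)
    history: int = 3              # Passcode History

@dataclass
class PasscodeRecord:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    hashes: List[bytes] = field(default_factory=list)  # newest first, never plaintext
    set_at: Optional[datetime] = None

def _digest(rec: PasscodeRecord, passcode: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), rec.salt, 100_000)

def change_passcode(policy, rec, new, now):
    """Return the list of violations; an empty list means the change was accepted."""
    errors = []
    if len(new) < policy.min_length:
        errors.append("too short")
    if policy.require_special and not any(c in string.punctuation for c in new):
        errors.append("needs special character")
    # Minimum keep time stops a user cycling through changes to flush the history.
    if rec.set_at and now - rec.set_at < timedelta(days=policy.min_keep_days):
        errors.append("changed too soon")
    digest = _digest(rec, new)
    if any(hmac.compare_digest(digest, h) for h in rec.hashes[:policy.history]):
        errors.append("reused passcode")
    if not errors:
        rec.hashes = [digest] + rec.hashes[:max(policy.history - 1, 0)]
        rec.set_at = now
    return errors

def is_expired(policy, rec, now):
    """A passcode that was never set, or is older than the expiration time, is expired."""
    return rec.set_at is None or now - rec.set_at >= timedelta(days=policy.expiration_days)
```

With the minimum keep time set to zero, a user could change the passcode repeatedly in one session until the original falls out of the history and then reuse it, which is why the two settings are best configured together.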
Configure the Logout Settings, as applicable.
| Setting | Description |
|---|---|
| Clear Android App Data | Clear the app data when the user logs out of a shared device (checks it in). |
| Reinstall Android Apps | Use the drop-down to select whether to always reinstall apps between users or never reinstall apps between users. For Android (Legacy) deployments, you can opt to reinstall an app if the Hub cannot clear app data between users. |
| Clear Android Device Passcode | This setting controls whether the current Android device passcode is cleared when the user logs out of (checks in) a multi-user shared device. |
| Allow PIN at Startup | Enable or disable Android Secure Startup, which requires an initial PIN entry to boot up the device. If disabled, users cannot enable Secure Startup during passcode setup. If Secure Startup is already disabled on the device, the device must be factory reset to enable it. This feature applies only to Android devices that do not have file-based encryption. |
To use shared device functionality on Android devices, enroll the device using the Workspace ONE Intelligent Hub, set the Workspace ONE Launcher application as the default home screen, and create and assign the Launcher profile. Workspace ONE Launcher is automatically downloaded during enrollment, but you will need to determine which version of the Launcher is pushed to devices.
Navigate to Devices > Device Settings > Android > Service Applications.
Configure the applicable settings:
| Setting | Description |
|---|---|
| Always use the Latest Version of Launcher | If this setting is enabled, the latest version of the app automatically pushes to devices when it becomes available. |
| Launcher Version | Manually choose the version you want to deploy from the drop-down menu. |
Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Launcher and configure the Launcher profile at each child organization group. This profile should contain all of the necessary settings common to that organization group.
Important: Make sure to enable the Persist Admin Passcode If Launcher Profile Is Removed From Device setting. This ensures that neither the staging user nor the shared device users can exit the Launcher without entering the Administrative Passcode.
Do not assign the Launcher profile to a staging user.
Enroll the device into the enrollment organization group using the staging user. The Launcher .apk installs and the login screen appears, by default.
Note: The Launcher .apk needs to be installed before the Launcher profile is pushed as a part of the Shared Device settings.
Enter the shared device user Group ID, Name, and Password to log in, assigning the device to the Shared Device User and the proper child organization group. The Launcher profile will be applied to the device, and the console will reflect which user is logged in to the device.
Important: Only enter the Group ID if you selected Prompt for Organization Group in the Group Organization Group assignment mode under the shared device settings.
Log out of the Launcher profile on the device. This reassigns the device back to the staging user, moves the device back to the original enrollment organization group, and removes the Launcher profile.
To use shared device functionality on Android devices, enroll the device using the Workspace ONE Intelligent Hub and set the VMware Workspace ONE Launcher as the default home screen. The Workspace ONE Launcher is automatically downloaded during enrollment.
Once the application is installed and set as the default home screen, the device is in a checked-in state. While in this state, the end user is unable to navigate away from this page and the device prompts the user to check out. To remove the profile and make the entire device accessible again, perform an Enterprise Wipe on the staging user device from the Workspace ONE UEM console.
From the Workspace ONE Launcher login page, users must enter their Group ID, user name, and password. If Prompt User for Organization Group is enabled on the console, end users are required to enter a Group ID to log in.
The device is configured. Once logged in, user profiles are pushed down based on the smart group and user group associations.
To log out of an Android device, select Launcher Settings and select Log Out (door icon).