Technical Preview: Device Enrollment for Multiuser Support

Multiuser support is a new capability being added to Workspace ONE UEM. This feature will make it possible for a user to log in to an enrolled PC and see their samples and device details reflected in the console. The support will be delivered in phases, with the first phase enrolling devices through Azure Active Directory (AAD) and into UEM. Later phases will add support for Hub based enrollment without any dependency on Azure Active Directory.

Feature Overview

The first phase of this feature will support the enrollment of PCs in one of two ways: existing systems that have completed the Out-of-Box Experience (OOBE) and have a local administrator who joins them to AAD, or new systems that are still being set up and are joined to AAD during OOBE.

Devices enrolled in this manner will support the ability of a user to log in to an enrolled PC, have the assignment of the PC switched to the current user, and the samples and device details related to the current user reflected in the console.

Support for resources in the beta will include apps, profiles, and baselines. However, apps should be assigned to the devices rather than the users to prevent app install and removal churn based on user assignment. Other resources such as sensors, scripts, and workflows will work if they target device based groups. User based assignments will work for the first user but will not work for subsequent users. User based assignments will be fully supported in a later phase for all users.

Requirements for the Tech Preview

  • The customer is responsible for Azure AD Premium Licenses for their users.
  • The customer environment must be a SaaS UEM tenant.
  • A feature flag to support multiuser must be enabled. The VMware SaaS ops team can enable feature flags.
  • Azure AD integration must be configured in UEM.
  • Users must enroll the device using either AAD Join from Work/School account or through the OOBE process.
  • All users on the system should log in with AAD credentials. This can be in the form of a custom domain or a default Microsoft domain.
  • Users must log off before a new user logs in. Fast User Switching is not supported.
  • The setting for Devices and Users / Enrollment / Grouping / Default Action for Inactive users must be set to Restrict Additional Device Enrollment.

[Screenshot: settings for Devices and Users]

Note: If the new device registration is asking to add a user, this means you are running a version of UEM older than 2209 or the Feature Flag may not be enabled in 2209. To use this feature, you need to request the “MultiUserPhase1EnrollmentSupportFeatureFlag” be set for every OG where multiuser devices will be used.

Enrolling Multiuser Systems

The enrollment of a multiuser system starts with device registration. The device must not have been enrolled previously as a single device. If it was previously enrolled, the device record should be deleted from the console first. To do this, go to the device details page, choose more actions, and then delete it.

Prior to the multiuser enrollment, the device must be registered in the same Organization Group where AAD integration is configured. The Ownership type must be Corporate Shared, the Platform must be Windows Desktop, and the Serial Number must be populated.

[Screenshot: the Add Device screen used to register the device]

Enrollment Flow

There are two enrollment flow process options. The first option is for a device which has been through OOBE and has a local administrator account configured. The second option is for a device that is new and has not gone through OOBE.

If the device is currently registered, has been through OOBE, and is currently logged in with a local administrator account, follow these steps:

  1. From the desktop of a local administrator, open Settings > Accounts > Access work or school.
  2. Click Connect.
  3. Instead of enrolling at this stage, select Join this device to Azure Active Directory.

[Screenshot: adding a device to Azure AD]

  4. Complete the AAD join setup wizard using the account of a user in the AAD tenant.
  5. Once done, sign out from the local account.
  6. Next, log on to the PC using your AAD credentials. Note that the first user to log in to the device will be an administrator. All additional users will be standard users.

If the device is newly unboxed or has not been through the Out-of-Box Experience, follow these steps:

  1. From the OOBE setup in Windows, continue through the wizard until the Sign in with Microsoft screen appears. Note that the system time must be accurate for the join to succeed. To ensure this, when the device starts up into OOBE, press Shift-F10 to open a command prompt and force a time sync with these two commands: net start w32time, then w32tm /resync /force.

[Screenshot: the Sign in with Microsoft screen]

  2. Enter the AAD credentials of the user who will be the administrator on the system. Note: the first user is an administrator by default; all additional users will be standard users.
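As an added example (not part of the VMware documentation), the following PowerShell check can be run from an elevated prompt after either join path to confirm the conditions this procedure depends on: an accurate, syncing clock, an Azure AD joined device, an AAD-backed signed-in user, a populated serial number, and Fast User Switching hidden by policy. The parsing of dsregcmd and whoami output and the Fast User Switching policy value are assumptions about standard Windows tooling, not settings taken from the page.

```powershell
# Added example: post-join readiness check for a multiuser Workspace ONE UEM device.
# Run from an elevated PowerShell prompt after the AAD join; reports OK/CHECK per item.
$results = [ordered]@{}

# 1. Clock: the AAD join and token issuance need accurate time. A healthy
#    w32tm status names a real time source rather than "Local CMOS Clock".
$timeStatus = w32tm /query /status 2>&1
$results['TimeServiceSyncing'] = ($LASTEXITCODE -eq 0) -and
    ([bool]($timeStatus -match 'Source:')) -and
    (-not [bool]($timeStatus -match 'Local CMOS Clock'))

# 2. Join state, as reported by the built-in dsregcmd tool (assumed output format:
#    "AzureAdJoined : YES" in the device state section, "AzureAdPrt : YES" in SSO state).
$dsreg = dsregcmd /status
$results['AzureAdJoined'] = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$results['AzureAdPrt']    = [bool]($dsreg -match '^\s*AzureAdPrt\s*:\s*YES')

# 3. Signed-in user: whoami /upn only returns a UPN for a directory-backed account,
#    so a local administrator account fails this check (assumption about whoami behaviour).
$upn = whoami /upn 2>$null
$results['UserIsAadAccount'] = ($LASTEXITCODE -eq 0) -and ([string]$upn -match '@')

# 4. Serial Number must be populated for device registration in the console.
#    Some OEM firmware ships placeholder strings; treat those as not populated.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$results['SerialNumberPopulated'] = (-not [string]::IsNullOrWhiteSpace($serial)) -and
    ($serial -notmatch '^(To be filled|Default string|System Serial Number)')

# 5. Fast User Switching is unsupported; the Group Policy "Hide entry points for
#    Fast User Switching" writes HideFastUserSwitching = 1 under the Policies key.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fus = (Get-ItemProperty -Path $polKey -Name HideFastUserSwitching -ErrorAction SilentlyContinue).HideFastUserSwitching
$results['FastUserSwitchingHidden'] = ($fus -eq 1)

# Report each item; exit non-zero if anything needs attention so the check can be scripted.
$results.GetEnumerator() | ForEach-Object {
    '{0,-25} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
if ($results.Values -contains $false) { exit 1 }
```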

Once the device is enrolled using either of those methods, Intelligent Hub will be installed for all users. You should enable Publish Hub through Settings / Devices and Users / Windows / Windows Desktop / Intelligent Hub Application.

Upon launching Hub, the Accounts tab can be used to verify that the user of the system matches the logged in user.

[Screenshot: the enrolled user view in Intelligent Hub]

Console View: When the first user has logged into the desktop with their AAD credentials, the user should appear in the console as the current user. The device should have the Corporate – Shared ownership type.

[Screenshot: the console view]

User Switching: Sign out of the system and log in as another AAD based user to complete user switch.

[Screenshot: the sign out and log in view]

Upon logging in as another user, the Intelligent Hub Account page will show the details of the current user.

[Screenshot: the Hub Account page]

On the console, the Device Details page will reflect the new user.

[Screenshot: console device details]

Resource Assignments

Native Apps: Native apps that are installed on multiuser systems should be assigned to device based smart groups. If they are assigned to user based smart groups, ensure that all users who will use the PC are included in the assignment to prevent apps from being removed on user switch.

Profiles: Profiles can be assigned to users or to devices. Both user profiles and device profiles can be assigned to either device based or user based smart groups.

FAQs

Will multiuser support AAD only environments? A future phase of development will add support for environments that are not using AAD based identities.

Will multiuser support Hub based enrollments? A future phase of development will support Hub based enrollment through command line / staging user support.

Will multiuser support non-AD based LDAP directories? Engineering is investigating support for environments that don’t use AD and instead use LDAP or other directories for identity. This will impact both single and multiuser deployments.

Will multiuser support Windows multisession / Azure Virtual Desktop environments? A future phase of development will investigate AVD based management. The complete feature set supported is not known at this time.
