Shared Device/Multi-User Device functionality in Workspace ONE UEM powered by AirWatch ensures that security and authentication are in place for every unique end user. Shared devices can also allow only specific end users to access sensitive information.
Issuing a device to every employee in certain organizations can be expensive. Workspace ONE UEM powered by AirWatch lets you share a mobile device among end users in two ways: using a single fixed configuration for all end users, or using a unique configuration setting for individual end users.
When administering shared devices, you must first provision the devices with applicable settings and restrictions before deploying them to end users. Once deployed, Workspace ONE UEM uses a simple login or log-out process for shared devices in which end users simply enter their directory services or dedicated credentials to log in. The end-user role determines their level of access to corporate resources such as content, features, and applications. This role ensures the automatic configuration of features and resources that are available after the user logs in.
The login or log-out functions are self-contained within the Workspace ONE Intelligent Hub. Self-containment ensures that the enrollment status is never affected, and that the device is managed whether it is in use or not.
Shared Device capabilities are also possible natively on Apple iPads integrated with Apple Business Manager. This functionality called Shared iPads for Business leverages the user's Managed Apple ID for login and does not take place in the Workspace ONE Intelligent Hub for login and logout. To know more about configuring Shared iPads for Business with Apple Business Manager and steps to achieve this functionality, see Shared iPads for Business in Introduction to Apple Business Manager Guide available on docs.vmware.com.
Shared Devices Capabilities
There are basic capabilities surrounding the functionality and security of devices that are shared across multiple users. These capabilities offer compelling reasons to consider shared devices as a cost-effective solution to making the most of enterprise mobility.
Functionality
Security
Platforms That Support Shared Devices
The following devices support shared device/multi-user device functionality.
While strictly optional, making an organization group (OG) specific to shared devices offers many benefits due to multi-tenancy and inherited device settings.
If you have a large number of shared devices in your fleet and you want to manage them apart from single user devices, you can make a shared device-specific OG. Making a shared device hierarchy in your OG structure is optional. Features like smart groups and user groups mean you do not have to rely strictly on OG hierarchy design to simplify device management.
However, having a shared device OG (or nested OGs) simplifies device management by enabling you to standardize device functionality through profiles, policies, and device inheritance without the processing overhead required by a smart group or a user group.
Navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.
Here, you can see an OG representing your company.
Ensure the Organization Group Details displayed are accurate, and then use the available settings to make modifications, if necessary. If you make changes, select Save.
Select Add Child Organization Group.
Enter the following information for the first OG underneath the top-level OG.
Setting | Description |
---|---|
Name | Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters. |
Group ID | Enter an identifier for the OG for the end users to use during the device login. Group IDs are used during the enrollment of group devices to the appropriate OG. |
Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration.If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named.
Setting | Description |
---|---|
Name | Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters. |
GroupID | Enter an identifier for the OG for the end users to use during the device login. Group IDs are used during the enrollment of group devices to the appropriate OG. Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration. If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named. |
Type | Select the preconfigured OG type that reflects the category for the child OG. |
Country | Select the country where the OG is based. |
Locale | Select the language classification for the selected country. |
Customer Industry | This setting is only available when Type is Customer. Select from the list of Customer Industries. |
Time Zone | Select the time zone for the OG's location. |
Build out your corporate hierarchical structure by creating more groups and subgroups in the same manner.
If you are configuring a Fixed Organization Group, then ensure that you create the single organization group for end users to log in or log out.
If you configure Prompt Users for Organization Group, then ensure that you have created the multiple OGs for end-user roles for logging in or logging out. For more information, see Configure Shared Devices.
Select Save.
Similar to single-user device staging, multi-user staging (a "shared device") allows an IT administrator to provision devices to be used by more than one user.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Shared Device.
Select Override and complete the Grouping section.
Setting | Description |
---|---|
Group Assignment Mode | Configure devices in one of three ways: Select Prompt User for Organization Group to have the end user enter a Group ID for an organization group upon login. With this method, you have the flexibility to provide access to the settings, applications, and content of the organization group entered. Using this approach, an end user is not restricted to accessing only the settings, applications, and content for the organization group to which they are enrolled. Select Fixed Organization Group to limit your managed devices to settings and content applicable to a single organization group. Each end user who logs in to a device has access to the same settings, applications, and content. This method can be beneficial in a retail use case where employees use shared devices for similar purposes such as checking inventory. Select User Group Organization Group to enable features based on both user groups and organization groups across your hierarchy. When an end user logs in to a device, they have access to specific settings, applications, and content based on their assigned role within the hierarchy. For example, an end user is a member of the 'Sales' user group, and that user group is mapped to the 'Standard Access' organization group. When that end user logs in to the device, the device is configured with the settings, applications, and content available to the 'Standard Access' organization group. You can map user groups to organization groups on the UEM console. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment. Select the Grouping tab and fill in the required details. |
Always Prompt for Terms of Use | Prompts the end users to accept your Terms of Use agreement before they log in to a device. |
Complete the Security section, as applicable.
Setting | Description |
---|---|
Require Shared Device Passcode | (For iOS devices only) Require users to create a Shared Device passcode in the Self-Service Portal to check out devices. This passcode is different from a Single Sign On passcode or a device-level passcode. |
Require Special Characters | Require special characters in the shared device passcode, which includes characters such as @, %, &, and so forth. |
Shared Device Passcode Minimum Length | Set the minimum character length of the shared passcode. |
Shared Device Passcode Expiration Time (days) | Set the length of time (in days) the shared passcode expires. |
Keep Shared device Passcode for minimum time (days) | Set the minimum amount of time (in days) the shared device passcode must be changed. |
Prompt users to change their Shared Device Passcode x (days) before expiration | (For iOS devices only) Set the number of days the user is reminded to change their shared device passcode before it expires. For best results, set a value less than the difference between the Expiration Time and minimum time you can keep the Shared Device Passcode. |
Passcode History | Set the number of passcodes that are remembered by the system, providing a more secure environment by preventing the user from reusing old passcodes. |
Auto Logout | Configure an automatic log out after a specific time period. |
Auto Logout After | Set the length of time that must elapse before the Auto Log out function activates in Minutes, Hours, or Days. |
iOS Single App Mode | Select this check box to configure Single App Mode, which locks the device into a single application when an end user logs in to the device. To check out an iOS device in Single App Mode, end users log in using their credentials. When the device is checked in again, it returns to Single App Mode. Enabling Single App Mode also deactivates the Home button on the device. |
Configure the Logout Settings, as applicable.
Setting | Description |
---|---|
Clear Android App Data | Clear the app data when the user logs out of a shared device (checks it in). |
Reinstall Android Apps | Use the drop-down to select whether to Always reinstall app between users or never reinstall app between users. For Android (Legacy) deployments, you can opt to reinstall app if the Hub cannot clear app data between users. |
Clear Android Device Passcode | This setting controls whether the current Android device passcode is cleared when the user logs out (checks in) a multi-user shared device. |
Allow PIN at Startup | Activate or deactivate Android Secure Startup, which requires an initial PIN entry to boot up the device. If deactivated, users cannot enable Secure Startup during passcode setup. If Secure Startup is already deactivated on the device, the device must be factory reset to enable it. This feature applies only to Android devices that do not have file-based encryption. |
Clear iOS Device Passcode | This setting controls whether the current iOS device passcode is cleared when the user logs out (checks in) a multi-user shared device. |
Select Save.
For specific information about provisioning devices for single-user and multi-user device staging, see the topics Stage a Single-User Device and Stage a Multi-User Device in Self-Enrollment Versus Device Staging.
You can log in to and out of an iOS device that is shared across multiple users.
Run the Workspace ONE Intelligent Hub on the device.
Enter the end-user credentials.
If the device is already logged in to Workspace ONE Intelligent Hub, then users are prompted to enter an SSO Passcode. If the device is not logged in, then users are prompted to enter a user name and password. The profiles assigned to each user are pushed down based on the smart group and user group association.
Note: If Prompt User for Organization Group is enabled, then end users are required to enter a Group ID to log in to a device.
Select Login and accept the Terms of Use.
Note: If prompted for a passcode, users can create one in the Self-Service Portal. These passcodes are subject to an expiration period. As the expiration period nears, the Workspace ONE Intelligent Hub prompts users to change the passcode on the device. If users do not a change their passcode before it expires, users must return to the Self-Service Portal to create another passcode.
To log out of an iOS device, run the Workspace ONE Intelligent Hub and select Log Out at the bottom.