Shared Devices

Shared Device/Multi-User Device functionality in Workspace ONE UEM ensures that security and authentication are in place for every unique end user. Shared devices can also allow only specific end users to access sensitive information.

Issuing a device to every employee in certain organizations can be expensive. Workspace ONE UEM lets you share a mobile device among end users in two ways: using a single fixed configuration for all end users, or using a unique configuration setting for individual end users.

When administering shared devices, you must first provision the devices with applicable settings and restrictions before deploying them to end users. Once deployed, Workspace ONE UEM uses a simple login or log-out process for shared devices in which end users simply enter their directory services or dedicated credentials to log in. The end-user role determines their level of access to corporate resources such as content, features, and applications. This role ensures the automatic configuration of features and resources that are available after the user logs in.

The login or log-out functions are self-contained within the Workspace ONE Intelligent Hub. Self-containment ensures that the enrollment status is never affected, and that the device is managed whether it is in use or not.

Shared Device capabilities are also possible natively on Apple iPads integrated with Apple Business Manager. This functionality called Shared iPads for Business leverages the user's Managed Apple ID for login and does not take place in the Workspace ONE Intelligent Hub for login and logout. To know more about configuring Shared iPads for Business with Apple Business Manager and steps to achieve this functionality, see Shared iPads for Business in Introduction to Apple Business Manager Guide available on

Shared Devices Capabilities

There are basic capabilities surrounding the functionality and security of devices that are shared across multiple users. These capabilities offer compelling reasons to consider shared devices as a cost-effective solution to making the most of enterprise mobility.


  • Personalize each end-user experience without losing corporate settings.
  • Logging in a device configures it with corporate access and specific settings, applications, and content based on the end-user role and organization group (OG).
  • Allow for a log in/log out process that is self-contained in the Workspace ONE Intelligent Hub or Workspace ONE Access.
  • After the end user logs out of the device, the configuration settings of that session are wiped. The device is then ready for login by another end user.


  • Provision devices with the shared device settings before providing devices to end users.
  • Log in and log out devices without affecting an enrollment in Workspace ONE UEM.
  • Authenticate end users during a login with directory services or dedicated Workspace ONE UEM credentials.
  • Authenticate end users using Workspace ONE Access.
  • Manage devices even when a device is not logged in.

Platforms That Support Shared Devices

The following devices support shared device/multi-user device functionality.

  • Android 4.3 or later
  • iOS devices with Workspace ONE Intelligent Hub 4.2 or later.
    • For details about logging in and out of shared iOS devices, see the topic Log In and Log Out of Shared iOS Devices in the iOS Platform Guide, available on
  • MacOS devices with Workspace ONE Intelligent Hub 2.1 or later.

Define the Shared Device Hierarchy

While strictly optional, making an organization group (OG) specific to shared devices offers many benefits due to multi-tenancy and inherited device settings.

If you have a large number of shared devices in your fleet and you want to manage them apart from single user devices, you can make a shared device-specific OG. Making a shared device hierarchy in your OG structure is optional. Features like smart groups and user groups mean you do not have to rely strictly on OG hierarchy design to simplify device management.

However, having a shared device OG (or nested OGs) simplifies device management by enabling you to standardize device functionality through profiles, policies, and device inheritance without the processing overhead required by a smart group or a user group.

  1. Navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.

    Here, you can see an OG representing your company.

  2. Ensure the Organization Group Details displayed are accurate, and then use the available settings to make modifications, if necessary. If you make changes, select Save.

  3. Select Add Child Organization Group.

The Organization Group Details page displaying options to add the details with Add Child Organization Group option highlighted

  1. Enter the following information for the first OG underneath the top-level OG.

    Setting Description
    Name Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters.
    Group ID Enter an identifier for the OG for the end users to use during the device login. Group IDs are used during the enrollment of group devices to the appropriate OG.
    Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration.
    If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named.
    Type Select the preconfigured OG type that reflects the category for the child OG.
    Country Select the country where the OG is based.
    Locale Select the language classification for the selected country.
    Customer Industry This setting is only available when Type is Customer. Select from the list of Customer Industries.
    Time Zone Select the time zone for the OG's location.
  2. Select Save.

Log In and Log Out of Shared macOS Devices

Multiple users can log in to and out of a macOS shared device, activating the automatic push of device profiles.

Log In to a macOS Device - Using assigned Network credentials, log in to a macOS device that has been staged and you receive the profiles assigned to your account in Workspace ONE UEM.

Log out of a macOS Device - The standard macOS log-out procedure also logs the device out of your assigned Workspace ONE UEM user profile.

check-circle-line exclamation-circle-line close-line
Scroll to top icon