How Do You Share Devices in UEM
Workspace ONE UEM supports shared devices scenarios for Android, macOS, and iOS platforms. Examples of scenarios that use a shared pool of devices include shared mobile nursing devices for healthcare and shared mobile point of sale devices for retail. For information on how to configure Workspace ONE UEM, find use cases that outline how to set user accounts, how to set up device enrollment, and how to configure and deploy profiles to facilitate your shared devices deployment.
There are basic capabilities surrounding the functionality and security of devices that are shared across multiple users. These capabilities offer compelling reasons to consider shared devices as a cost-effective solution to making the most of enterprise mobility.
Functionality
- Personalize each end-user experience without losing corporate settings.
- Logging in a device configures it with corporate access and specific settings, applications, and content based on the end-user role and organization group (OG).
- Allow for a log in/log out process that is self-contained in the Workspace ONE Intelligent Hub or Workspace ONE Access.
- After the end user logs out of the device, the configuration settings of that session are wiped. The device is then ready for login by another end user.
Security
- Provision devices with the shared device settings before providing devices to end users.
- Log in and log out devices without affecting an enrollment in Workspace ONE UEM.
- Authenticate end users during a login with directory services or dedicated Workspace ONE UEM credentials.
- Authenticate end users using Workspace ONE Access.
- Manage devices even when a device is not logged in.
Platforms That Support Shared Devices
The following devices support shared device/multi-user device functionality.
- Android 4.3 or later
- iOS devices with Workspace ONE Intelligent Hub 4.2 or later.
- MacOS devices with Workspace ONE Intelligent Hub 2.1 or later.
Configure Shared Android Devices for your Shift Workers
You can configure Workspace ONE UEM to provide your shift workers, and other roles that share devices, access to corporate resources. Configure and use different apps, policies, and branding based on a user's role. To ensure user privacy, certain apps can have their app data cleared between user sessions. You can use the launcher native to Android or you can use the Workspace ONE UEM Launcher.
Configure Shared iOS Devices for Shift Workers
Workspace ONE UEM offers different solutions to enable iOS devices for shared purposes. You can configure Workspace ONE UEM to provide your shift workers access to corporate resources. This use case outlines how to configure and assign different apps and policies to shift workers based on their roles.
Configure Shared iPads for Business
Shared Device capabilities are available natively on Apple iPads integrated with Apple Business Manager. This functionality called Shared iPads for Business leverages the user's Managed Apple ID for login and does not take place in the Workspace ONE Intelligent Hub for login and logout. For more information, see Shared iPads for Business
Log In and Log Out of Shared Devices
The log in and log out functions are self-contained within the Workspace ONE Intelligent Hub. Self-containment ensures that the enrollment status is never affected, and that the device is managed whether it is in use or not.
Log In and Log Out of Shared iOS Devices
You can log in to and out of an iOS device that is shared across multiple users.
Run the Workspace ONE Intelligent Hub on the device.
Enter the end-user credentials.
If the device is already logged in to Workspace ONE Intelligent Hub, then the user is prompted to enter an SSO Passcode. If the device is not logged in, then the user is prompted to enter a user name and password. The profiles assigned to each user are pushed down based on the smart group and user group association.
Note: If Prompt User for Organization Group is enabled, then end users are required to enter a Group ID to log in to a device.
Select Login and accept the Terms of Use.
Note: If prompted for a passcode, users can create one in the Self-Service Portal. These passcodes are subject to an expiration period. As the expiration period nears, the Workspace ONE Intelligent Hub prompts users to change the passcode on the device. If users do not a change their passcode before it expires, users must return to the Self-Service Portal to create another passcode.
Log In and Log Out of Shared macOS Devices
Multiple users can log in to and out of a macOS shared device, activating the automatic push of device profiles.
Log In to a macOS Device – Using assigned Network credentials, log in to a macOS device that has been staged and you receive the profiles assigned to your account in Workspace ONE UEM.
Log out of a macOS Device – The standard macOS log-out procedure also logs the device out of your assigned Workspace ONE UEM user profile.
Define the Shared Device Hierarchy in UEM
While strictly optional, making an organization group (OG) specific to shared devices offers many benefits due to multi-tenancy and inherited device settings.
If you have a large number of shared devices in your fleet and you want to manage them apart from single user devices, you can make a shared device-specific OG. Making a shared device hierarchy in your OG structure is optional. Features like smart groups and user groups mean you do not have to rely strictly on OG hierarchy design to simplify device management.
However, having a shared device OG (or nested OGs) simplifies device management by enabling you to standardize device functionality through profiles, policies, and device inheritance without the processing overhead required by a smart group or a user group.
- Navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details. Here, you can see an OG representing your company.
- Ensure the Organization Group Details displayed are accurate, and then use the available settings to make modifications, if necessary. If you make changes, select Save.
- Select Add Child Organization Group.
- Enter the following information for the first OG underneath the top-level OG.
| Setting | Description |
|---|---|
| Name | Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters. |
| Group ID | Enter an identifier for the OG for the end users to use during the device login. Group IDs are used during the enrollment of group Devices to the appropriate OG. Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration. If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named. |
| Type | Select the preconfigured OG type that reflects the category for the child OG. |
| Country | Select the country where the OG is based. |
| Locale | Select the language classification for the selected country. |
| Customer Industry | This setting is only available when Type is Customer. Select from the list of Customer Industries. |
| Time Zone | Select the time zone for the OG's location. |
- Select Save.
